Wednesday, February 3, 2010

IronPort WCCP Redirection and Proxy Bypass List

I came across a trap for the unwary today. It seems that the IronPort WSA product's Proxy Bypass List for transparent-mode redirection actually operates on sources as well as destinations.



From the Administrator's Guide (note the "or from"):

You can configure the Web Security appliance so client requests to or from particular addresses bypass all processing by the Web Proxy.



Therefore, putting your internal address space in the list to stop the caching engine from performing access checks and caching on your intranet and other internal web content will actually prevent transparent redirection from working at all: every request from an internal client carries an internal source address, so every request matches the bypass list and passes through the Web Proxy unprocessed.



Rather than do this, build the access lists used for WCCP redirection on your router or switch so that requests with an internal destination are never redirected to the caching engine in the first place. The redirect list then does the filtering, and the WSA bypass list is left for genuine exceptions.



ip access-list standard wccp-devices
 remark Only WCCP devices (the WSA appliances) should be listed here
 permit 10.200.10.10
 permit 10.200.10.20

ip access-list extended wccp-80
 remark Deny redirection of web traffic to internal services, then permit all http
 remark Internal devices may be listed as deny (source) here to prevent them using the transparent proxy
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip host 10.100.1.50 any
 ! The port match needs tcp, not ip: IOS rejects "permit ip any any eq www"
 permit tcp any any eq www

ip access-list extended wccp-443
 remark Deny redirection of web traffic to internal services, then permit all https
 remark Internal devices may be listed as deny (source) here to prevent them using the transparent proxy
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip host 10.100.1.50 any
 permit tcp any any eq 443

! Service 0 (web-cache) carries HTTP; the numbered dynamic service must match the
! service ID configured on the WSA for HTTPS. A packet is redirected only when the
! redirect-list permits it; the implicit deny at the end keeps everything else
! on its normal path. The group-list restricts which devices may join the service group.
ip wccp web-cache redirect-list wccp-80 group-list wccp-devices password password
ip wccp 120 redirect-list wccp-443 group-list wccp-devices password password

interface [outbound network]
 ip address 10.1.1.x
 ip wccp web-cache redirect out
 ip wccp 120 redirect out
! Keep the WSA's own outbound fetches out of redirection too (deny its address as
! source in the lists above, or apply "ip wccp redirect exclude in" on the
! interface facing the WSA); otherwise they are redirected back to it in a loop.
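
To see the two mechanisms side by side, here is an added Python example (not from the original post, and not Cisco or IronPort code): it parses the wccp-80 redirect list above (with the port match on tcp), evaluates constructed sample flows against it with IOS first-match semantics and the implicit deny, and models the Proxy Bypass List as the Administrator's Guide describes it, matching on source or destination. The client and server addresses, the flows and the bypass ranges are assumptions made up for the demonstration.

```python
"""Added example, not part of the original post: a small evaluator for the
IOS-style WCCP redirect list in the post, run against constructed flows, plus
a model of the WSA Proxy Bypass List semantics (a match on source OR
destination means the proxy skips the request). Addresses and flows are
made up for illustration."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
ANY = (0, 0xFFFFFFFF)  # (base address, wildcard); wildcard 1 bits = don't care


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    sport: int = 40000


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume an IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(t), _ip(tokens.pop(0)))


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return the port or None."""
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    p = tokens.pop(0)
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)


def _addr_match(spec, addr):
    base, wc = spec
    keep = ~wc & 0xFFFFFFFF          # bits the wildcard says must match
    return (_ip(addr) & keep) == (base & keep)


def parse_acl(text):
    """Parse extended-ACL entries (remarks and '!' comments skipped) into
    (permit, proto, src, sport, dst, dport) tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() in ("remark", "!"):
            continue
        action, proto = tokens[0].lower(), tokens[1].lower()
        rest = tokens[2:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        if proto == "ip" and (sport is not None or dport is not None):
            # IOS rejects this at the CLI: port matches exist only for tcp/udp.
            raise ValueError(f"port match needs tcp or udp, not ip: {line}")
        entries.append((action == "permit", proto, src, sport, dst, dport))
    return entries


def acl_permits(entries, flow):
    """First match wins; IOS appends an implicit 'deny ip any any'."""
    for permit, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != flow.proto:
            continue
        if not (_addr_match(src, flow.src) and _addr_match(dst, flow.dst)):
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return permit
    return False


# The post's wccp-80 list, with the port match on tcp.
REDIRECT_LIST_80 = """
remark Deny redirection of web traffic to internal services, then permit all http
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip host 10.100.1.50 any
permit tcp any any eq www
"""
WCCP_80 = parse_acl(REDIRECT_LIST_80)


def redirected(flow, entries=WCCP_80):
    """WCCP redirects a packet only when the redirect-list permits it."""
    return acl_permits(entries, flow)


def wsa_bypass(flow, bypass_ranges):
    """WSA Proxy Bypass List as the admin guide describes it: the request
    bypasses the proxy if its source OR destination is in a listed range."""
    nets = [ipaddress.IPv4Network(r) for r in bypass_ranges]
    return any(ipaddress.IPv4Address(a) in n
               for n in nets for a in (flow.src, flow.dst))


if __name__ == "__main__":
    client = "10.20.0.5"            # constructed: an internal workstation
    flows = {
        "to internet :80": Flow(client, "203.0.113.10", "tcp", 80),
        "to intranet :80": Flow(client, "10.5.5.5", "tcp", 80),
        "exempt host :80": Flow("10.100.1.50", "203.0.113.10", "tcp", 80),
        "to internet :8080": Flow(client, "203.0.113.10", "tcp", 8080),
    }
    for name, f in flows.items():
        print(f"{name:18} redirected={redirected(f)} "
              f"bypass(10/8)={wsa_bypass(f, ['10.0.0.0/8'])}")
```

Run it as a script to print the decision for each sample flow. Two things stand out: a request to a non-standard port (8080 in the sample) is never redirected by this list, so anything you want proxied on other ports needs its own permit line and a matching service group; and putting 10.0.0.0/8 in the bypass list marks every flow from the sample client as bypassed, which is exactly the trap described above.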




Note that you can avoid the extra cost of outbound redirection on your switches by redirecting inbound traffic instead: outbound redirection is evaluated only after the packet has been CEF-switched to the egress interface, so it costs an extra lookup and on many switching platforms is not hardware-accelerated. Inbound redirection is faster, but it usually means a much more complex configuration, since every client-facing interface needs its own redirect statement. If you're not approaching the performance limits of your switches and it's not going to affect VoIP call quality, it's probably simpler to configure redirection on the outbound port to your firewall and measure during peak usage periods (usually lunchtime for web usage) for any performance impact.



Cheers,
Sean
