You can set up Web Gateway as a virtual cloud resource in an AWS environment and configure it to run in the L2 Transparent network mode.
You can set up the resource with one network interface for Web Gateway in a single-arm configuration or include an additional network interface in a dual-arm configuration.
Complete the first steps of this task for any of the two configuration types. Then follow the instructions provided for either type.
- On an AWS web console, create a virtual private cloud (VPC) for Web Gateway.
- Create a VPC with IP address 192.168.0.0/16 (CIDR notation).
- Set up an Internet gateway and associate it with the VPC if none is associated yet.
- Create these subnets in the VPC:
- MWGNetwork — 192.168.10.0/24
- ClientNetwork — 192.168.5.0/24
- Allow all protocols and ports inbound for source 192.168.0.0/16 in the network security group that includes these subnets.
- Create a virtual machine as a platform for running the Web Gateway appliance software.
- Create a virtual machine.
- Use the AMI search field to locate the appliance software on the Skyhigh Content & Cloud Security Portal, then use the link to it to launch it on the virtual machine.
- Associate a network interface on Web Gateway with the MWGNetwork subnet.
- Disable source and destination checking for the network interface on Web Gateway that you associated with the MWGNetwork subnet.
- In the navigation pane, select Instance.
- Select the Web Gateway instance, then navigate to Actions | Networking | Change source/destination check.
- Select Stop if source and destination checking is enabled.
- Click Save.
- Create another virtual machine for use as a Web Gateway client.
- Create a virtual machine.
- Associate a network interface on this virtual machine with the ClientNetwork subnet.
- Create a routing table.
- In the navigation pane, select Route Tables.
- Optionally, type a table name under Name Tag.
- Under VPC, select the VPC for Web Gateway.
- Select Add tags, and under Key and Value, type key names and values for every table tag you want to add.
- Select Create.
- Navigate to Subnet Associations and associate this routing table with the ClientNetwork subnet.
If you want to set up a single-arm configuration, continue with step 7. Otherwise, continue with the next step to add another network interface for a dual-arm configuration.
- Add a network interface for a dual-arm configuration.
- Set up a network interface under the ClientNetwork subnet.
- Associate this network interface with the virtual machine for Web Gateway.
- Navigate to Routes and add an entry as follows.
- Destination — 0.0.0.0/0
- Target — One of the following, depending on the configuration type:
- For a single-arm configuration: The network interface on Web Gateway that you associated with the MWGNetwork subnet in step 2.
- For a dual-arm configuration: The network interface that you added in step 6.
- On Web Gateway, configure the appliance to run as a proxy in L2 Transparent network mode.
- On the user interface, select Configuration | Appliances.
- On the appliances tree, select this appliance, then select Proxies.
- Under Transparent Setup, select L2 Transparent.
- In the Port Redirects table, enter port redirects for the web traffic coming in under different network protocols, for example, HTTP or FTP, to be filtered on Web Gateway.
- Select File Editor, and on the appliances tree, select this appliance. Open the mwg system file for editing and append the following lines:
#Changes for L2 Transparent echo 1 > /proc/sys/net/ipv4/ip_forward masq_rule="POSTROUTING -o eth0 -j MASQUERADE" iptables -t nat -S | grep "$masq_rule" if [ $? != 0 ] then iptables -t nat -A $masq_rule fi dhclient -r eth0 dhclient eth0
These lines must also be appended for any additional inbound or outbound network interface as well, for example, if there is also an outbound eth2 interface on Web Gateway.
- If you are setting up a dual-arm configuration, complete these additional substeps:
- Select Appliances and on the appliances tree, select this appliance.
- Select Network Interfaces and under Enable these network interfaces, select eth1.
- Click Save Changes.
- Restart the appliance to let the changes take effect.
You have now set up a virtual Web Gateway appliance in L2 Transparent mode on AWS.
After associating the routing table with the ClientNetwork subnet, Internet connectivity to other systems in this subnet is lost. To restore it, you can add another entry to this table with the SSH or RDP public IP address of the subnet and an Internet gateway as target.
Depending on how Web Gateway is configured, more steps can be required to set up a virtual Web Gateway appliance in this mode. For example, if ports for network protection are assigned, they must be accounted for in a network security group.