You can set up Web Gateway as a virtual cloud resource on an Azure platform and configure it to run in the L2 Transparent network mode.
You can set up the resource with one network interface for Web Gateway in a single-arm configuration or include an additional network interface in a dual-arm configuration.
Complete the first steps of this task for any of the two configuration types. Then follow the instructions provided for either type.
- On the Azure portal, create a virtual private cloud (VPC) for Web Gateway
- Create a VPC with IP address 192.168.0.0/16 (CIDR notation).
- Create these subnets in the VPC:
- MWGNetwork — 192.168.10.0/24
- ClientNetwork — 192.168.5.0/24
- Allow all protocols and ports inbound for source 192.168.0.0/16 in the network security group that includes these subnets.
- Create a virtual machine as a platform for running the Web Gateway appliance software.
- Create a virtual machine.
- Locate the appliance software in .vhd file format on the Skyhigh Content & Cloud Security Portal, also known as the Web Gateway extranet, then use this file to launch the appliance software on the virtual machine.
- Associate a network interface on Web Gateway with the MWGNetwork subnet .
- Disable IP forwarding for the network interface on Web Gateway that you associated with the MWGNetwork subnet.
- In the search field for resources, search for network interfaces and select the one for Web Gateway when it appears among the results.
- Under Settings, select IP Configurations, and make sure Disabled is selected.
- Click Save.
- Create another virtual machine for use as a Web Gateway client.
- Create a virtual machine.
- Associate a network interface on this virtual machine with the ClientNetwork subnet.
- Create a routing table for the ClientNetwork subnet.
- Search for virtual networks and select the VPC you created for Web Gateway when it appears among the results.
- Under Subnets, select the ClientNetwork subnet you created in the VPC.
- Under Route Table, select the one you want to associate with this subnet.
- Select Create.
If you want to set up a single-arm configuration, continue with step 6. Otherwise, continue with the next step to add another network interface for a dual-arm configuration.
- Add a network interface for a dual-arm configuration.
- Set up a network interface under the ClientNetwork subnet.
- Enable IP forwarding for this network interface, see step 3 where you disabled it for a network interface.
- Associate this network interface with the virtual machine for Web Gateway.
- Navigate to Routes and add an entry as follows.
- Address Prefix — 0.0.0.0/0
- Next-Hop Type — Virtual Appliance
- Next-Hop IP Address — One of the following, depending on the configuration type:
- For a single-arm configuration: The IP address of the network interface on Web Gateway that you associated with the MWGNetwork subnet in step 2.
- For a dual-arm configuration: The IP address of the network interface that you added in step 6.
- On Web Gateway, configure the appliance to run as a proxy in L2 Transparent network mode.
- On the user interface, select Configuration | Appliances.
- On the appliances tree, select this appliance, then select Proxies.
- Under Transparent Setup, select L2 Transparent.
- In the Port Redirects table, enter port redirects for the web traffic coming in under different network protocols, for example, HTTP or FTP, to be filtered on Web Gateway.
- Select File Editor, and on the appliances tree, select this appliance. Open the mwg system file for editing and append the following lines:
#Changes for L2 Transparent echo 1 > /proc/sys/net/ipv4/ip_forward masq_rule="POSTROUTING -o eth0 -j MASQUERADE" iptables -t nat -S | grep "$masq_rule" if [ $? != 0 ] then iptables -t nat -A $masq_rule fi dhclient -r eth0 dhclient eth0
These lines must also be appended for any additional inbound or outbound network interface, for example, if there is also an outbound eth2 interface on Web Gateway.
- If you are setting up a dual-arm configuration, complete these additional substeps:
- Select Appliances and on the appliances tree, select this appliance.
- Select Network Interfaces and under Enable these network interfaces, select eth1.
- Click Save Changes.
- Restart the appliance to let the changes take effect.
You have now set up a virtual Web Gateway appliance in L2 Transparent mode on Azure.
After associating the routing table with the ClientNetwork subnet, Internet connectivity to other systems in this subnet is lost. To restore it, you can add another entry to this table with the SSH or RDP public IP address of the subnet and an Internet gateway as next-hop proxy type.
Depending on how Web Gateway is configured, more steps can be required to set up a virtual Web Gateway appliance in this mode. For example, if ports for network protection are assigned, they must be accounted for in a network security group.