Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Outbound Source IP Addresses

  1. Last updated
  2. Save as PDF

Using different source IP addresses for outbound connections from Web Gateway to web servers or next-hop proxies can lead to connection problems. To avoid these problems, you can replace these addresses with a single address.

Different source IP addresses might be used, for example, when load balancing is configured for multiple Web Gateway appliances. Load balancing can lead to connection problems on the side of the involved web servers or next-hop proxies. Problems can, for example, arise when source IP addresses change during a session period.

To avoid these problems, you can configure a rule that replaces changing source IP addresses with a single address.

This single address does not have to be fixed. You can set up a list of IP addresses and let the rule select an address in a particular position on the list. The address that replaces other addresses then varies according to what you have entered in that position.

Network setups for controlling outbound source IP addresses

Controlling outbound source IP addresses is supported for network setups with:

  • IPv4 or IPv6
  • HTTP, HTTPS, FTP, or SOCKS proxy

NOTE: Instant messaging is not supported.

  • Proxy (with optional WCCP) mode

The transparent router mode is supported if the source IP addresses that are used for replacing other addresses are configured as aliases.

The Proxy HA and transparent bridge modes are not supported.

Periodic rule engine triggering is also possible when control of outbound source IP addresses is implemented.

Sample rule for controlling outbound source IP addresses

A rule that replaces outbound source IP addresses by a single address, for example, when connections to next-hop proxies are set up, could look as follows:

Name
Use proxy depending on the destination
Criteria                                                     Action        Events
URL.Destination.IP is in range list Next Hop Proxy IP        –> Continue   Enable Next Hop Proxy<Internal Proxy>
Range List                                                                 Enable Outbound Source IP
OR                                                                         Override(Proxy.OutboundIP(2))
URL.Destination.IP is in list Next Hop Proxy IP List

The criteria of the rule specifies when a next-hop proxy is used. The first of the two events sets up a connection to a next-hop proxy.

The second event, Enable Outbound Source IP Override, is for controlling outbound source IP addresses. It replaces ("overrides") any source IP address that is submitted with a request by an IP address that is taken from a list.

An event parameter, which is itself a property, specifies the IP address. The name of the property is Proxy.OutboundIP. Its value is the IP address in the list position determined by the property parameter.

List of IP addresses for controlling outbound source IP addresses

The list of IP addresses that you can use to replace outbound source IP addresses is part of the Proxies settings. You can find it there under Advanced Outgoing Connection Settings. Its name is Outbound Source IP list.

The following applies regarding the position of an IP address in the list:

  • The list index starts from 0. If you specify, for example, 2, as the parameter of the Proxy.OutboundIP property to determine a position, the third IP address on the list is selected.
  • If you specify a parameter value that is higher than the number of list entries, the position is determined by calculating <parameter-value> modulo <number-of-list-entries>.

For example, if you specify 5 for a list that has only three list entries, the result of the modulo calculation is 2. The third IP address on the list is then selected.

Network routing and IP address spoofing

The IP addresses that are inserted into data packets by the Enable Outbound Source IP Override event are non-local source IP addresses. You must therefore configure network routing in a suitable way.

Data packets that are sent back from a web server to a client must be routed to the proxy on Web Gateway. You can, for example, use static routes to route the data packets.

When the Enable Outbound Source IP Override event is triggered and you have IP address spoofing enabled, the event also overrides this setting.

Logging the use of outbound IP source addresses

Several properties are available for logging data about outbound connections, including the source IP address and port that Web Gateway uses when connecting to web servers or next-hop proxies.

These properties are set to particular values, regardless of whether you have configured a single source IP address, using the Enable Outbound Source IP Override event. But you can also use them in this case.

  • Proxy.Outbound.IP — Stores the source IP address that Web Gateway uses when connecting to web servers and next-hop proxies.

NOTE: Do not confuse this property with Proxy.OutboundIP, which has no dot before IP and is used together with the

Enable Outbound Source IP Override event to select a single source IP address from a list.

  • Proxy.Outbound.Port — Stores the source port that is used by Web Gateway when connecting to web servers or next-hop proxies.
  • Proxy.Outbound.IPList — Stores the list of source IP addresses that Web Gateway can select an address from when connecting to web servers and next-hop proxies.

The list is configured as part of the Proxies settings under Advanced Outgoing Connection Settings. Its name is Outbound Source IP list. When a single source IP address for outbound connections is configured, it is taken from this list.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.