When configuring a Secure Web Gateway in Transparent Bridge mode, you can fine-tune the configuration in addition to completing the basic steps. The fine-tuning includes the following:
Configuring port redirects
Setting up more than one appliance
- Handling of the Spanning Tree Protocol (STP)
For more information about this mode and how to configure it, see About the Transparent Bridge Mode and Configure the Transparent Bridge Mode.
Configuring Port Redirects
Secure Web Gateway is by default configured to scan and filter client requests for access to the web arriving on ports 80 and 443. All requests arriving on other ports are passed on to the web unfiltered unless you specify additional ports.
You can configure port redirects as exceptions for requests coming in from a particular client IP address or going to a particular destination IP address. These exceptions are also passed on to the web unfiltered.
For more information, see Configure Port Redirects to Pass On Request Unfiltered.
Setting up More Than One Appliance
When configuring Secure Web Gateway in Transparent Bridge mode, we recommend setting up more than one appliance in this mode.
When a Secure Web Gateway appliance is configured in this mode, it is implemented in an in-line position within your network. This means that all traffic is physically passing through the appliance, even if no ports are configured to receive the traffic and enable its filtering. Setting up only one appliance would therefore make it a single point of failure.
If you set up at least one other appliance, it can serve as a failover device. Another appliance will, however, not only perform failover functions, but also load balancing and processing web traffic.
Avoiding a Port Shutdown under STP
When a Secure Web Gateway appliance in your network is directly connected to switches operating under the Spanning Tree Protocol (STP), ports needed for load balancing communication might be shut down under this protocol.
On most network switches, STP is used to avoid loops and ensure a single path of communication, shutting down redundant ports that cause such loops.
The protocol is also used, however, when two or more appliances are configured in Transparent Bridge mode. One of them then takes the director role to direct the web traffic that occurs to the other appliances for processing. STP communicates information about this role and the load balancing measures between the appliances.
If network switches with STP are directly connected to the appliances, it is highly likely that ports needed for this load balancing communication are shut down.
You can proceed in one of the following ways to avoid a shutdown:
Disable STP on every switch that is directly connected to an appliance.
Do not use this method, however, if other components of your network rely on these switches and STP.
Install a second switch without STP between every appliance and switch with STP that the appliance would be connected to.
Setting up your network in this way ensures that load balancing on the appliances and other network components that rely on switches with STP are not impacted.