

Skyhigh Security

About Transparent Proxy Settings

The Transparent Proxy settings are used for configuring transparent features of the explicit proxy mode.

Transparent Proxy

Settings for configuring the explicit proxy mode with transparent features.

Option Definition

Supported client redirection methods

Provides methods for intercepting web traffic and redirecting it to an appliance.

  • WCCP — When selected, HTTP client requests sent to web servers under IPv4 and IPv6 are intercepted by an additional network device and redirected to the appliance using the Web Cache Communication Protocol (WCCP).

    The clients are not aware of the redirection, it remains transparent for them.

    In the same way as for client requests, responses from web servers are directed back to the appliance.

    When using the WCCP redirection method, you need to configure one or more WCCP services on the appliance. A WCCP service registers the appliance with the redirecting network device and defines which traffic that device redirects to it.

    You also need to configure the network device that intercepts the client requests and server responses. This device can be configured as a router or switch with routing functions.

    After selecting this option, the WCCP Services inline list appears for configuring and adding WCCP services.
     
  • L2 transparent — When selected, client requests sent to a web server under IPv4 and IPv6 are intercepted by an additional network device and directed to the appliance using the Layer 2 redirection method.

    Under this method, client requests are accepted on the appliance even if their destination IP addresses are not addresses of the appliance. The redirection is transparent to the clients.

    You need to enter the original ports for those client requests that are to be intercepted and redirected in a list on the appliance together with the ports that these requests are redirected to.

    The additional network device must be configured accordingly.

    When this option is selected, requests cannot be transmitted over a connection in active FTP mode. Only passive FTP mode is available.

    After selecting this option, the Port Redirects inline list appears for entering ports.

The following two tables describe list entries in the lists of WCCP services and port redirects.

Advanced Outgoing Connection Settings

Settings that specify how the appliance handles information contained in client requests to web servers, as required by its network environment.

Option Definition

IP spoofing (HTTP, HTTPS, FTP)

When selected, the appliance keeps the client IP address that is contained in a client request as the source address and uses it in communication with the requested web server under various protocols.

When WCCP services are used for intercepting web traffic and directing it to the appliance, you need to configure two services for each port on the appliance that listens to client requests: one for the requests that come in from the clients, and one for responses to these requests that are sent by the web servers.

When this option is not selected, the appliance uses its own IP address as the source address in this communication.

  • IP spoofing for explicit proxy connections — When selected, client addresses are kept in explicit proxy mode, in which web traffic is not intercepted by an additional device.
     
  • Use same source port as client for IP spoofing — When selected, client source ports are kept and used in addition to client source addresses for communication with web servers.

    When this option is not selected, the appliance chooses a random source port and uses it in this communication.

HTTP: Host header has priority over original destination address (transparent proxy)

When selected, the destination address that is provided in the HOST header part of a client request under HTTP is used for communication with the requested web server.

In a transparent proxy configuration, communication with a web server could also use the destination address of the TCP connection over which the client request arrives. This address is also known as the original destination address.

Both methods are available regardless of whether client requests are intercepted by the transparent proxy on the appliance itself or by a WCCP service that redirects them to the appliance.

Using the Host header destination address is the preferred method. For some configurations, however, it is necessary to deselect this option and use the original destination address for communication with a web server.

  • If web traffic is processed on multiple appliances with transparent proxies running on them and client requests are routed to them according to destination addresses, it must be ensured that the proxies use the original destination addresses when connecting to web servers.
     
  • This applies also if a WCCP service intercepts client requests and redirects them to multiple appliances, using destination addresses for load distribution.

Sample WCCP service settings for IP spoofing

Sample settings for configuring WCCP services with IP spoofing

NOTE: Configure these settings only if you want to perform IP spoofing. Without IP spoofing, a second service is usually not required for redirecting web traffic to the appliance under WCCP.

You can use IP spoofing in a configuration with WCCP services that intercept web traffic and direct it to the appliance. In this case, you need to configure two services for each port on which the appliance listens for client requests.

One of these services is for the requests that come in from the clients and another one for the responses to these requests that are sent by the web servers.

The following table shows sample parameter values for these services.

Option                                     Service for client requests    Service for web server responses
Service ID                                 51                             52
Service priority                           0                              0
WCCP router definition                     10.150.107.254                 10.150.107.254
Ports to be redirected                     80, 443                        80, 443
Ports to be redirected are source ports    false                          true
Proxy listener IP address                  10.150.107.251                 10.150.107.251
Proxy listener port                        9090                           9090
MD5 authentication key                     ********** (masked)            ********** (masked)
Input for load distribution                (main item; not shown in the settings list, but visible in the Add and Edit windows; the following rows belong to it)
  Source IP                                true                           false
  Destination IP                           false                          true
  Source port                              true                           false
  Destination port                         false                          true
Assignment method                          (main item; not shown in the settings list, but visible in the Add and Edit windows; the following rows belong to it)
  Assignment by mask                       true                           true
  Assignment by hash                       false                          false
  Assignment weight                        100                            100
Forwarding method                          (main item; not shown in the settings list, but visible in the Add and Edit windows; GRE-encapsulated and L2-rewrite to local NIC belong to it)
  GRE-encapsulated                         false                          false
  L2-rewrite to local NIC                  true                           true
L2-redirect target                         eth1                           eth1
Magic (Mask assignment)                    -1                             -1
Comment                                    (empty)                        (empty)
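The following Python is an added example, not code from the Skyhigh Security page or product. It models the two sample services above (IDs 51 and 52) together with the "HTTP: Host header has priority over original destination address" option from the Advanced Outgoing Connection Settings, and shows two things the tables state but do not explain: why, with IP spoofing, the response service must distribute on the destination IP address (so the spoofed reply, addressed to the client, lands on the appliance that holds the connection), and why distribution by destination address requires the proxy to connect to the original destination rather than to a Host header that resolves elsewhere. Mask assignment is simplified to a bit extraction; the appliance names, the mask value, the client and server addresses and the name-to-address mapping are constructed for illustration.

```python
"""Model of the sample WCCP service pair (IDs 51/52) and of the Host-header
option. Added example in constructed Python, not part of the Skyhigh Security
page or product: mask assignment is simplified to a bit extraction, and the
appliance names, addresses and mask value are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

@dataclass(frozen=True)
class Flow:                      # one TCP connection as the router sees it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def masked_index(value: int, mask: int) -> int:
    """Concatenate the bits of value selected by mask (simplified WCCP mask assignment)."""
    index, bit = 0, 0
    while mask:
        if mask & 1:
            index |= (value & 1) << bit
            bit += 1
        value >>= 1
        mask >>= 1
    return index

@dataclass(frozen=True)
class WccpService:
    service_id: int
    ports: Tuple[int, ...]     # "Ports to be redirected"
    ports_are_source: bool     # "Ports to be redirected are source ports"
    hash_src_ip: bool          # "Input for load distribution": Source IP
    hash_dst_ip: bool          # "Input for load distribution": Destination IP

    def matches(self, f: Flow) -> bool:
        port = f.src_port if self.ports_are_source else f.dst_port
        return port in self.ports

    def appliance_for(self, f: Flow, appliances: Sequence[str], mask: int) -> str:
        """Pick an appliance by mask assignment over the selected IP field(s)."""
        index = 0
        if self.hash_src_ip:
            index ^= masked_index(int(ipaddress.ip_address(f.src_ip)), mask)
        if self.hash_dst_ip:
            index ^= masked_index(int(ipaddress.ip_address(f.dst_ip)), mask)
        return appliances[index % len(appliances)]

APPLIANCES = ["swg-a", "swg-b"]  # assumed: two appliances behind one router
IP_MASK = 0x0000_0F00            # assumed: four bits of the third octet

# Services 51 and 52 as in the table: both directions hash the client address
# (source IP on the request, destination IP on the spoofed response).
CLIENT_REQUESTS = WccpService(51, (80, 443), False, hash_src_ip=True, hash_dst_ip=False)
SERVER_RESPONSES = WccpService(52, (80, 443), True, hash_src_ip=False, hash_dst_ip=True)
SPOOFING_SERVICES = [CLIENT_REQUESTS, SERVER_RESPONSES]

# Alternative pair that distributes by web server address in both directions
# (the destination-based distribution the Host header caveat refers to).
REQUESTS_BY_SERVER = WccpService(51, (80, 443), False, hash_src_ip=False, hash_dst_ip=True)
RESPONSES_BY_SERVER = WccpService(52, (80, 443), True, hash_src_ip=True, hash_dst_ip=False)

def redirect(f: Flow, services: Sequence[WccpService], appliances: Sequence[str] = APPLIANCES,
             mask: int = IP_MASK) -> Optional[Tuple[int, str]]:
    """(service id, appliance) of the first matching service; None if not redirected."""
    for s in services:
        if s.matches(f):
            return s.service_id, s.appliance_for(f, appliances, mask)
    return None

def response_flow(request: Flow, server_ip: str) -> Flow:
    """The reply as the router sees it when IP spoofing keeps client IP and port."""
    return Flow(server_ip, request.dst_port, request.src_ip, request.src_port)

def both_directions_same_appliance(request: Flow, server_ip: str,
                                   services: Sequence[WccpService]) -> bool:
    """Does the spoofed reply reach the appliance that holds the connection?"""
    fwd = redirect(request, services)
    back = redirect(response_flow(request, server_ip), services)
    return fwd is not None and back is not None and fwd[1] == back[1]

def outgoing_destination(f: Flow, host_header: Optional[str], host_header_priority: bool,
                         resolve: Callable[[str], Optional[str]]) -> str:
    """Address the proxy connects to: resolved Host header, or the original destination."""
    resolved = resolve(host_header) if host_header_priority and host_header else None
    return resolved or f.dst_ip

def host_header_consistent(request: Flow, host_header: str, host_header_priority: bool,
                           resolve: Callable[[str], Optional[str]]) -> bool:
    """Under distribution by server address, does the reply return to the right appliance?"""
    services = [REQUESTS_BY_SERVER, RESPONSES_BY_SERVER]
    fwd = redirect(request, services)
    server = outgoing_destination(request, host_header, host_header_priority, resolve)
    back = redirect(response_flow(request, server), services)
    return fwd is not None and back is not None and fwd[1] == back[1]

# Constructed sample: HTTPS request whose Host header resolves to another address.
REQUEST = Flow("10.150.107.10", 51234, "93.184.216.34", 443)
RESOLVE = {"www.example.net": "203.0.113.7"}.get
```

With the table's settings, `both_directions_same_appliance(REQUEST, REQUEST.dst_ip, SPOOFING_SERVICES)` holds for any client, because both services reduce the same client address through the same mask. Swapping the response service for one that hashes on the source IP (the web server) breaks this for the sample flow, and `host_header_consistent(REQUEST, "www.example.net", True, RESOLVE)` is false for the same reason: the request was distributed on the original destination, but the reply comes from the address the Host header resolved to.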
