Skyhigh Security

Transparent Proxy Settings (for use with WCCP)

Settings for the Transparent Proxy mode when using WCCP services to redirect web traffic

Option Definition

Supported client redirection methods

Lets you select a method for redirecting web traffic.

  • WCCP — When selected, HTTP client requests sent to web servers under IPv4 and IPv6 are intercepted by an additional network device and redirected to the appliance using the Web Cache Communication Protocol (WCCP).

    The clients are not aware of the redirection; it remains transparent to them.

    In the same way as for client requests, responses from web servers are directed back to the appliance.

    When using the WCCP redirection method, you need to configure one or more WCCP services on the appliance to let them perform the redirection.

    You also need to configure the network device that intercepts the client requests and server responses. This device can be configured as a router or switch with routing functions.

    NOTE: After selecting this option, the WCCP Services inline list appears below, where you can configure and add WCCP services.
     
  • L2 transparent — When selected, client requests sent to a web server under IPv4 and IPv6 are intercepted by an additional network device and directed to the appliance using the Layer 2 redirection method.

    Under this method, client requests are accepted on the appliance even if their destination IP addresses are not addresses of the appliance. The redirection is transparent to the clients.

    You need to enter the original ports for those client requests that are to be intercepted and redirected in a list on the appliance together with the ports that these requests are redirected to.

    The additional network device must be configured accordingly.

    When this option is selected, requests cannot be transmitted using a connection in active FTP mode. Only the passive FTP mode is then available.

    NOTE: After selecting this option, the Port Redirects list appears below, where you can configure and add ports for redirecting web traffic.

 

The following table describes the fields of an entry in the list of WCCP services used for redirecting web traffic.

Option Definition

Service ID

Identifies a service that redirects web traffic to an appliance under WCCP.

Service priority

Sets the priority for a WCCP service.

When web traffic is redirected to Web Gateway under WCCP, a WCCP service handles the redirection. An incoming data packet is then assigned to the service with the highest priority.

The priority value for a particular WCCP service is communicated by Web Gateway along with other information in the heartbeat messages that it sends to the WCCP router or switch at short intervals.

Priority range: 0 - 255

Default: 0

WCCP router definition

Specifies the multicast IP address and DNS name of a router (or switch with routing functions) that uses a WCCP service to direct web traffic to an appliance.

You can configure multiple routers here, separating entries by commas.

IP protocol version preference for name resolution

Selects the IP version that is preferred when resolving a host name to an IP address.

The host name is the name of the host system that a request with data packets was sent from.

The data packets are redirected using a WCCP router that Web Gateway registers with under the IP address that the host name is resolved to.

  • IPv4 — When selected, IPv4 is the preferred protocol version.
  • IPv6 — When selected, IPv6 is the preferred protocol version.
  • Use other protocol version as fallback — When selected, the host name is resolved using the other protocol version if the preferred version is not available.

For example, if a router supports only IPv4 addresses, the host name is resolved to an IPv4 address even if you selected IPv6 as the preferred version.

Ports to be redirected

Lists the ports, for example, on web servers, that data packets must have in their address information to be redirected.

You can specify up to eight port numbers here, separated by commas.

Ports to be redirected are source ports

Specifies whether the ports that are to be redirected are source ports.

When configuring a WCCP service, you need to select this option if the service is used to redirect responses from web servers back to the appliance.

Proxy listener IP address

Specifies the IP address of an appliance when serving client requests.

Proxy listener port

Specifies a port for listening to client requests.

The default port number is 9090.

MD5 authentication key

Sets a password used under the MD5 algorithm for signing and verifying control data packets.

The Set button opens a window for setting the password.

The password can have up to eight characters.

Assignment method

This main item does not appear in the list, but is visible in the Add and Edit windows. The following two elements are related to it, specifying the assignment method.

  • Assignment by mask — When selected, masking of the source or destination IP addresses is used for load distribution.
  • Assignment by hash — When selected, a hash algorithm is used for load distribution.

Input for load distribution

This main item does not appear in the list, but is visible in the Add and Edit windows. The following elements are related to it, specifying what is used in a data packet as the criteria for load distribution.

Different elements are provided, depending on whether you have selected assignment by mask or hash.

When running multiple appliances, load distribution can be configured for the proxies on them. Data packets can be distributed to these proxies based on their source or destination IP addresses and port numbers.

When source or destination IP addresses are used for load distribution, they can be masked or a hash algorithm can be applied to them, see the options under Assignment method.

When source or destination ports are used, only the hash algorithm method can be selected.

Load distribution elements for assignment by mask:

  • Source IP mask — Specifies the mask for a source IP address.
    The default mask value is 0x15.
  • Destination IP mask — Specifies the mask for a destination IP address.
    The default mask value is 0x15.

The maximum mask length is 4 digits, for example, 0xa000.

For both masks together, a maximum of 6 bits can be set.

If a mask is set to 0x0, it does not influence load distribution.

So, if you want to use, for example, only source IP addresses for load distribution, you need to set the mask for destination IP addresses to this value.

Load distribution elements for assignment by hash:

  • Source IP — When selected, load distribution is based on source IP addresses.
  • Destination IP — When selected, load distribution is based on destination IP addresses.
  • Source port — When selected, load distribution is based on source port numbers.
  • Destination port — When selected, load distribution is based on destination port numbers.

When configuring one WCCP service for handling client requests and another for handling web server responses, you need to select Source IP and Destination IP in a "crosswise" corresponding manner.

This means that if you select Source IP for the client requests service, you must select Destination IP for the web server responses service. If you select Source IP for the web server responses service, you must select Destination IP for the client requests service, and so on.

The same applies when selecting Source port and Destination port.
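
The mask limits and the crosswise rule described above, worked through as an added example (not Skyhigh code; all function names are hypothetical). It assumes that a mask applies to the low-order bits of an address and uses constructed sample addresses, and it applies the crosswise idea to masks, which goes slightly beyond the hash case the text describes. How the router distributes the resulting buckets among appliances is not modelled.

```python
import ipaddress
import re

MAX_TOTAL_BITS = 6  # page: at most 6 bits may be set across both masks


def parse_mask(text):
    """Parse a mask such as '0x15'; the page allows at most 4 hex digits."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{1,4}", text):
        raise ValueError(f"{text!r}: expected 0x followed by 1 to 4 hex digits")
    return int(text, 16)


def bucket_count(src_mask, dst_mask):
    """Number of distinct mask values (buckets) the two masks produce."""
    bits = bin(src_mask).count("1") + bin(dst_mask).count("1")
    if bits > MAX_TOTAL_BITS:
        raise ValueError(f"{bits} bits set in total, maximum is {MAX_TOTAL_BITS}")
    return 2 ** bits


def masked_bits(address, mask):
    """Pack the address bits selected by mask into a small integer.
    Assumption: the mask applies to the low-order bits of the address."""
    value, out, pos = int(ipaddress.ip_address(address)), 0, 0
    while mask:
        if mask & 1:
            out |= (value & 1) << pos
            pos += 1
        mask, value = mask >> 1, value >> 1
    return out


def bucket(src_ip, dst_ip, src_mask, dst_mask):
    """Bucket index for one packet: source bits followed by destination bits."""
    dst_width = bin(dst_mask).count("1")
    return (masked_bits(src_ip, src_mask) << dst_width) | masked_bits(dst_ip, dst_mask)


if __name__ == "__main__":
    client, server = "10.0.0.23", "203.0.113.80"  # constructed sample addresses
    print("default masks:", bucket_count(parse_mask("0x15"), parse_mask("0x15")), "buckets")
    # Requests service: source mask only (destination mask 0x0 has no influence).
    print("request :", bucket(client, server, 0x15, 0x0))
    # Responses service, crosswise: destination mask only, so the client IP decides again.
    print("response:", bucket(server, client, 0x0, 0x15))
    # Responses service with the source mask as well: the server IP decides instead.
    print("response, not crosswise:", bucket(server, client, 0x15, 0x0))
```

When the two services are not configured crosswise, a request and its response can land in different buckets, so the response may be directed to a proxy that never saw the request.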

Assignment weight

Sets a value to determine how much load is assigned to a proxy.

Use this value to assign more load to a proxy on an appliance that has more CPU capacity. 0 means no load is distributed to a proxy.

Forwarding weight

This main item does not appear in the list, but is visible in the Add and Edit windows. The following two elements are related to it, specifying the forwarding method.

  • GRE-encapsulated — When selected, data packets are encapsulated by the router before being redirected.
    When this element is selected, the following two elements are also shown:
    • GRE-redirect target — Lets you select a network interface on an appliance.
      All data packets that were received on this network interface are redirected to the listener port that is configured for this WCCP service.
    • Redirect for all interfaces — When selected, data packets are redirected to the same listener port regardless of the network interface that they were received on.
  • L2-rewrite to local NIC — When selected, data packets are redirected to the appliance by replacing the MAC address of the next device on the route to the web server with that of the appliance.
    When this element is selected, the following element is also shown:
    • L2-redirect target — Lets you select a network interface on an appliance.
      All data packets that were received on this network interface are redirected to the listener port that is configured for this WCCP service.

Magic (Mask assignment)

Lets you set an unknown field in the mask that an appliance sends to the router.

This setting is needed for ensuring compatibility with different versions of the vendor's operating system, which is used for the router.

NOTE: This element is only provided if Assignment by mask was selected as the assignment method.

Comment

Provides a plain-text comment on a WCCP service.
