Configure Symantec Appliance Proxy Forwarding

With this Web Security Service (WSS) connectivity method, you configure a Symantec Blue Coat ProxySG or ASG appliance to forward non-internal web traffic to WSS for security and acceptable web-use policy checks.

Technical Requirements

This section provides a high-level set of technical requirements:
  • Deployed Symantec Blue Coat ProxySG or ASG appliance:
    • Minimum version: SGOS 6.7.x.
    • The gateway firewall must allow ports 8080, 8443, and 8084 (if configured). See Required Ports and Protocols.
    • SGOS 6+ required to use the non-standard 8084 port.
    • Know the egress IP address.
  • Identity/Authentication:
    • WSS Web Security—The Auth Connector is not strictly required, but it is necessary in most deployments. Without it, you cannot define pre-traffic WSS policies against users or groups.
    • WSS CASB Gateway—If your WSS account is provisioned for CASB Gateway (CASB-only mode), the Auth Connector is not required. WSS does not require users or groups for policies. The on-premises ProxySG appliance provides the user/group information to CloudSOC. CASB Gateway uses SpanVA to map users to groups.
  • To configure an existing gateway ProxySG or ASG appliance to forward HTTP/HTTPS traffic from downstream devices/clients up to WSS, you must create forwarding hosts that carry HTTP, HTTPS, and SSL traffic. The forwarding policy that is installed on the appliance directs traffic to the correct forwarding host, comprised of the following:
    • Required: HTTP—Traffic forwarded on port 8443 (encrypted).
    • Required: Unintercepted SSL—Traffic forwarded on port 8080.
    • Optional: Intercepted SSL—A gateway appliance running SGOS 6.5.x or later supports the following. A local proxy performs SSL interception and forwards the user authentication information (in addition to traffic) to WSS on port 8084. If you configure the appliance to intercept some SSL traffic (specific categories), you must create this service.
  • Install the WSS root certificate and add it to the browser-trusted list (see the prerequisite procedure).
  • The best practice is 1 public IP address for every 5000 users. For example, if you have 10,000 on-premises users whose connections must egress to WSS, use two gateway proxies.
  • Enable port randomization and ensure that Reflect Client IP is disabled (see Step 7).
  • Distribute the root cert to endpoints.

Best Practice—Authentication

Authentication is not combined. Therefore, if local authentication fails and the information is not forwarded, the WSS authentication process also fails. The best practice is to use two ProxySG/ASG appliances to eliminate local authentication as a single point of failure.

Prerequisite—Install the Root Certificate

Install the WSS root certificate on the appliance and add it to the browser-trusted list. This is required if the ProxySG appliance is forwarding any SSL traffic, regardless of where the termination occurs.
Step 1—Obtain the WSS Certificate
  1. In the WSS portal, navigate to Policy > TLS/SSL Interception.
  2. Expand the TLS/SSL Interception Certificate area.
  3. Click Download.
  4. Click Save File and save the certificate to an internally accessible location.
  5. Open the file with a text application (Notepad, for example). Copy the contents to the clipboard.
Step 2—Upload the Certificate to the ProxySG Appliance
  1. In the ProxySG Management Console, select Configuration > SSL > CA Certificates > CA Certificates.
  2. Click Import.
    1. Name the certificate. If you are replacing an existing certificate, enter a different name.
    2. Paste the root certificate from the clipboard into the CA Certificate PEM area.
    3. Click OK.
  3. Click the CA Certificate Lists tab.
  4. Select browser-trusted.
    1. Click Edit.
    2. Locate and select the WSS root certificate.
    3. Click Add to move it to the browser-trusted field.
    4. If you are replacing the certificate, Remove the old one from the list.
    5. Click OK.
  5. Click Apply to enable the changes.
If you require more information about appliance certificate management, consult the following.
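As an added example (not Symantec code and not part of this procedure), the following Python script sanity-checks the PEM text copied in Step 1 before it is pasted into the CA Certificate PEM area: it requires exactly one CERTIFICATE block, a clean base64 body, a DER outer SEQUENCE whose first element is also a SEQUENCE (tbsCertificate), and rejects a file that also carries a private key. SAMPLE_PEM is a constructed stand-in for testing, not a real certificate.

```python
import base64
import re

# Added example, not Symantec code: sanity-check the PEM text copied from the
# downloaded WSS root certificate before pasting it into "CA Certificate PEM".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _der_sequence(buf, pos):
    """Parse a DER SEQUENCE header at pos; return (content_len, content_start) or None."""
    if pos + 2 > len(buf) or buf[pos] != 0x30:
        return None
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length (< 128 bytes)
        return first, pos + 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or pos + 2 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def check_ca_pem(text):
    """Return (ok, problems, normalized_pem); ok only for one well-formed certificate."""
    problems = []
    text = text.lstrip("\ufeff").replace("\r\n", "\n")   # BOM / CRLF from Notepad
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains a private key; a CA list takes certificates only")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append("expected exactly one CERTIFICATE block, found %d" % len(certs))
        return False, problems, None
    body = "".join(certs[0].split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        problems.append("certificate body is not valid base64 (truncated or edited copy?)")
        return False, problems, None
    outer = _der_sequence(der, 0)
    if outer is None or outer[0] + outer[1] != len(der):
        problems.append("DER is not a single SEQUENCE of the declared length")
        return False, problems, None
    if _der_sequence(der, outer[1]) is None:
        problems.append("first element is not a SEQUENCE (tbsCertificate expected)")
        return False, problems, None
    # Re-wrap at 64 columns so the paste is a clean, standard PEM block
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)
    return not problems, problems, pem

# Constructed stand-in for testing (NOT a real certificate): DER 30 05 30 03 02 01 01
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\nMAUwAwIBAQ==\r\n-----END CERTIFICATE-----\r\n"
```

Run `check_ca_pem(open("wss_root.pem").read())` on the downloaded file; a False result with its reasons tells you what to fix before the console import.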

Procedure—Configure the Appliance

The following task demonstrates configuration with the ProxySG appliance running SGOS 6.8.x.
If you create hosts with the example names in this procedure, you do not need to edit the installed forwarding policy.
Prerequisite—Verify that proper authentication is configured on the ProxySG appliance.
To display user names in reports and make user names and groups available for custom policy, you must configure ProxySG appliance authentication. For more information about Proxy Edition authentication, refer to the document for your SGOS version.
For MACH 5 Edition ProxySG appliances, authentication configuration requires adding more authentication Content Policy Language (CPL) to the Local policy file. See Reference: Additional Authentication CPL for SGOS MACH 5 Proxy Forwarding.
Step 1—Create a Location in the Portal
Create a fixed Location in the WSS portal. A Location instructs WSS to accept incoming connections from the firewall device IP address.
  1. In the WSS portal, navigate to Connectivity > Locations.
  2. Click Add Location.
  3. Complete the Location dialog.
    (Screenshot: Proxy Forwarding Location)
    1. Name the location. For example, enter a location designation or employee group identification name.
    2. Select Proxy Forwarding as the Access Method.
    3. Enter the gateway IP/Subnet that you defined in the ProxySG forwarding host configuration dialog or ISA/TWG policy.
  4. Enter resource and location information.
    (Screenshot: Firewall/VPN Location Information)
    1. Select the Estimated User range that sends web requests through this gateway interface. Symantec uses this information to ensure proper resources are allocated.
    2. Select a Country and Time Zone.
    3. Fill out location information and enter comments (optional).
  5. Click Save.
Step 2—Verify that the External/Explicit HTTP proxy services are enabled and set the HTTPS proxy service to TCP Tunnel.
To avoid connection issues, the External HTTP or Explicit HTTP proxy services (configured together for ports 80 and 8080) must be enabled, and the HTTPS proxy service must be configured to use TCP Tunnel as the Proxy Setting.
  1. In the ProxySG appliance Management Console, select Configuration > Services > Proxy Services.
  2. Verify that either the Explicit HTTP or the External HTTP service is enabled (set to Intercept). The selected service depends on your gateway deployment method.
    (Screenshot: Proxy Forward Explicit Services)
  3. Configure the HTTPS service to use TCP_Tunnel.
    1. Select the Explicit HTTPS or External HTTPS service and click Edit Service.
      (Screenshot: Proxy Forwarding HTTPS service)
    2. From the Proxy drop-down list, select TCP Tunnel.
    3. Select Detect Protocol; accept the Detect Protocol warning.
    4. Clear the Enable ADN option.
    5. Click OK.
    6. In the Listeners area, set the Action to Intercept.
  4. Click Apply.
Step 3—Create a server forwarding host for HTTPS (Port 8443).
This host forwards HTTP traffic to WSS over an encrypted connection.
  1. In the Management Console, select the Configuration > Forwarding > Forwarding Hosts > Forwarding Hosts tab.
  2. Click New. The Management Console displays the Add Forwarding Hosts dialog.
  3. Create the WSS host.
    (Screenshot: Proxy Forwarding SG Host Secure)
    1. Enter an Alias name for the host. For example: WSSSecure8443.
    2. Enter the WSS Host name: proxy.threatpulse.net (unless you were given another service point name).
    3. Select Server.
    4. Clear the Ports: HTTP option.
    5. Enter 8443 in the Ports: HTTPS field.
    6. Host Affinity Methods HTTP: Select Client IP Address.
    7. Host Affinity Methods SSL: Select Client IP Address.
    8. Click OK to close the dialog.
  4. Click Apply.
Step 4—Create a Proxy Forwarding Host for Unintercepted SSL (Port 8080)
This host forwards HTTPS, SSL, and TCP traffic to WSS. Installed policy directs the traffic over port 8080 or 443. If configured, WSS intercepts SSL for policy inspection.
  1. Remaining on the Forwarding Hosts tab, click New. The Management Console displays the Add Forwarding Hosts dialog.
  2. Create the WSS host.
    (Screenshot: Proxy Forwarding SG Host)
    1. Enter an Alias name for the host. For example: WSSHTTP8080.
    2. Enter the WSS Host name: proxy.threatpulse.net (unless you were given another service point name).
    3. Select Proxy.
    4. Enter 8080 in the Ports: HTTP field.
    5. Click OK to close the dialog.
  3. Click Apply.
Step 5—(Conditional Option) Create a Proxy Forwarding host for locally-intercepted SSL traffic (port 8084).
If your gateway ProxySG appliance is running SGOS 6.5.x or later and you have configured it to intercept some SSL traffic for local inspection and user authentication forwarding, configure a forwarding host for port 8084.
  1. Remaining on the Forwarding Hosts tab, click New. The Management Console displays the Add Forwarding Hosts dialog.
  2. Create the WSS host.
    (Screenshot: Add Proxy Forward Host 8084)
    1. Enter an Alias name for the host. For example: WSSInterceptedHTTPS8084.
    2. Enter the WSS Host name: proxy.threatpulse.net (unless you were given another service point name).
    3. Select Proxy.
    4. Enter 8084 in the Ports: HTTP field.
    5. Host Affinity Methods HTTP: Select Client IP Address.
    6. Click OK to close the dialog.
  3. Click Apply.
Step 6—On the gateway ProxySG appliance, define policy that sends traffic to the forwarding host.
This is a critical step that routes the web traffic to WSS.
  1. In the Management Console, select the Configuration > Policy > Policy Files tab.
  2. Install the forwarding policy:
    1. In the Install Policy area, select Text Editor from the Install Forward File From drop-down list.
    2. Click Install. The interface displays the Edit and Install the Forward File dialog.
    3. Enter the forwarding policy at the end of any existing forwarding policy. To copy and paste a template created by Symantec, see Reference: Proxy Forwarding Policy.
    4. Click Install to close the dialog.
  3. This step is required if these groups are not currently referenced in the gateway proxy policies or if you want the ability to define WSS policy against these groups.
    Define policy that lists the groups of interest that are allowed access to WSS. Add this policy to the Forward file or the Central file (if you use one for easier distribution).
    1. In the Install Policy area, select Text Editor from the Install Forward File From or Install Central File From drop-down list.
    2. Click Install; the interface displays the Edit and Install the File dialog.
    3. Paste the following policy at the end of your existing central policy. The policy defines the groups of interest that are subject to WSS policy and are visible in reports (replace each group_name with one of your directory groups):
       define condition threatpulse_groups
         group=(group_name, group_name, group_name)
       end
    4. Click Install to close the dialog.
  4. Click Apply.
Step 7—Randomize Ports and Disable Reflect Client IP.
Enable port randomization and allow for the full TCP-IP port range.
From the ProxySG appliance CLI (enable > configure mode), enter the following commands:
  # config term
  #(config) tcp-ip inet-lowport 1024
  #(config) tcp-ip tcp-randomize-port enable
  #(config) exit
Do not use the Reflect Client IP option, because it disables port randomization and forces the use of another port-mapping algorithm.
  • ProxySG Management Console: Select the Configuration > Proxy Settings > General > General tab and clear the Reflect client’s source IP when connecting to servers option.
  • ProxySG CLI (enable > configure mode):
    SGOS#(config) general
    SGOS#(config general) reflect-client-ip disable
The Reflect Client IP option is also available in policy. Verify that you do not have any policy actions that enable Reflect Client IP.
Troubleshooting
In a deployment where the ProxySG appliance forwards traffic to WSS and a large number of users use the service, latency increases and page-loading timeouts might occur because the pool of TCP connections is exhausted.

Next Step