Inline + proxy mode and blocking https
Created: 16 Nov 2011 | 3 comments
I am doing a POC for a customer; please advise on the following:
1) If I were to block an HTTPS website, e.g. https://facebook.com, then I would need to configure inline + proxy mode. Please advise.
2) For inline + proxy mode, I understand that we need 1 IP address for LAN 1 and another IP address for LAN 2, and both IP addresses must be on different subnets. Can someone confirm this?
3) If I use proxy mode only, i.e. the SWG acts as a proxy (i.e. 1 leg to LAN), and configure the users' browser proxy setting pointing to the SWG appliance, can the SWG block an HTTPS website, e.g. https://facebook.com?
Thanks.
Comments
Hi,
Some answers here
1) In order to block HTTPS traffic you need the proxy, so proxy only OR inline + proxy modes are OK. It is the proxy feature that will allow SWG to block HTTPS.
2) Any configuration that involves the proxy, so proxy only OR inline + proxy requires separate MGMT and Inline networks, so 2 IP addresses in different subnets.
3) Yes, in proxy only mode, you can block HTTPS websites.
Make sure the browser is properly configured and always check Custom Reports in SWG to troubleshoot if the result is unexpected. Try to always use either "monitor" or "block" actions. "Allow" does not produce entries on the custom reports.
Also, have a look at this article as it contains some useful tips for SWG deployments.
SWG : Best Practices - New Deployments
HTH,
Federico
Thanks.
For inline+proxy mode
Regards
Hi,
- the browsers must use the SWG LAN/WAN inline IP address as the proxy address.
- the external firewall must allow traffic from that IP address. The browsers will connect to the proxy IP address and the proxy will re-generate new connections to the intended URLs on the internet.
Regards,
Federico