Virtual Secure Web Gateway

hi guys,

we have a symantec web gateway for content filtering.  we  are trying to set it up to be used as proxy also.  there are not too many tutorials on the internet.   we are having problem to set it up.  can anybody help please

thanks

Can you give some detail on the problems you are having? Is it a physical or virtual appliance you are setting up?  Have you read through the Administration Guide and do you have any questions based on what you've read?  It's just hard to help when you haven't really given any details as to what your problem is.

Cheers,

Kevin

I have attached the product manual which should help you with the process of configuring and using the Symantec Web Gateway.

If you come up with any specific questions please feel free to post them.

Attachment(s)

Symantec_Web_Gateway_5.0_Implementation_Guide_EN_7.pdf   2.55 MB 1 version

Thank you very much for your reply.

i have gone through the administration guide but it is not of much help.

in fact my problem is that i have followed the instruction manual, but unable to set up the proxy.

It is a physical web gateway. 

i am attaching the topology of my network and the position of the web gateway.

thank a lot for your support

Attachment(s)

Network topology.pdf   75 KB 1 version

thank you very much.

Please find attached my network topology.  the documentation is not of great help

Attachment(s)

Network topology_0.pdf   75 KB 1 version

Are you having a specific problem? So far you havent asked for anything other than help, but without specific questions we won't be able to provide any guidance.

in fact we have tried to follow the documentation but was unable to make it work.

what must be the ip the management port and the lan port.  i have tried to put some ip but my content filtering was not working and had to revert back.

if my network address is 192.9.200.0/24 what must be the ip of my lan port and management port.

Are you using an applaince or a virtual edition of the SWG?

If you can access the console of the SWG. You can find the Management port IP via the menu option 3 - Display Current IP. So long as the system you are working on is on the same network you should be able to access the SWG UI via that IP address.

...as it says in the SWG documentation, in order to enable proxy mode, you must first enable the option under Configuration -> Network to 'Separate Inline and Management NICs".  A further requirement of this is that the two interfaces cannot reside in the same subnet, so you'll have to do some fiddling to ensure both are accessible...

Once these have been separated, you'd then need to change the operation mode to Inline+Proxy, as your diagram suggest it is currently implemeted Inline.

Now that the SWG is in proxy mode, additional options are now available under the Configuration -> Proxy tab for controlling the proxy options.  Once setup, it should be a simple matter of pointing a browser at the SWG's LAN interface IP address, to start utilising the proxy.

This is a simplified overview of how to set up proxy mode.  More info is in the documentation 

are you saying that my lan port should be on the network address 192.9.220.0/24 and management port on a different subnet?

...is addressible by the users' browsers, and can route out to the internet, then yeah.

This is also covered in the manual.

hi

i have completed the installation .  when setting up my browser for using proxy, i am getting the messages

The requested URL could not be retrieved

While trying to retrieve the URL: http://www.bbc.co.uk/news/world-europe-16265665

The following error was encountered:

Unable to determine IP address from host name for www.bbc.co.uk

The DNS server returned:

Timeout

This means that:

 The proxy was not able to resolve the hostname presented in the URL. 
 Check if the address is correct. 

test

hi i have completed the

hi

i have completed the installation .  when setting up my browser for using proxy, i am getting the messages

The requested URL could not be retrieved

While trying to retrieve the URL: http://www.bbc.co.uk/news/world-europe-16265665

The following error was encountered:

Unable to determine IP address from host name for www.bbc.co.uk

The DNS server returned:

Timeout

This means that:

 The proxy was not able to resolve the hostname presented in the URL. 
 Check if the address is correct. 

test

Set a client to use the same DNS server(s) as SWG then test try an NS lookup from the client.

my client and the dns server of the SWG are the same.  i have try nslookup and is fine.

hi guys,

please help...still not working..i need to make it work urgently

Can the SWG reach threatcneter? This test can be found in Adminstration -> configuration -> Network. There is a test connection to threat center.

If not you have a networking issue that prevents it from connecting to the internet.

i cannot connect to the threat center or perform an update but the Content Filter Version has been updated

Content Filter Version 5.32060 (installed at 01/26/12 12:34:28)

LAN and Management port should have connection to the internet. is the SWG able to ping sites such as google.com with the lan and management ports?

Now i am able to get update.

Something is not clear.is the web gateway in the inline + proxy mode work as proxy server?

do i need to configure my asa to allow the mgtm port to get access to the internet.have you seen the network topology?

my current config is

inline ip address : 192.9.227.202

inline gateway : 192.9.227.125

mgmt ip address : 192.9.200.202

mgmt gateway : 192.9.200.125

all my pcs are in the subnet 192.9.227.x

with the above config i test connection to symantec threat center unsuccessfully

but last week we swap both set of addresses that is

inline ip address : 192.9.200.202

inline gateway : 192.9.200.125

mgmt ip address : 192.9.127.202

mgmt gateway : 192.9.127.125

and we could test the sym. threat center. successfully

i am quite confused now

What operating mode do you have the SWG configured in?  If using "Inline+Proxy" can you confirm what you have the WAN port connected to?

THANKS

--iNLINE + pROXY

--CURRENTLY WAN IS CONNECTED TO AN ASA. - 192.9.227.125

INLINE IP - 192.9.227.202

INLINE GATEWAY - 192.9.227.125

MGT IP 192.9.200.202

MGT GATEWAY - 192.9.200.125 (NOT SURE WHAT TO PUT)

I AM NOT ABLE TO CONNECT TO THE THREAT CENTER...

WHEN CONFIGURING THE WEB BROWSER I AM NOT CONNECT TO ANY WEB SITE ..FOLLOWING MESSAGES

 The proxy was not able to resolve the hostname presented in the URL. 
 Check if the address is correct. 

PLEASE FIND ATTACHED NETWORK TOPOLOGY

Attachment(s)

Network topology_1.pdf   75 KB 1 version

Can you advise what IP addresses you're using for the DNS Servers and confirm if they can be contacted by both the Inline and MGMT interfaces.

Oh, and please review the below article on the requirements behind the 'separate managment and inline interfaces' option:

http://www.symantec.com/docs/TECH158913

This would indicate you have something with your network configuration you must resolve. We can tell you what we need but not how to configure your network. Both ports Management and Inline should be able to access the internet.