Video Screencast Help

SWG with ISA Firewall with proxy

Created: 08 Feb 2010 • Updated: 28 Oct 2010 | 12 comments
cemilebaşak's picture

Hi;

I faced an interesting problem while implementaion of SWG.

I the envirement there were an ISA firewall with  changed proxy on the same machine.

When I try to put SWG with inline mode. Only the applicaiton traffic detected. But no content or url traffic detected. I implement the SWG in the following mode.
swg.JPG
Are their any other thing I need to do?

Regards.

Discussion Filed Under:

Comments 12 CommentsJump to latest comment

KevK76's picture

Hi Cemile,

A few questions.

From the diagram above I gather there is a cable running from the core switch in the environment to the LAN port of the Web Gateway and then a cable running from the WAN port of the Web Gateway to the firewall/proxy which is then linked to the internet?

Have you purchased and installed the url filtering license?  If so have you checked the 'Enable Content Filter' box on the Administration -> Configuration -> Modules page of the Web Gateway?  Have you also defined the Internal Networks in the enviroment(This is done by using the 'Add a Network' button under Internal Network Configuration on the Administration -> Configuration -> Network page of the Web Gateway?

Cheers,

Kevin

Sergi Isasi's picture

It sounds to me that since we are only seeing Application Traffic, we may not be seeing any traffic from the ISA proxy, but only non HTTP traffic.  This is just a hunch though.

In addition to Kevin's questions - Where does the ISA sit in your environment?  Is it possible to see a simple network diagram with the Users, Proxy, Firewall, Switch, and Web Gateway?

Thanks much.

SI

Senior Product Manager - Web Gateway

cemilebaşak's picture

Thanks;

I did all the thing that Kevin ask for.

swg.JPG
As you show in the figure the inside interface of the ISA firewall connect to the wan port of the SWG and the lan port of SWG connect to the switch. The only difference is that there were no separate management port.

Thanks.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if its help you.

Sergi Isasi's picture

OK so we should be seeing all of the traffic then.  Have you told SWG what ports your normal ISA HTTP traffic is using?  This is in the Admin -> Configuration -> Proxy Tab.

SI

Senior Product Manager - Web Gateway

cemilebaşak's picture

I add the used port both 80 and 8080 for isa proxy. But no change.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if its help you.

Sergi Isasi's picture

This may be best done via Support, but the next step for troubleshooting is to see copies of your Policy, Policy Configuration and Whitelist pages.

Senior Product Manager - Web Gateway

cemilebaşak's picture

Ok. Today I am on the customer site and I will send it to you.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if its help you.

cemilebaşak's picture

PoliciesConf1.pngNetwork2.png

Network1.png
Proxy.png

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if its help you.

Sergi Isasi's picture

OK a couple of questions based on the above:
1)  Is all user traffic from a 10.0.x.x. address?  Right now SWG is configured to only look at that network.
2)  Is all user traffic on port 80?  Right now SWG is configured to believe that port is the regular HTTP port.
3)  It does not look like any static routes are created.  That could be problematic for configuration in this environment if there are any PCs not on the 10.0.x.x Network.
4)  I cannot see your configuration for Content Filter Policies - those would be helpful.
5)  According to the NIC interfaces, only the LAN NIC is up.  It does not seem as though this SWG is connected properly to the network.

Again at this level, I would strongly recommend contacting Support as these issues are likely down to a specific set of configuration parameters for your environment.  They could best assist in squaring away what the problem is as quickly as possible.

SI

Senior Product Manager - Web Gateway

cemilebaşak's picture

Hi Sergi;

1) Yes all the traffic from 10.0.x.x. And also I add this network to internal network list.
2) The proxy port is 80 and the only http port is 80
3) There were no other traffic rather then 10.0.x.x because of that I didnot need to define any static route.
4) For the configuration of Content policy. All the conent filtering catogory config for monitor. Only for antivirus part is block.
5) WAN link was down because I only open the device for take the screen shots.

Thanks for your interest.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if its help you.

Sergi Isasi's picture

Cemile,

Last couple of things I would suggest checking:
1) What Content Filter Version (Updates -> Content Filter Version) are you running?
2) Should not make a difference, but try checking the 'Bypass Whitelist for Content Filter' box in the Administration -> Modules section of the GUI.
3) Does your whitelist have any entries in it?

At this point, I'd say you should contact support so we can troubleshoot your case directly on your appliance.

Senior Product Manager - Web Gateway

DerekJ's picture

Did you get you setup working? I also would like to implement the same setup with an ISA server 2004 firewall /proxy.