SWG - Proxy chain

Created: 02 Nov 2011 | 9 comments
viktor.nagy | 0 Votes

Hi All!

Is proxy chain at SWG supported? One of our customers wants to place SWG between two proxies (Hosts -> Proxy1 -> SWG -> Proxy2). Is there any solution for that?

Thanks in advance!

Regards,

Viktor

Comments

BenDC | 02 Nov 2011 | 2 Votes +2

You should be able to configure this to work. However, if all traffic to SWG is coming from another proxy server, the SWG will not be able to track individual workstations or users if you have configured the LDAP integration. The easiest way would likely be to put SWG into inline mode and place it between the two proxy servers.

viktor.nagy | 02 Nov 2011 | 0 Votes 0

The problem is:

Proxy1 and Proxy2 are in different countries (and the SWG can be installed at the location of Proxy1). Any other option to chain them?

Thanks in advance!

Viktor

BenDC | 02 Nov 2011 | 1 Vote +1

I don't know why you would want to chain proxies with SWG.

SWG in inline mode will simply monitor traffic passing through the LAN/WAN ports, and does not do routing.

viktor.nagy | 02 Nov 2011 | 0 Votes 0

Our customer has the following proxy chain topology now:

Hosts -> Proxy1 in country1 -> Proxy2 in country2 -> Proxy3 in country2 -> WWW

They want to add an SWG into the chain between proxy1 and proxy2. I know that inline mode would work if we put it between the hosts and proxy1, but what to do if our customer wants to chain it between proxy1 and proxy2?

The other problem is that our customer wants to configure DLP integration too, so we will need inline + proxy mode instead of inline mode.

BenDC | 02 Nov 2011 | 2 Votes 0

DLP will only work on proxy mode connections to SWG, not regular inline.

SWG can be configured to use a proxy as well, so chaining the proxy servers should be possible. It may be worthwhile to get a consultant to help with the configuration and setup.

KevK76 | 02 Nov 2011 | 4 Votes +4

Proxy Chain

Hey Guys,

Just wanted to clarify that although the Web Gateway can be run as a proxy it can't be chained and traffic that hits the Web Gateway proxy needs to be destined for the internet and not another proxy in a chain.

Cheers,

Kevin

BenDC | 02 Nov 2011 | 2 Votes 0

Good to know. Thanks again Kevin.

viktor.nagy | 03 Nov 2011 | 0 Votes 0

And what's the solution, if our customer's internet traffic comes from another proxy and if they want to use SWG with DLP?

viktor.nagy | 11 Nov 2011 | 0 Votes 0

Anybody? Any idea?