Virtual Secure Web Gateway

Hi All,

        We are installing Symantec Web Gateway and I am new to this product and I have some queries...

We have two SWG appliances and in our environment we have two proxies and two firewalls. We opted for fig2.2 in implementation guide but I am confused how the traffic flows. Now in the end users systems, we have proxy info in the browser but if we use this method do we need to change the proxy info to web gateway info in the users browsers.Please explain how the traffic flows ....

Is there any other solution so that the existin setup does not change much.The existing setup is that we have only proxy between corporate network and firewall an now we have Web Gateway in between.We are planning to use both eventhough Web Gateway 5.0 works as a proxy.

Thanks in Advance.....

Hi,

Please bear in mind there are not many details regarding your network environment here.

You should replace the current proxies with the proxy provided by SWG. In order to get most of the features I'd consider deploying the product in Inline + Proxy mode. 

Maybe the proxy IP address of SWG can replace the one used on your existing proxy?

Avoid creating a chain of proxies, is not supported and will cause issues.

Some other suggestions regarding deployment can be found here:

http://www.symantec.com/docs/TECH144596

Should you have any further question just let us know.

Federico

Thanks Federico for your response

We have proxy already running in production,we want to implement SWG only for web threats.Can we do in that way..?

Actually we have started implementing SWG 4.0 in which the feature of proxy was not available, so in order to have proxy,we had put the implementation of SWG on hold and implemented proxy.Now the version is upgraded to 5.0 and proxy is available.Now we are confused where to place the Web gateway in our network.So, Please suggest how to take this ahead....

Thanks in Advance.....

Hi, 

you can place SWG in inline mode downstream of the proxy and it should be able to check for malware via HTTP, but because of not taking advantage of the proxy some features won't be possible, like scanning for threats on HTTPS; this must be done via SWG's proxy.

To get the most, as mentioned before, I'd replace the current proxy with SWG running in Inline + Proxy if possible. If this is not possible, then probably Inline only would do well.

Federico

Hi,

Now If I want to continue in implementing the appliance which type of network connection I can go as provided in the Symantec web gateway Implementation guide.

Also can we create a virtual ip as we have two symantec web gateway appliances. If so where can we do that..? If we have virtual IP for both the appliances then we can easily provide that virtual IP in the users browsers setting so that we need to change the IP if any thing goes wrong with one of the appliances and setup...

Thanks in Advance....

Hi,

    we are planning to implement as fig 2.6 in implementation guide because the existing setup as it is in the diagram.Only thing is that the Symantec web gateway is coming in between proxy and the  core switch.Now do we need to made any changes in the network or browser setting of end users....?

As proxy in our environment is in failover mode, by implementing this does the environment get effected if any of the web gateway fails..?

Thanks in Advance...

Hi,

from what you mentioned is going to be SWG in Inline mode with an External Proxy. In that case, SWG will be downstream of the actual proxy and does not require any changes to the browser settings if the proxy maintains its settings untouched. 

You mentioned you have 2 proxies. Are you deploying a SWG downstream of each proxy host or just one SWG downstream of the virtual IP?

Federico