Virtual Secure Web Gateway


  • 1.  SWG 5.1

    Posted Feb 03, 2014 08:56 AM

    When configuring SWG 5.1, where do I have to give the IP address for the WAN interface?

    The only option which I can see is LAN/WAN.

    What if I have to set separate IP addresses for the LAN and WAN interfaces?

    Please reply, waiting.

     

    regards,



  • 2.  RE: SWG 5.1

    Posted Feb 03, 2014 11:53 AM

    There is no separation of the WAN/LAN interfaces in the SWG Appliance, they act as a single device (which they effectively are, due to the special NIC used for the Inline behaviour).

    The only separation options are between the Management and Inline interfaces.

    Can you describe your scenario, and why you need to provide different IP addresses?



  • 3.  RE: SWG 5.1

    Posted Feb 03, 2014 01:08 PM

    Thanks, but I am implementing it in the virtual environment (ESXi 5). If I implement it in the inline + proxy mode then I need to have 3 dedicated NICs along with three virtual LAN switches created and mapped for them, and if I go with the proxy mode then I only need to have two, LAN\WAN and MAN interfaces; they should be on a different subnet with distinguished gateways and with dedicated NICs. Correct me if I am wrong please.

    Now the scenario which I am facing is that there is a core switch connected to the two SWGs and then those two SWGs are being connected to TMG. Previously users were having the LAN address of the TMG as their proxy address in their browser, but now since SWG is being deployed that TMG inline interface address is switched to the SWG's inline interface address so that there should not be any changes being made to the users.

    TMG is there and shouldn't be moved because it is doing consolidation for 3 ISPs for redundancy with the SWG. Now I am wondering which IP address I should use on the WAN interface of the SWG that is connecting to the TMG. Please suggest.

    Regards,



  • 4.  RE: SWG 5.1

    Posted Feb 03, 2014 01:11 PM

    Are you there?



  • 5.  RE: SWG 5.1

    Posted Feb 04, 2014 03:37 AM

    Soooo, the first thing to be clear on is which implementation mode you're hoping to use. Two very important points are worth bearing in mind:

    1. SWG does not support proxy chaining. When using the SWG as a proxy, it has no option to then use the TMG as an additional proxy either before or after the SWG.
      http://www.symantec.com/docs/TECH192087
    2. The Virtual SWG does not support Inline mode (but it should work)
      http://www.symantec.com/docs/TECH183599

    What this means is, if you want to use the SWG as a proxy, then Symantec recommend it as a replacement for the TMG rather than an additional hop. If you want it Inline, then the client machines remain pointing at the TMG, but you connect the LAN/WAN pair in front of or behind it. Check out the articles below for some more info on the Inline implementation options:

    http://www.symantec.com/docs/TECH123371
    http://www.symantec.com/docs/HOWTO54113



  • 6.  RE: SWG 5.1

    Posted Feb 04, 2014 05:36 AM

    I can use either proxy mode or inline + proxy mode; these are the two options. But as I was implementing it today the IP connectivity could not be established.

    Two web gateways will be installed pointing to two different TMGs. TMGs can't be removed because they are doing redundancy and consolidation for two different ISPs. So the environment is that two web gateways are deployed with a single CIU connecting to two different TMGs.

    Secondly there is a query: how would the SWG point the outbound traffic to the TMG so that it can be routed to the internet in this scenario?



  • 7.  RE: SWG 5.1

    Posted Feb 04, 2014 06:10 AM

    This is the scenario.

    SWG1 > TMG2 > Internet with two different ISPs

    SWG2 > TMG2 > Internet with two different ISPs

    Proxy mode will be implemented, TMG IP will be applied to the SWG's inline interface so that no change should be done on the clients. How would the SWG send the traffic to the TMG so that it can be routed on the internet? There are access rules applied on the TMG (IP, user); how is it gonna affect the SWG?

     

    regards,



  • 8.  RE: SWG 5.1
    Best Answer

    Posted Feb 04, 2014 09:11 AM

    As I stated earlier, you cannot use the SWG as part of a proxy chain. This means that if you assign current TMG IP addresses to the SWGs' LAN interfaces and use them as proxies, then the SWGs must go directly out to the internet afterwards.

    Core Switch -> SWG -> Out

    If you are keeping the TMGs, then the only available deployment option sounds like the Inline mode (which, as I mentioned, is unsupported in the virtual SWG), and it should be placed either before or after the TMG without changing the TMGs' IP addresses.

    Core Switch -> SWG -> TMG -> Out
    Core Switch -> TMG -> SWG -> Out

    In both cases, the clients use the TMG as a proxy, and are not aware of the SWGs in Inline mode. This also means that the SWGs cannot perform SSL Deep Inspection.



  • 9.  RE: SWG 5.1

    Posted Feb 04, 2014 09:21 AM

    Client cannot remove the TMGs from their setup because they are doing consolidation and redundancy for two different internet service providers.

    Can't I use the first scenario in which traffic first goes to the SWG, which is working either in the proxy mode or inline + proxy mode, and then towards the TMG?



  • 10.  RE: SWG 5.1

    Posted Feb 04, 2014 09:22 AM

    TMG is only used for the redundant internet connectivity.



  • 11.  RE: SWG 5.1

    Posted Feb 04, 2014 09:30 AM

    Is inline mode not supported and applicable in a virtual environment?



  • 12.  RE: SWG 5.1

    Posted Feb 04, 2014 09:43 AM

    I'd recommend reading the articles I posted earlier. The second confirms that the Inline and Inline+Proxy modes are not supported when using a virtual SWG.

    I'd hazard a guess this has something to do with Symantec having no control over the NICs present in the host, so any failure will break the link, whereas the SWG physical appliances use special NICs that allow them to fail open.



  • 13.  RE: SWG 5.1

    Posted Feb 05, 2014 02:12 AM

    Thanks for your help, I really appreciate it. I have read the provided articles.

    So what do you suggest I should do in the current scenario with TMG, as it can't be replaced, because there are different ACLs configured for the end users based on their IPs and usernames; end users are also using different proxy clients, so how is it gonna affect the proxy clients? And it is doing redundancy for the internet as I have told you before. As per my understanding I can't implement Proxy or Inline + Proxy in the current scenario. Is this the case?

    Secondly, if I go with the inline mode with the SWG between the core switch and the TMG, is this gonna go well in this scenario? I know inline mode is not supported in the virtual environment because of the bypass mode, but as of now I am not really much bothered about the bypass functionality. If implemented in the inline mode, is SWG gonna work in the current scenario?

     

    regards,



  • 14.  RE: SWG 5.1

    Posted Feb 05, 2014 03:46 AM

    You cannot use the SWGs' proxy function, as it doesn't support proxy chaining (i.e. you cannot tell clients to use the SWG as a proxy, then tell the SWG to use the TMGs as proxies). This means, strictly speaking, you could potentially implement it in Inline+Proxy mode, but you can only use the Inline functionality.

    As it stands, Symantec state that Inline mode on a virtual SWG should work fine, but is not supported.

    What this means in a practical sense is that, as the fail-open NIC is unavailable, any problems in the SWG will cause a loss of connection. How it affects your environment will depend on where you place the SWGs (i.e. before or after the TMGs).



  • 15.  RE: SWG 5.1

    Posted Feb 05, 2014 05:22 AM

    Thanks for the reply. It will be placed before the TMGs. In inline + proxy mode will I lose the functionality of the proxy, like decrypting the SSL and encrypted traffic etc.?

    What if I implement it in the inline mode only? Then I would be needing 3 physical NICs mapped to their associated virtual LAN switches, i.e. LAN, MAN and WAN, on different subnets with their distinguished default gateways?

    Now when the traffic from the hosts comes to the SWG, how would it know that it will be sent to the upstream TMG so that it can be sent onto the internet? Do I have to configure some sort of routing on the SWG so that it sends the traffic to the TMG? How would the SWG know to send all the traffic to the TMG after doing all the configured filtering?

    This part is a bit confusing for me. I would be really thankful to you if you can clarify. Thanks.

    regards,



  • 16.  RE: SWG 5.1

    Posted Feb 05, 2014 05:57 AM

    You are correct that without the proxy function, you cannot perform SSL Deep Inspection, and that the Virtual SWGs will require 3 NICs each for Inline mode.

    As far as the configuration goes, and assuming you go for Inline only mode, then only 1 IP address is required (2 different IP addresses is optional).

    The SWG Inline mode enables an innate function to pass everything it sees via the LAN interface out the WAN interface, and vice versa.

    Feel free to contact us via PM or our website in my signature if you'd like more help, we're always happy to assist other partners.



  • 17.  RE: SWG 5.1

    Posted Feb 05, 2014 07:53 AM
    Being said that, Inline mode requires three NICs, and LAN, WAN and MAN should be on three different subnets with distinguished gateways, so why does it require and can work on a single IP address? How does it work in this mode without giving an IP to the WAN interface; how does it know it has to go to the next hop, TMG in this case? This part confuses me.



  • 21.  RE: SWG 5.1

    Posted Feb 05, 2014 08:10 AM

    The LAN/WAN pair is essentially just a repeater. Whatever it receives on one interface, it outputs on the other. This functionality has no need for IP addresses.

    All the SWG is doing is scanning the traffic before it's repeated on the other side (LAN -> WAN or WAN -> LAN). As such, the SWG is invisible to the clients and the TMG, and only really makes itself known if it blocks something.

    The IP address requirement is more for the Management Web Console and block pages, not for feeding traffic through the SWG (the physical cabling does that).



  • 22.  RE: SWG 5.1

    Posted Feb 05, 2014 08:47 AM

    Alright, it makes more sense now SMLatCST, thanks for the clarification, I really appreciate it.

    Now one more thing which I would like to ask you: I am going to implement inline mode in a virtual environment; when doing this it is gonna essentially do the same thing as the physical appliance does. I have to just do the correct cabling on the ESXi, map the three physical NICs LAN, WAN and MAN to their appropriate virtual LAN switches. Ideally I can give the IP addressing only to the MAN interface in the SWG console; if I want then I can also configure the LAN\WAN interface addressing in the console, but if I don't give the LAN\WAN IP it will still work.

    Lastly, just connect the WAN port cable on the SWG to TMG and it will work? Correct me if I am wrong.

    regards,



  • 23.  RE: SWG 5.1

    Posted Feb 05, 2014 08:54 AM

    Yeah, that's pretty much it in a nutshell. There's some fiddling required on the VMware side regarding the NICs, and you'll need a crossover cable for some of the cabling, but all the info is in the SWG documentation.

    Just to warn you as well, the single IP address (if you so choose to configure the SWG) will be available on both the MGMT and LAN interfaces, so don't be surprised if the web console is still available when the MGMT interface is not plugged in.

    #EDIT#

    And as I mentioned, we have a lot of SWG experience over here, and are happy to work with and support other partners if you feel it would be of benefit. Contact details are available via our website.



  • 24.  RE: SWG 5.1

    Posted Feb 05, 2014 08:55 AM

    The issue which I faced yesterday while implementing this was that I could not establish IP connectivity, though I could access the management interface fine; it was the LAN interface that was causing the issue, so I wasn't able to do it.



  • 25.  RE: SWG 5.1

    Posted Feb 05, 2014 09:52 AM

    Does the additional information help then? Hopefully, with the NIC settings and crossover cable in place you can get this all working.



  • 26.  RE: SWG 5.1

    Posted Feb 05, 2014 10:51 AM

    Crossover between LAN and WAN ports, or WAN and TMG?




  • 30.  RE: SWG 5.1

    Posted Feb 05, 2014 10:58 AM

    The articles in my second post provide further info on where the crossover cable is connected (typically between the SWG LAN interface and the switch).



  • 31.  RE: SWG 5.1

    Posted Feb 06, 2014 01:18 PM

    So what I have concluded is that in the inline mode I just give the management IP the proper addressing. I can optionally give the LAN interface addressing, but if I don't then it won't be a problem? Connect the correct cabling, i.e. Switch > SWG and SWG > TMG, and it would work just fine?

    regards,



  • 32.  RE: SWG 5.1

    Posted Feb 06, 2014 01:20 PM

    Actually the other guy will be doing the VMware part settings and he is a bit hesitant in enabling the promiscuous mode.
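The VMware-side "fiddling" mentioned earlier in the thread comes down to the vSwitch security policy; the script below is an added example (not from the thread, Symantec or VMware documentation) that parses the policy of a vSwitch carrying one of the SWG's inline NICs and prints the esxcli command that would make it bridge-friendly. The "Key: value" layout of the policy output and the vSwitch name vSwitchWAN are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Symantec/VMware documentation: check
# whether an ESXi standard vSwitch carrying the virtual SWG's LAN or WAN NIC has
# the security policy a transparent inline bridge VM commonly needs (promiscuous
# mode, so the VM receives frames not addressed to its own MAC, plus MAC address
# changes and forged transmits, so it can re-emit those frames unmodified).
# The "Key: value" output layout of "esxcli ... policy security get" and the
# vSwitch name vSwitchWAN are assumptions; adjust them for your host.

# policy_value <output> <key>: print the lowercase true/false value of one policy line
policy_value() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 ~ k { gsub(/[ \t]/, "", $2); print tolower($2) }'
}

# inline_policy_ok <output>: exit 0 only if all three settings are enabled
inline_policy_ok() {
    for key in "Allow Promiscuous" "Allow MAC Address Change" "Allow Forged Transmits"; do
        [ "$(policy_value "$1" "$key")" = "true" ] || return 1
    done
    return 0
}

# fix_command <vswitch>: print the esxcli command that enables all three settings
fix_command() {
    printf 'esxcli network vswitch standard policy security set -v %s' "$1"
    printf ' --allow-promiscuous=true --allow-mac-change=true --allow-forged-transmits=true\n'
}

# Constructed sample output, as a WAN-side vSwitch might report before the change.
# On a real host use: esxcli network vswitch standard policy security get -v vSwitchWAN
SAMPLE_BAD='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

if inline_policy_ok "$SAMPLE_BAD"; then
    echo "vSwitchWAN: policy already allows inline bridging"
else
    echo "vSwitchWAN: promiscuous mode is off, so the SWG VM will not see transit frames; apply:"
    fix_command vSwitchWAN
fi
```

Run the same check against each vSwitch the SWG's LAN and WAN NICs are mapped to; the MGMT vSwitch needs none of these settings.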