Virtual Secure Web Gateway

Hello all,

I need your suggestions and advice for the Deployment design of SMG . Design Digram is attached please provide me with the suggestions that can SWG be deployed in the following envoirment or not. It is kinda urgent , waiting for your kind replies

regards,

Any 1 ? Symantec people ?

At a high level that looks fine. It's clearly missing lots of IP addresses and further detail, but I'll assume you have those in order.
I still don't understand why you insist on Inline+Proxy and not just Inline Only?  IIRC, your client machine must use the TMGs as their proxy in your environment right?

Well clients will be using SWG as their proxy, TMG can't be removed becuase it is doing consolidation and redundency for difrrent ISP's

What kind of further details are missing ?

So if we back up a moment, are you now saying that the TMGs are no longer used as proxies, but as the gateways instead?

Yes in the future TMG wont be used as proxies.

Looks fine to me.  Though I find it a bit odd both SWG's are using teh same gateway IP, when they are connected to different gateway devices

Both SWG will be deoyed on the same ESXi server machine

I need 6 physical NIC's on the same ESXi machine for both SWG's for their respective LAN,MAN and WAN interfaces which will be mapped to their virtual LAN Switches ?

Yup, that's what Symantec recommend

Is chain of proxy recommended ? as you can see in the attached document.

As I mentioned in your other thread (below), the SWGs cannot be used as part of a proxy chain I'm afraid.

https://www-secure.symantec.com/connect/forums/swg-51#comment-9764491

thanks , now in my diagram should i replace TMG as proxy or use SWG as inline mode ?

I'm afraid I have insufficient information to provide a suggestion, and is the kind of thing I'd normally cover in a workshop session.

That said, Inline should work fine, it just won't be supported because of the use of the virtual SWG.

thanks, If I am using SWG in an inline mode then how can I tell the SWG to use an external proxy TMG in this case ? Do I have to define static route in SWG to use TMG as the next hope for outbound traffic ?

Regards,

what does this  option do

"Use proxy for Web Gateway secure communication(SSL) with Symantec Threat Center"

The SWG currently can only use an external proxy for its own downloads (threat info, defs and DB updates), and not for routing users' web traffic.

As far as Inline mode goes, the SWG doesn't do any routing of user traffic, it just repeats the traffic from one interface out the other.  Therefore, it's down to whatever route the network device (whether that's the source machine, or router) thinks the packet should take.

What is the business reason for needing the Web Gateways to be inline? As SML stated, this is not supported in a virtual environment.

Is there a reason that you cannot use Span/Tap mode?

Span/Tap mode does not achieve the required functionality