Virtual Secure Web Gateway

  • 1.  Symantec Web Gateway Virtual Edition

    Posted Jan 11, 2012 12:12 PM

    Hello all

    I am in the process of installing and configuring SWG-VE in our sandpit as a proof of concept but as of yet am unable to get it to work.

    Only interested in the Proxy functionality so have set mode to be Proxy + Monitoring

    Have set the NIC1 Management interface to a virtual switch (promiscuous mode turned on and connected to port group called Management). I can access the web console fine with an IP of x.x.1.250 (/24)

    I have set NIC3 the LAN interface to the same virtual switch with a port group called LAN and IP of x.x.0.250. Through SWG I can ping all gateways and servers as required.

    Now I want to route upstream to an internal ISA proxy server. I have added the IP, which resolved correctly to the ISA server in the 'Servers' config tab (ISA IP: x.x.0.3) (In the live environment this will be an external proxy but would think that the concept of routing to an upstream proxy would be the same)

    I have set the appropriate ports (8080) also in the 'Proxy' tab but proxy access via SWG doesn't seem to work and I can't find anywhere else to add an upstream proxy server. In the Proxy tab at the bottom, you can specify an external proxy server to use with Symantec Threat Center, and when I enter x.x.0.3 here, it connects to the internet fine. I also used Wireshark and can see that when a client is using the SWG proxy, the SWG server is accepting the connection but then trying to get access directly to the internet, without going through the internal upstream proxy.

    Bit stuck now - any ideas?

    Many Thanks

    Lee



  • 2.  RE: Symantec Web Gateway Virtual Edition

    Posted Jan 11, 2012 03:32 PM

    We do not support chaining of proxy servers.



  • 3.  RE: Symantec Web Gateway Virtual Edition

    Posted Jan 12, 2012 03:53 AM

    Thanks for the reply but I am slightly confused. Your Symantec Web Gateway (SWG) - Best Practices: New Deployments Article: TECH144596 states that "When an external proxy is used to connect to the internet instead, it should be placed upstream of the SWG. The appliance must be properly configured to analyze that traffic and the proxy must not block any of the required ports and URLs."

    I just want to use the internal ISA as the upstream proxy, for testing in the sandpit anyway. Will this not work?

    In the live environment, we intend to use an external proxy anyway so will this configuration work?

    Thanks



  • 4.  RE: Symantec Web Gateway Virtual Edition

    Posted Jan 12, 2012 05:14 AM

    Proxy chaining isn't supported. If there are proxies between PCs and the cloud you can't use SWG in proxy mode, it won't work. You should set up SWG in Inline mode. For the physical topology, use the admin guide: Inline mode with external proxy.

    Regards,

    Viktor



  • 5.  RE: Symantec Web Gateway Virtual Edition

    Posted Jan 12, 2012 05:36 AM

    Hi,

    If you want to use an external proxy then SWG should be set in Inline Mode (not Inline + Proxy) and you must configure your external proxy under "Servers" and set the SWG to analyze that traffic. Just bear in mind there are some limitations because of running an external proxy vs. SWG's own.

    In any case, if you want to use an upstream ISA server proxy, that is OK; it should work fine.

    HTH,

    Federico



  • 6.  RE: Symantec Web Gateway Virtual Edition

    Posted Jan 12, 2012 06:21 AM

    Thanks for the replies. So just to confirm, if I want to use an external upstream proxy server, then I set mode to Inline and configure the ISA under 'Servers' but crucially the SWG would not act as a proxy server itself, just provide blocking / Inline functions?



  • 7.  RE: Symantec Web Gateway Virtual Edition
    Best Answer

    Posted Jan 12, 2012 06:56 AM

    Yes, correct.

    Federico