ProxySG First Steps: Deploying an Explicit Proxy

Transcription

ProxySG First Steps: Deploying an Explicit Proxy
Blue Coat Security First Steps
Solution for Deploying an Explicit Proxy
SGOS 6.5
Third Party Copyright Notices
© 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE,
POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS
APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the
Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of
Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the
absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using
the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective
owners. This document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN
THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA
REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS,
REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN
OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND
REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES,
PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER
IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
Blue Coat Security First Steps
Contents
Solution: Deploy an Explicit Proxy
4
Set Up an Explicit Proxy
5
Set Services to Intercept - Explicit Proxy
6
Explicit Proxy Services
6
Manually Configure Explicit Proxy Settings in the Browser
Download Explicit Proxy Settings from a PAC File
7
12
Edit the Accelerated PAC File
12
Deploy the PAC File from the ProxySG Appliance
13
Serve the PAC File from a Web Server
14
Specify the PAC File Location in the Browser
15
Allow Browsers to Auto-Detect Settings
20
Test Explicit Client Connections
21
List Active Sessions for a Proxy
23
Explicit Proxy Troubleshooting
24
Why are users experiencing slow browser performance?
24
Why are browsers connecting with outdated PAC settings?
24
Why are requests connecting directly instead of being redirected to proxy?
24
3
Deploy an Explicit Proxy
Solution: Deploy an Explicit Proxy
You can configure every client workstation in your network to direct their web requests to the ProxySG appliance. This
deployment type is called explicit proxy. After a client is configured for explicit proxy, all user requests are sent to the appliance rather than to the origin content server (OCS) . The appliance then determines whether to allow or deny the request
based on web access policy.
Note: You can configure user agents such as browsers, e-mail clients, FTP clients, and client-side
applications. Because browsers are by far the most widely used user agents in a typical network, this solution covers how to configure them for explicit proxy.
For allowed transactions, the appliance either services the user's request from a cached version of the page stored on the
appliance's disk, or it connects to the OCS to retrieve the content to cache and serve to the user.
Example of explicit proxy traffic flow - request allowed
1. A user enters a URL in the browser's address bar. (This browser has already been configured to send traffic to the
appliance explicitly.)
2. The browser connects to the proxy service and sends the user request. The destination IP address is that of the
ProxySG appliance.
3. The appliance examines the request details (client IP, username/group if configured, URL, path, category) and
compares them against allow and deny policy. Based on proxy service and policy settings, the appliance allows
this request.
4. The ProxySG forwards the user's request to the OCS. The source IP address of the request is that of the
appliance.
5. When the OCS responds, the appliance adds the content to its cache and forwards the response to the user.
Example of explicit proxy traffic flow - request denied
4
Blue Coat Security First Steps
1. A user enters a URL in the browser's address bar. (The browser has already been configured to send traffic to the
appliance explicitly.)
2. The browser connects to the proxy service and sends the user request. The destination IP address is that of the
ProxySG appliance.
3. The appliance examines the request details (client IP, username/group if configured, URL, path, category) and
compares them against allow and deny policy. Based on proxy service and policy settings, the appliance denies
this request.
4. The appliance sends the user an exception page providing details on why the request was denied.
Whether an explicit deployment is appropriate for your organization could depend on business and security policy. You
should analyze your requirements to determine if explicit deployment is appropriate for you. For example, the deployment
type that best suits your needs could depend on whether your organization has a "bring your own device" (BYOD) policy.
To configure your network for explicit proxy, select a method to perform to deploy proxy settings to users, and then verify
that client connections are proxied explicitly.
1. Set Up an Explicit Proxy.
2. Test Explicit Client Connections.
Set Up an Explicit Proxy
To set up your network for an explicit proxy, configure the SSL proxy service (if required), and then select one or more
methods to deploy proxy settings to the users in your network.
1. Configure the Explicit HTTP services to intercept. See Set Services to Intercept - Explicit Proxy for instructions.
2. Make sure that clients can access the Internet only by going through the appliance. Configure the firewall to restrict
outbound access to ports 80, 443, and 21 to the appliance's IP address.
Refer to your firewall documentation if you require more information.
3. Determine which method to use to set up the explicit proxy; refer to the following table.
5
Deploy an Explicit Proxy
Method
Might be appropriate if...
Configure browsers with the IP address and
port of the ProxySG appliance.
l
l
Download Proxy Auto-Configuration (PAC)
information from an internal web server or
load the file directly on the appliance.
Configure the appliance to automatically
detect explicit proxy settings.
l
l
l
Your network is not too complex or
the number of client devices is not
very high.
Refer to this topic
Manually Configure
Explicit Proxy Settings in the Browser
Some users occasionally use
laptops or other devices that
cannot download settings from an
internal web server.
Your network has many devices or
is complex.
All devices in your network are
subject to the same policies and
proxy configuration.
Download Explicit
Proxy Settings from a
PAC File
You want to avoid complex manual Allow Browsers to
configuration.
Auto-Detect Settings
Tip Depending on your network configuration and users' requirements, you might want to use more than one of the
methods described above to deploy proxy settings. For example, you could use a PAC file for all client workstations in the network, but have users manually configure the browsers on their laptops.
Set Services to Intercept - Explicit Proxy
For explicit proxy deployments, client browsers direct all traffic to the appliance on the same port, (typically 80 or 8080).
When explicit traffic is intercepted, the appliance uses an advanced protocol detection method to identify the type of
traffic, (HTTP, HTTPS, RTMP, and so on) and handle it according to the standards for that traffic.
Explicit Proxy Services
1.
2.
3.
4.
5.
In the Management Console, select Configuration > Services > Proxy Services.
Under Predefined Service Groups, expand the Standard group. A list of services displays.
Locate Explicit HTTP, select it, and click Edit Service.
Enable Detect Protocol.
Under Listeners, set the explicit proxy ports (8080 and/or 80) to Intercept.
6
Blue Coat Security First Steps
6. Click OK and Apply . The appliance confirms your changes.
Manually Configure Explicit Proxy Settings in the Browser
To set up an explicit proxy using the browser, configure the ProxySG appliance as the proxy server in each client browser.
In a typical setup, enter the appliance's IP address and port on which the appliance listens for traffic (by default, 8080).
Select the appropriate browser for instructions. If users use a different version, instructions might differ slightly.
Microsoft Internet Explorer version 8.x
1. Open Internet Explorer.
2. Select Tools > Internet Options > Connections > LAN settings. You might have to make the Command Bar
visible first.
The LAN Settings window appears.
7
Deploy an Explicit Proxy
3. Under Proxy server, select the option to use a proxy server.
4. In the Address field, enter the ProxySG IP address/hostname.
5. (If applicable) In the Port field, enter the port (for example, 8080).
6. Click OK > OK.
Mozilla Firefox version 24.0
1. Open Firefox.
2. Select Tools > Options > Advanced > Network > Settings.
8
Blue Coat Security First Steps
3. On the Connection Settings dialog that appears, select Manual proxy configuration.
4. In the HTTP Proxy field, enter the ProxySG IP address/hostname.
5. (If applicable) In the Port field, enter the port (for example, 8080).
6. Click OK > OK.
Google Chrome version 30.x
1.
2.
3.
4.
Open Chrome.
Select Settings. If the option is present, select Show Advanced Settings.
Under Network, click Change proxy settings. The Internet Properties window appears.
On the Connections tab, click LAN settings.
The LAN Settings window appears.
9
Deploy an Explicit Proxy
5. Under Proxy server, select the option to use a proxy server.
6. In the Address field, enter the ProxySG IP address/hostname.
7. (If applicable) In the Port field, enter the port (for example, 8080).
8. Click OK > OK.
Apple Safari version 5.1.7 (Windows)
1. Open Safari.
2. Select the settings menu, selectPreferences, and then click Advanced.
3. Click Change Settings.
The Internet Properties pane opens.
4. Click LAN Settings.
The LAN Settings window appears.
10
Blue Coat Security First Steps
5. Under Proxy server, select the option to use a proxy server.
6. In the Address field, enter the ProxySG IP address/hostname.
7. (If applicable) In the Port field, enter the port (for example, 8080).
8. Click OK > OK.
Apple Safari (Mac)
1.
2.
3.
4.
Open Safari.
From the Apple menu, select Preferences.
From the Settings menu, select Preferences.
Click Advanced.
5. Beside Proxies, click Change Settings.
6. Click the Advanced button.
7. From the Apple menu, select Preferences.
8. (If necessary) Select your active network interface (usually Ethernet or Wi-Fi).
9. Select Advanced.
10. Click Proxies.
11. Select Internet & Wireless > Network.
12. Select Advanced > Proxies.
13. Click Web Proxy (HTTP).
14. Under Web Proxy Server, enter the ProxySG appliance IP address and port.
11
Deploy an Explicit Proxy
15. Click OK.
Next Step: Test Explicit Client Connections
Download Explicit Proxy Settings from a PAC File
You can specify that browsers download explicit proxy settings from a Proxy Auto-Configuration (PAC) file. A PAC file is
a JavaScript file that defines a FindProxyForURL function, which tells the browser to either redirect to a proxy server or
connect directly to the URL.
Two PAC files ship with the ProxySG appliance:
l
l
a read-only default PAC file, which specifies to use the appliance as the proxy server:
http://<ProxySG_IP_address>:<port>/proxy_pac_file
an editable PAC file, which specifies when to use the appliance as the proxy and which ports to use for specific
types of requests, as well as when to connect directly to the origin content server (OCS):
http://<ProxySG_IP_address>:<port>/accelerated_pac_base.pac
For information on configuring the PAC file, refer to http://en.wikipedia.org/wiki/Proxy_auto-config.
Next Step: Edit the Accelerated PAC File
Edit the Accelerated PAC File
You can use the basic Proxy Auto-Configuration (PAC) file that ships with the ProxySG appliance, but if you want to create custom PAC settings for your deployment, you can edit the accelerated PAC file.
12
Blue Coat Security First Steps
Caution: The PAC file is written in JavaScript. You should be familiar with JavaScript functions before attempting
to edit the file.
1. Download the PAC file from the appliance:
http://<ProxySG_IP_address>:<port>/accelerated_pac_base.pac
2. Open the PAC file in a text editor such as Notepad.
3. Edit the file as appropriate for your deployment.
If you are setting up the network for explicit proxy for the first time, it is a good idea to create a relatively simple
PAC file for testing.
Refer to this example of an edited PAC file. The PAC file contents in the example are as follows:
l
l
l
l
l
If the hostname matches yourdomain.com anywhere in the URL, redirect requests to 198.51.100.0; if the proxy
can't be reached, go direct
l
take the same action if the URL matches the specified ftp, images, or graphics URLs
If the request contains a Windows Media protocol (mms or rtsp) redirect to 198.51.100.1 or 198.51.100.2
respectively; if the proxy can't be reached, go direct
If the request is for streaming media on yourdomain.com, redirect to 198.51.100.3; if the proxy can't be reached, go
direct
If the hostname is not a fully-qualified domain name (FQDN), is an internal FQDN, or is any host in the
altyourdomain.com domain, go direct
If none of the previous conditions apply, redirect to 198.51.100.10; if the proxy can't be reached, go direct
After you edit the accelerated PAC file you can load it directly on the appliance; see Deploy the PAC File from the
ProxySG Appliance.
Alternatively, you can deploy PAC information in the following ways:
n
n
Serve the PAC File from a Web Server - Upload the file to an internal web server, and then download the file to the
appliance.
Specify the PAC File Location in the Browser - Upload the file to an internal web server, and then instruct users to
specify the URL to the file in the browser.
Deploy the PAC File from the ProxySG Appliance
Use this method if you plan to create your own PAC file and deploy it from the appliance.
1.
2.
3.
4.
5.
Open the edited PAC file in a text editor such as Notepad.
Edit the file as appropriate for your deployment and then copy the file contents.
Log into the ProxySG command line interface (CLI).
Enter enable mode.
In enable mode, enter:
#inline accelerated-pac EOF
#<PAC_file_contents>
#<eof>
where:
<PAC_file_contents> is the PAC file contents you copied in step 3; paste the contents here
<eof> is an end-of-file marker; choose one that does not match any string in the PAC file itself
6. The CLI responds ok.
n
n
Example of PAC file pasted in the CLI
13
Deploy an Explicit Proxy
For an explanation of the contents of the file in this example, see Edit the Accelerated PAC File.
Next Step: Test Explicit Client Connections
Serve the PAC File from a Web Server
You can upload the edited PAC file to your internal web server and then instruct the ProxySG appliance to download it
from the web server.
Note: Before proceeding, ensure that read permissions are set on the web server so the appliance can read the
PAC file.
In addition, configure the web server with one of the MIME types for PAC files:
application/x-ns-proxy-autoconfig
application/x-javascript-config
If the MIME type is not configured for .pac extensions, users may experience connection issues.
14
Blue Coat Security First Steps
1. Open the edited PAC file in a text editor such as Notepad.
2. Edit the file as appropriate for your deployment.
3. Upload the edited PAC file to your internal web server.
Next Step: Test Explicit Client Connections
Specify the PAC File Location in the Browser
If you want certain users or groups of users to use the same PAC file, you can instruct them to specify the location of the
PAC file in their browsers.
Note: Configure the web server with one of the MIME types for PAC files:
application/x-ns-proxy-autoconfig
application/x-javascript-config
If the MIME type is not configured for .pac extensions, users may experience connection issues.
1. Configure the ProxySG appliance's TCP port 80 to accept explicit connections.
The browser can retrieve the PAC file URL via DHCP option 252 if your DHCP server is configured to send option
252 and the host is using DHCP (as opposed to a host configured with a static IP address.) For some DHCP
servers, you might have to add the entry for option 252.
2. Download the PAC file from the appliance:
http://<ProxySG_IP_address>:<port>/accelerated_pac_base.pac
3. Open the edited PAC file in a text editor such as Notepad.
4. Edit the file as appropriate for your deployment.
5. Upload the edited PAC file to your internal web server and note the path to the file.
6. Configure the browser with the PAC file URL.
Select the appropriate browser for instructions. If users use a different version, instructions might differ slightly.
Microsoft Internet Explorer version 8.x
1. Open Internet Explorer.
2. Select Tools > Internet Options.
3. Click the Connections tab and then click LAN Settings.
15
Deploy an Explicit Proxy
4. On the dialog, select Use automatic configuration script.
5. Enter the PAC URL in the Address field.
6. Select OK > OK.
Mozilla Firefox version 24.0
1.
2.
3.
4.
Open Firefox.
Select Tools > Options.
Select Advanced > Network.
In the Connection section, click Settings.
16
Blue Coat Security First Steps
5. On the dialog, select Automatic proxy configuration URL. 6. In the field, enter the PAC URL.
7. Select OK > OK.
Google Chrome version 30.x
1.
2.
3.
4.
Open Chrome.
In the Chrome menu, select Settings.
Click Show advanced settings.
Scroll down. Under Network, click Change proxy settings.
17
Deploy an Explicit Proxy
5. On the dialog, select Use automatic configuration script.
6. Enter the PAC URL in the Address field.
7. Select OK > OK.
Apple Safari version 5.1.7 (Windows)
1. Open Safari.
2. From the Settings menu, select Preferences.
3. Click Advanced.
4. Beside Proxies, click Change Settings.
5. Click the Advanced button.
The Internet Properties window appears.
6. Click the Connections tab and then click LAN Settings.
18
Blue Coat Security First Steps
7. On the dialog, select Use automatic configuration script.
8. Enter the PAC URL in the Address field.
9. Select OK > OK
Apple Safari version 6.0.5 (Mac)
1. Open Safari.
2. From the Settings menu, select Preferences.
3. Click Advanced.
4. Beside Proxies, click Change Settings.
5. Click the Advanced button.
6. From the Apple menu, select Preferences.
7. (If necessary) Select your active network interface (usually Ethernet or Wi-Fi).
8. Select Advanced.
9. Click Proxies.
10. Select Automatic Proxy Configuration .
11. Enter the URL of the hosted PAC file in the URL field.
19
Deploy an Explicit Proxy
12. Select OK.
Tip If you want users' browsers to determine the location of the PAC file using DNS, you must use the Web Proxy
Auto-Discovery Protocol (WPAD) method. See Allow Browsers to Auto-Detect Settings.
Next Step: Test Explicit Client Connections
Allow Browsers to Auto-Detect Settings
If you want all devices in your network to use the same proxy settings, you can configure the ProxySG appliance to allow
browsers to auto-detect settings. Using Web Proxy Auto-Discovery Protocol (WPAD) allows you to enforce the same settings for all users. Use this method if you want all users' browsers to determine the location of the PAC file through DNS.
1. Download the PAC file from the appliance:
http://<ProxySG_IP_address>:<port>/accelerated_pac_base.pac
2. Open the edited PAC file in a text editor such as Notepad.
3. Edit the file as appropriate for your deployment. See Edit the Accelerated PAC File.
4. Upload the renamed file to the root directory of your internal web server.
5. Add a DNS record to your internal DNS server to resolve the WPAD hostname to the ProxySG appliance
IP address.
For example, if the local domain is yourdomain.com, add a record resolving wpad.yourdomain.com to the appliance
IP address.
6. Configure an explicit HTTP proxy service to allow browsers to receive the WPAD requests. In the Management
Console, select Configuration > Services > Proxy Services.
20
Blue Coat Security First Steps
Tip The appliance must be actively listening on whatever port you specify in the service. Port 80 is the
default and thus does not have to be specified in browsers; however, if you want to use a different port, you
must enable it for listening and then specify the port when configuring the explicit HTTP service. For
instructions, see Set Services to Intercept - Explicit Proxy .
7. Configure a redirect policy to convert the client’s request for
http://wpad.yourdomain.com/wpad.dat
to a request for
http://<ProxySG_IP_Address>:<port>/accelerated_pac_base.pac.
The following is an example:
<Proxy>
ALLOW url.path.exact=/wpad.dat action.ReturnRedirect1(yes)
define action ReturnRedirect1
request_redirect( 302, ".*", "http://wpad.yourdomain.com/accelerated_pac_
base.pac" )
end
When the user launches a browser, the browser attempts to detect proxy settings and issues an HTTP GET request to the
hostname on the internal DNS server. The browser then installs the PAC file.
Next Step: Test Explicit Client Connections
Test Explicit Client Connections
After you have configured the network for explicit proxy, you should test client connections and verify that they are going
through the proxy server explicitly.
1. Set a Deny policy.
a. In the Management Console, select Configuration > Policy > Policy Options.
b. Under Default Proxy Policy, select Deny.
c. Click Apply.
2. Go to various web pages using the browser. You should receive exception pages stating that access is denied due
to policy. 3. Set an Allow policy.
a. In the Management Console, select Configuration > Policy > Policy Options.
b. Under Default Proxy Policy, select Allow.
c. Click Apply.
4. Go to various web pages using the browser. You should be able to access the web pages.
5. Use one of the following methods to verify that connections are being proxied:
l
View active sessions
1. Go to various web pages using the browser.
2. View Active Sessions statistics and verify that they show explicit HTTP connections. See List
Active Sessions for a Proxy for instructions,
21
Deploy an Explicit Proxy
3. In the Client column, look for HTTP connections originating from the IP address of the ProxySG
appliance.
Requests sent to the origin content server (OCS) on behalf of the client display the ProxySG
appliance IP address in the Client column.
l
View the access log in real time
1. If access logging is disabled, enable it. In the Management Console, select Configuration > Access
Logging > General. Select Enable Access Logging and then click Apply.
2. Start the access log tail. Select Statistics > Access Logging > Log Tail. Click Start Tail.
3. Go to various web pages using the browser.
4. To stop the log tail, click Stop Tail.
5. On the Log Tail tab, look for events pertaining to the web pages you visited. They display as
originating from the IP address of the ProxySG appliance.
The access log tail shows events in real time.
22
Blue Coat Security First Steps
List Active Sessions for a Proxy
The Active Sessions report provides an immediate picture of the client-server sessions and the associated protocols, services, bytes, savings, and other statistics.
1. In the Management Console, select Statistics > Sessions > Active Sessions > Proxied Sessions.
2. From the Filter drop-down list, select Proxy.
3. Select a proxy name from the drop-down list.
4. Click Show to see the list of connections for the selected proxy.
23
Deploy an Explicit Proxy
Explicit Proxy Troubleshooting
Why are users experiencing slow browser performance?
24
Why are browsers connecting with outdated PAC settings?
24
Why are requests connecting directly instead of being redirected to proxy?
24
Why are users experiencing slow browser performance?
Problem:Users report slow browser performance.
Resolution: This problem has more than one possible solution.
Solution 1: The PAC file is large and has too many lines. Each line in the PAC file, including comments, is parsed each
time the browser encounters a URL on an HTML page. If your PAC file has extraneous lines, try to rewrite it to make it
more efficient.
Solution 2: The Proxy Auto-Configuration (PAC) file location was specified using a hostname, which could cause a performance hit due to excessive DNS lookups. If you suspect this could be the cause of the issue, use an IP address for the
PAC file location.
Why are browsers connecting with outdated PAC settings?
Problem: Browsers connect using outdated Proxy Auto-Configuration (PAC) settings.
Resolution: You updated the PAC file, but some users' browsers cached the previous PAC settings. Instruct users to do
one of the following:
l
l
Clear the browser cache.
Start a new browser session.
Why are requests connecting directly instead of being redirected to proxy?
Problem: Users' requests are connecting directly to the origin content server (OCS) instead of the proxy server. You have
specified in the proxy auto-configuration (PAC) file that these requests should be sent to proxy server.
Tip You can verify that requests are connecting directly by using a network monitoring utility such as TCPView.exe
to determine where the browser is redirecting.
Resolution: This problem has more than one possible solution.
Solution 1: If the PAC file specifies that requests go direct if the proxy server cannot be reached, verify that the proxy in
question is reachable.
Solution 2: Debug the JavaScript in the PAC file. Look for incorrect syntax and other errors.
24