ARM

The Adaptive Redirection Module (ARM) performs several essential functions including sending device notifications for cluster communication interface failover and inspection of incoming packets before the IP layer sees them, readdressing them for Content Gateway processing.

The ARM is always active. For more information, see The ARM.

Configure > Networking > ARM > General

Network Address Translation (NAT)

Displays the redirection rules in the ipnat.conf file that specify how incoming packets are readdressed when the proxy is serving traffic transparently. Content Gateway creates redirection rules during installation. You can modify these rules.

Refresh

Updates the table to display the most up-to-date rules in the ipnat.conf file.

Edit File

Opens the configuration file editor for the ipnat.conf file.

ipnat.conf Configuration File Editor

rule display box

Lists the ipnat.conf file rules. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.

Add

Adds a new rule to the rule display box at the top of the configuration file editor page.

Set

Updates the rule display box at the top of the configuration file editor page.

Ethernet Interface

Specifies the Ethernet interface that traffic will use to access the Content Gateway machine: for example, eth0 on Linux.

Connection Type

Specifies the connection type that applies for the rule: TCP or UDP.

Destination IP

Specifies the IP address from which traffic is sent.

0.0.0.0 matches all IP addresses.

Destination CIDR

Specifies the IP address in CIDR (Classless Inter-Domain Routing) format, such as 1.1.1.0/24. Entering a value in this field is optional.

Destination Port

Specifies the traffic destination port: for example, 80 for HTTP traffic.

Redirected
Destination IP

Specifies the IP address of your Content Gateway server.

Redirected
Destination Port

Specifies the proxy port: for example, 8080 for HTTP traffic.

User Protocol (Optional)

When dns is selected, the ARM redirects DNS traffic to Content Gateway: otherwise, DNS traffic is bypassed.

Apply

Applies the configuration changes.

Exits the configuration file editor.

Click Apply before you click Close; otherwise, all configuration changes are discarded.

IP Spoofing: Enabled/Disabled

Enables or disables the IP spoofing option, which configures Content Gateway to establish connections to origin servers with the client IP address instead of the Content Gateway IP address. For more information, see IP spoofing.

WARNING: IP spoofing requires precise control of the routing paths on your network, overriding the normal routing process for traffic running on TCP port 80 and 443.

Range Based IP Spoofing: Enabled/Disabled

Enables or disables the range-based IP spoofing extension. This extension supports the specification of IP addresses and ranges of addresses that are mapped to specified IP addresses for spoofing.

Many groups can be specified. However, use this feature judiciously because list traversal adds overhead to every connection request. The larger the list, the more overhead.

The list is traversed in order (as displayed). The first match is applied.

Clients that don't match a grouping are spoofed with their own IP address (basic IP spoofing).

For more information, see IP spoofing.

Range Based IP Spoofing: Address table

In the Client IP Addresses field, enter a comma separated list of individual IP addresses and/or IP address ranges. Do not use spaces.

You can use:

A simple IP address, such as 123.45.67.8

CIDR (Classless Inter-Domain Routing) format, such as 1.1.1.0/24.

A range separated by a dash, such as 1.1.1.1-2.2.2.2

Any combination of the above, separated by commas, such as:
1.1.1.0/24,25.25.25.25,123.1.23.1-123.1.23.123

In the Specified IP Address field, enter the IP address to use with matching clients. This is the spoofed IP address.

To add a row to the table, click Add Row.

To remove a row from the table, delete the contents of the cells. When you click Apply the empty row(s) is removed

The table always has a minimum of 5 rows.

Restart Content Gateway to put changes into effect.

Configure > Networking > ARM > Static Bypass

Static bypass rules route requests around the proxy (bypass). Rules can be defined for clients (sources), origin servers (destinations), or both (pairs). See Static bypass rules.


	Important This feature is for transparent proxy deployments only.


Static Bypass table	Lists the configured static bypass rules. When Content Gateway is serving transparent traffic, the proxy uses these rules to determine whether to bypass incoming client requests or attempt to serve them transparently. Rules are stored in bypass.config
Refresh	Updates the table to display the most up-to-date rules in the bypass.config file.
Edit File	Opens the configuration file editor for the bypass.config file.
	bypass.config Configuration File Editor
rule display box	Lists the bypass.config file rules. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.
Add	Adds a new rule to the rule display box at the top of the configuration file editor page.
Set	Updates the rule display box at the top of the configuration file editor page.
Rule Type	Specifies the rule type: A bypass rule bypasses specified incoming requests. A deny_dyn_bypass rule prevents the proxy from bypassing specified incoming client requests dynamically (a deny bypass rule can prevent Content Gateway from bypassing itself).
Source IP	Specifies the source IP address in incoming requests that the proxy must bypass or deny bypass. The IP address can be one of the following: A simple IP address, such as 123.45.67.8 In CIDR (Classless Inter-Domain Routing) format, such as 1.1.1.0/24. A range separated by a dash, such as 1.1.1.1-2.2.2.2 Any combination of the above, separated by commas, such as 1.1.1.0/24, 25.25.25.25, 123.1.23.1-123.1.23.123
Destination IP	Specifies the destination IP address of incoming requests that the proxy must bypass or deny bypass. The IP address can be one of the following: A simple IP address, such as 123.45.67.8 In CIDR (Classless Inter-Domain Routing) format, such as 1.1.1.0/24 A range separated by a dash, such as 1.1.1.1-2.2.2.2 Any combination of the above, separated by commas, such as 1.1.1.0/24, 25.25.25.25, 123.1.23.1-123.1.23.123
Apply	Applies the configuration changes.
Close	Exits the configuration file editor. Click Apply before you click Close; otherwise, all configuration changes will be lost.

Configure > Networking > ARM > Dynamic Bypass


Dynamic Bypass	Enables or disables the dynamic bypass option to bypass the proxy and go directly to the origin server when clients or servers cause problems. Dynamic bypass rules are deleted when you stop Content Gateway.
Behavior: Non-HTTP, Port 80	Select Enabled to enable dynamic bypass when Content Gateway encounters non-HTTP traffic on port 80. Select Disabled to disable dynamic bypass when Content Gateway encounters non-HTTP traffic on port 80. Select Source-Destination to enable dynamic source/destination bypass when Content Gateway encounters non-HTTP traffic on port 80. Select Destination Only to enable dynamic destination bypass when Content Gateway encounters non-HTTP traffic on port 80.
Behavior: HTTP 400	Select Enabled to enable dynamic bypass when an origin server returns a 400 error. Select Disabled to disable dynamic bypass when an origin server returns a 400 error. Select Source-Destination to enable dynamic source/destination bypass when an origin server returns a 400 error. Select Destination Only to enable dynamic destination bypass when an origin server returns a 400 error.
Behavior: HTTP 401	Select Enabled to enable dynamic bypass when an origin server returns a 401 error. Select Disabled to disable dynamic bypass when an origin server returns a 401 error. Select Source-Destination to enable dynamic source/destination bypass when an origin server returns a 401 error. Select Destination Only to enable dynamic destination bypass when an origin server returns a 401 error.
Behavior: HTTP 403	Select Enabled to enable dynamic bypass when an origin server returns a 403 error. Select Disabled to disable dynamic bypass when an origin server returns a 403 error. Select Source-Destination to enable dynamic source/destination bypass when an origin server returns a 403 error. Select Destination Only to enable dynamic destination bypass when an origin server returns a 403 error.
Behavior: HTTP 405	Select Enabled to enable dynamic bypass when an origin server returns a 405 error. Select Disabled to disable dynamic bypass when an origin server returns a 405 error. Select Source-Destination to enable dynamic source/destination bypass when an origin server returns a 405 error. Select Destination Only to enable dynamic destination bypass when an origin server returns a 405 error.
Behavior: HTTP 406	Select Enabled to enable dynamic bypass when an origin server returns a 406 error. Select Disabled to disable dynamic bypass when an origin server returns a 406 error. Select Source-Destination to enable dynamic source/destination bypass when an origin server returns a 406 error. Select Destination Only to enable dynamic destination bypass when an origin server returns a 406 error.
Behavior: HTTP 408	Select Enabled to enable dynamic bypass when an origin server returns a 408 error. Select Disabled to disable dynamic bypass when an origin server returns a 408 error. Select Source-Destination to enable dynamic source/destination bypass when an origin server returns a 408 error. Select Destination Only to enable dynamic destination bypass when an origin server returns a 408 error.
Behavior: HTTP 500	Select Enabled to enable dynamic bypass when an origin server returns a 500 error. Select Disabled to disable dynamic bypass when an origin server returns a 500 error. Select Source-Destination to enable dynamic source/destination bypass when an origin server returns a 500 error. Select Destination Only to enable dynamic destination bypass when an origin server returns a 500 error.