Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Transparent Proxy and ARM > Transparent interception strategies > Configuring Content Gateway to serve only transparent requests
Configuring Content Gateway to serve only transparent requests
Help | Content Gateway | Version 7.8.x
You can configure Content Gateway to serve only transparent requests and prevent explicit proxy requests from being served in the following ways:
*
You can control client access to Content Gateway by specifying ranges of IP addresses that are allowed to connect to the proxy. If Content Gateway receives a request from an IP address not listed in a specified range, it discards the request. See Controlling client access to the proxy.
*
If you do not know the ranges of client IP addresses allowed to access Content Gateway, you can add rules to the ipnat.conf file (Configure > Networking > ARM > General) so that only requests that have been redirected by your Layer 4 switch or WCCP router reach the proxy port.
To make a transparent-only Content Gateway server, add rules in the ipnat.conf file before the normal redirect service rule to redirect explicit proxy traffic to a port on which no service is listening. For example, if you want Content Gateway to ignore explicit HTTP requests, add rules above the normal HTTP redirect rule in the ipnat.conf file as shown below (where ipaddress is the IP address of your Content Gateway system and port_number is a port number on which no service is listening):
rdr hme0 ipaddress port 80 -> ipaddress port port_number tcp
rdr hme0 ipaddress port 8080 -> ipaddress port port_number tcp
rdr hme0 0.0.0.0/0 port 80 -> ipaddress port 8080 tcp
Add equivalent rules to the ipnat.conf file for each protocol service port or separate network interface to be served. After you make changes to the ipnat.conf file, you must restart the proxy.
*
If your Content Gateway system has multiple network interfaces or if you configure the Content Gateway operating system to use virtual IP addresses, you can give Content Gateway two IP addresses. One address must be the real address that the proxy uses to communicate with origin servers and the other a private IP address (for example 10.0.0.1) for WCCP or switch redirection. After you configure the IP addresses, you must add the following variables to the end of the records.config file. Replace private_ipaddress with the private IP address used for WCCP or switch redirection and real_ipaddress with the IP address the proxy uses to communicate with origin servers.
LOCAL proxy.local.incoming_ip_to_bind STRING private_ipaddress
LOCAL proxy.local.outgoing_ip_to_bind STRING real_ipaddress

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Transparent Proxy and ARM > Transparent interception strategies > Configuring Content Gateway to serve only transparent requests
Copyright 2016 Forcepoint LLC. All rights reserved.