Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Additional Proxy Configuration > IP spoofing
IP spoofing
Help | Content Gateway | Version 7.8.x
Ordinarily, when Content Gateway proxies requests for clients it communicates with origin servers using its own IP address in place of the client's IP address. This is the standard operation of forward proxies.
IP spoofing configures the proxy to use:
*
The IP address of the client when communicating with the origin server (basic IP spoofing), or
*
A specified IP address when communicating with the origin server (Range-based IP spoofing)
IP spoofing is sometimes used to support upstream activities that require the client IP address or a specific IP address. It also results in origin servers seeing the client or specified IP address instead of the proxy IP address (although the proxy IP address can be a specified IP address; more below).
IP spoofing features and restrictions:
*
Prior to 7.8.3, IP spoofing is supported for transparent proxy requests only.
*
IP spoofing is supported for HTTP and HTTPS traffic only.
*
When IP spoofing is enabled, it is applied to both HTTP and HTTPS. It cannot be configured for only one protocol.
*
HTTPS traffic is spoofed whether SSL support is enabled or not.
*
IP spoofing relies on the ARM.
*
IP spoofing is not supported with edge devices such as a Cisco ASA or PIX firewall. When this is attempted, requests made by Content Gateway using the client IP address are looped back to Content Gateway.
*
IP spoofing, supported with IPv6 in 7.8.4 and later, requires all IP addresses in the same routing path use the same format. That is, all IP addresses must be either IPv6 or IPv4. A combination of IPv6 and IPv4 addresses is not supported.
*
Prior to 7.8.4, IP spoofing does not support IPv6.
 
* 
Warning 
Deploying IP spoofing requires precise control of the routing paths on your network, overriding the normal routing process for traffic running on TCP port 80 and 443. When configured with either transparent or explicit proxy, return traffic must be routed back to the proxy.
For assistance, please contact your network equipment vendor or Websense Technical Support.
With IP spoofing enabled, traditional debugging tools such as traceroute and ping have limited utility.
 
* 
Important 
For a discussion of how the proxy kernel routing table impacts transparent proxy deployment, see the Solution Center article titled, Web sites in the Static or Dynamic bypass list fail to connect.
Range-based IP spoofing
Range-based IP spoofing supports groupings of clients (IP addresses and IP address ranges) that are mapped to specified IP addresses.
Among other uses, range-based IP spoofing facilitates:
*
The delivery of web-hosted services when the identification is by source IP address. For example, to receive a web-hosted service, an organization might be required to identify membership to the service via a known IP address.
*
IP address-based authentication with an external service when a unique IP address represents a group of users.
*
A way to configure traditional IP spoofing for some clients (source IP addresses that don't match any group are spoofed with their own IP address), range-based IP spoofing for some clients, and standard proxy IP address substitution for some clients. The latter is done by creating a group that specifies the proxy IP address.
 
* 
Important 
Range-based IP Spoofing is not supported on many older versions of Cisco IOS firmware. To avoid problems, update your Cisco device to the latest firmware.
Beginning with 7.8.4, IP Spoofing is supported for IPv6. However, range-based IP Spoofing is not supported for IPv6.
IP spoofing and the flow of traffic
The following describes the flow of HTTP and HTTPS traffic when IP spoofing is used with WCCP. Policy-based routing can be implemented to achieve the same results. The numbers in the diagram correspond to the actions described in the numbered list.
1.
A client request arrives at a routed port or Switched Virtual Interface (SVI) looking for traffic with a destination port of HTTP (80) or HTTPS (443).
2.
The switch redirects the client request to Content Gateway.
If needed, the proxy creates a connection to the origin server using the client IP address or specified IP address (range-based IP spoofing).
3.
The request is sent to the origin server through the switch, NAT and/or firewall.
4.
When the origin server response is returned, the IP packet has the substituted IP address as the destination (client or specified IP address).
5.
The origin server response arrives at a routed port or Switched Virtual Interface (SVI) looking for traffic with a source port of HTTP (80) or HTTPS (443). See the note below.
6.
The switch redirects the origin server response to the proxy, completing the proxy-to-origin server TCP connection.
7.
A proxy response to the client is generated and returned to the client on the proxy-to-client TCP connection.
 
* 
Note 
When IP spoofing is enabled, the proxy advertises a reverse service group for each enabled WCCP service. The reverse service group must be applied along the return path of the proxy.
WCCP service group IDs are user defined and must be programmed on the WCCP device(s) and in Content Gateway (see Configuring service groups on the WCCP device and Configuring service groups in the Content Gateway manager.
Following is a set of suggested definitions.
Service ID
Port
Traffic Type
0
destination port 80
HTTP
20
source port 80
HTTP
70
destination port 443
HTTPS (HTTPS support must be enabled)
90
source port 443
HTTPS
Policy-based routing (PBR) uses access control lists (ACL) to identify and redirect flows. In a PBR deployment, all of the configuration is done on the router and there is no corresponding Content Gateway configuration. PBR deployments have to redirect traffic returning from origin servers from port 80 and 443 to Content Gateway.
Configuring IP spoofing
Basic IP spoofing
From Websense Content Manager:
1.
Go to Configure > Networking > ARM > General.
2.
Under IP Spoofing, select Enabled.
3.
Click Apply.
4.
Click Restart on Configure > My Proxy > Basic > General.
 
* 
Warning 
The ARM is a critical component of Content Gateway that should never be disabled. If it is disabled while IP spoofing is enabled, client requests receive a "Cannot display Web page" error and an error message is recorded in /var/log/messages.
For information about configuring WCCP routers, see Configuring WCCP v2 routers.
Range-based IP spoofing
*
Client IP address ranges and their corresponding spoofed IP address are specified in a table.
*
The table is traversed top-down. The first match is applied.
*
Requests from clients that do not match an IP address in the table are spoofed with their own IP address (basic IP spoofing).
*
To create an entry that causes a set of IP addresses to appear to be coming from the proxy (as in ordinary forward proxy request handling), specify the desired client IP address range and then, in the Spoofed IP Address field, specify the proxy's Internet-facing IP address.
*
It is recommended that you create the smallest list that meets your needs. The list is traversed for every connection request. A very large list could contribute to latency. Use the performance charts (Monitor > Performance) to monitor proxy performance.
To create the range-based IP spoofing table:
1.
Go to Configure > Networking > ARM > General.
2.
Under IP Spoofing, select Enabled. Basic IP spoofing must be enabled to enable range-based IP spoofing.
3.
Under Range Based IP Spoofing, select Enabled.
4.
In the Client IP Addresses field, enter a comma separated list of individual IP addresses and/or IP address ranges.
In a range, the first IP address is separated from last with a hyphen. For example: 10.100.100.0-10.100.100.254
CIDR notation is allowed. Do not use spaces.
5.
In the Specified IP Address field, enter a single IP address.
6.
Click Apply to add the entry to the table.
Warning: If any of the formatting is invalid, all of the data in that row is cleared.
7.
To add a new row to the table, click Add Row.
8.
To put new entries into effect, click Apply and then restart Content Gateway.
To remove an entry from the IP spoofing table:
1.
Clear all the values in the row to be removed.
2.
Click Apply.
3.
To put the changes into effect, restart Content Gateway.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Additional Proxy Configuration > IP spoofing
Copyright 2016 Forcepoint LLC. All rights reserved.