IP spoofing
Help | Content Gateway | Version 8.1.x
Ordinarily, when Content Gateway proxies requests for clients, it communicates with origin servers using its own IP address in place of the client's IP address. This is the standard operation of forward proxies.
IP spoofing configures the proxy to use:
*
Or
*
IP spoofing is sometimes used to support upstream activities that require the client IP address or a specific IP address. It also results in origin servers seeing the client or specified IP address instead of the proxy IP address (although the proxy IP address can be a specified IP address; more below).
IP spoofing features and restrictions:
*
*
*
*
*
* IP spoofing is not supported with edge devices such as a Cisco ASA or PIX firewall. When this is attempted, requests made by Content Gateway using the client IP address are looped back to Content Gateway.
*
 
Warning 
 
Important 
Range-based IP spoofing
Range-based IP spoofing supports groupings of clients (IP addresses and IP address ranges) that are mapped to specified IP addresses.
Among other uses, range-based IP spoofing facilitates:
*
*
*
 
Important 
IP spoofing and the flow of traffic
The following describes the flow of HTTP and HTTPS traffic when IP spoofing is used with WCCP. Policy-based routing can be implemented to achieve the same results. The numbers in the diagram correspond to the actions described in the numbered list.
1.
2. If needed, the proxy creates a connection to the origin server using the client IP address or specified IP address (range-based IP spoofing).
3.
4.
5.
6.
7.
 
Note 
WCCP service group IDs are user defined and must be programmed on the WCCP device(s) and in Content Gateway (see Configuring service groups on the WCCP device and Configuring service groups in the Content Gateway manager).
Following is a set of suggested definitions.
Policy-based routing (PBR) uses access control lists (ACLs) to identify and redirect flows. In a PBR deployment, all of the configuration is done on the router and there is no corresponding Content Gateway configuration. PBR deployments have to redirect traffic returning from origin servers from ports 80 and 443 to Content Gateway.
Configuring IP spoofing
Basic IP spoofing
From Content Gateway manager:
1. Go to Configure > Networking > ARM > General.
2. Under IP Spoofing, select Enabled.
3. Click Apply.
4. Click Restart on Configure > My Proxy > Basic > General.
5. Contact your network equipment vendor or Websense Technical Support for any needed assistance.
 
Warning 
For information about configuring WCCP routers, see Configuring WCCP v2 routers.
Range-based IP spoofing
 
Important 
*
*
*
*
*
To create the range-based IP spoofing table:
1. Go to Configure > Networking > ARM > General.
2. Under IP Spoofing, select Enabled. Basic IP spoofing must be enabled to enable range-based IP spoofing.
3. Under Range Based IP Spoofing, select Enabled.
4. In the Client IP Addresses field, enter a comma-separated list of individual IP addresses and/or IP address ranges.
In a range, the first IP address is separated from the last with a hyphen. For example: 10.100.100.0-10.100.100.254
CIDR notation is allowed. Do not use spaces.
The Client IP Address list supports a maximum of:
*
*
5. In the Specified IP Address field, enter a single IP address.
6. Click Apply to add the entry to the table.
Warning: If any of the formatting is invalid, all of the data in that row is cleared.
7.
8. To put new entries into effect, click Apply and then restart Content Gateway.
9. Contact your network equipment vendor or Websense Technical Support for any needed assistance.
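Because an invalid row is cleared when Apply is clicked, it can help to check rows before entering them. The following is an added example, not part of the Content Gateway documentation or product: it checks the Client IP Addresses and Specified IP Address formats described in steps 4 and 5. The function names are hypothetical, and IPv4-only input, rejection of reversed ranges, and rejection of CIDR blocks with host bits set are assumptions; the list-size limits are not checked.

```python
import ipaddress

def parse_client_field(field):
    """Validate a Client IP Addresses value; return (first, last) address pairs.

    Raises ValueError on the first malformed entry.
    """
    if not field or any(ch.isspace() for ch in field):
        raise ValueError("field is empty or contains whitespace")
    spans = []
    for entry in field.split(","):
        try:
            if "-" in entry:                      # first-last range
                first_s, last_s = entry.split("-")
                first = ipaddress.IPv4Address(first_s)
                last = ipaddress.IPv4Address(last_s)
            elif "/" in entry:                    # CIDR block
                # Assumption: host bits must be zero (strict parsing).
                net = ipaddress.IPv4Network(entry, strict=True)
                first, last = net[0], net[-1]
            else:                                 # single address
                first = last = ipaddress.IPv4Address(entry)
        except ValueError as exc:
            raise ValueError(f"bad entry {entry!r}: {exc}") from None
        if first > last:                          # assumption: first <= last
            raise ValueError(f"bad entry {entry!r}: range is reversed")
        spans.append((first, last))
    return spans

def check_rows(rows):
    """Return {row_number: error} for rows that fail the format rules."""
    problems = {}
    for n, (clients, specified) in enumerate(rows, start=1):
        try:
            parse_client_field(clients)
            ipaddress.IPv4Address(specified)      # exactly one address
        except ValueError as exc:
            problems[n] = str(exc)
    return problems

# Constructed sample rows (client field, specified IP); not from the product.
SAMPLE_ROWS = [
    ("10.100.100.0-10.100.100.254,10.2.0.0/16,10.3.3.3", "192.0.2.10"),
    ("10.4.0.1, 10.4.0.2", "192.0.2.11"),          # space after comma
    ("10.5.0.9-10.5.0.1", "192.0.2.12"),           # reversed range
    ("10.6.0.0/24", "192.0.2.13,192.0.2.14"),      # two specified addresses
]

if __name__ == "__main__":
    for row, err in check_rows(SAMPLE_ROWS).items():
        print(f"row {row}: {err}")
```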
To remove an entry from the IP spoofing table:
1.
2. Click Apply.
3.

Copyright 2016 Forcepoint LLC. All rights reserved.