7/27/2019 Lan Bypass
1/10
METHODS FOR BYPASSING THE WEB SECURITY PROXY
COPYRIGHT NOTICES
eSoft Inc. 2012. eSoft, InstaGate, and ThreatWall are registered trademarks, and SoftPak and SoftPak Director are trademarks of eSoft, Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation. Adobe, the Adobe logo, and Acrobat are registered trademarks of Adobe Systems Inc. UNIX is a registered trademark of UNIX Systems Laboratories, Inc. All other brand and/or product names are the property of their respective holders.
Portions of this software are covered under the GNU General Public License. You may freely obtain source code versions of the software covered by the GNU General Public License through the Internet at http://www.redhat.com. However, some applications remain the property of their owners, and require their permission to redistribute. For more information, access the eSoft web site at http://www.esoft.com.
Portions of this software are Copyright The Regents of the University of California. A complete copy of the copyright notice follows:
Copyright The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the University of California, Berkeley and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions of this software are Copyright The Apache Group. A complete copy of the copyright notice follows:
Copyright 1995-1997 The Apache Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).
The names Apache Server and Apache Group must not be used to endorse or promote products derived from this software without prior written permission.
Redistributions of any form whatsoever must retain the following acknowledgment:
This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).
INTRODUCTION
All InstaGate units come with the Web Security Proxy as standard built-in software. This proxy is
used to monitor and enforce appropriate Internet usage throughout your organization.
Bypassing the proxy server may be necessary for certain websites, hosts or applications.
Websites and applications may not support a proxy configuration for a number of reasons,
such as security constraints, an application's inability to support proxy authentication, or other reasons.
The following sections describe how to bypass the Web Security Proxy on the InstaGate. This
is typically done with a combination of Firewall Policies and additional configuration of the client
machine through Internet Options.
IMPORTANT NOTE: If IP-Based Web Filtering is being used on the device,
there is no way to bypass the proxy!! Any traffic that routes through the
unit will be redirected to the proxy for processing.
For additional information on the Web Security Proxy please review the information available at http://support.esoft.com.
PART ONE: BYPASS BY DESTINATION
1.1 Destination Bypasses
The following shows how to create a proxy bypass by destination. Meaning, when a client tries
to go to a specific destination, the proxy is bypassed. This method is most commonly used for
problems browsing to particular sites. For our example we will create a destination bypass to
the site http://support.esoft.com.
1.2 Finding the Destination IP Address
The first step in creating a destination bypass is to find the IP address for the site you want to
allow to bypass the proxy. This can be done through several methods, the easiest of which is to
simply ping the URL. From a client machine, go to Start and click on Run. In the Run field type
cmd to open a DOS prompt. Type ping support.esoft.com at the prompt as shown below and
hit enter. You should receive a message similar to the one below with the IP address that
support.esoft.com resolves to. This is the IP address you will need to use for your LAN firewall
rule. In our example this IP is 199.45.143.23.
1.3 Creating the LAN Firewall Policy
The next step in setting up a destination bypass is to add a LAN firewall rule to allow the traffic
past the default proxy rule. First, access the Firewall Policies page by clicking the Firewall Policies
link under the Firewall Menu. Click the Add button to add a policy. After naming the policy, set
the Action to Accept and the Interface to LAN. It is best to leave logging disabled unless you are
troubleshooting dropped packets at the firewall.
For a destination bypass you will typically leave the source address as the object ANY as in the
example above. However, there may be certain situations where you would need to specify a
network or host. Specific hosts or clients on that specific network would be the only machines
allowed to bypass the proxy for the destination IP you enter.
The destination address should be the IP address that we determined in section 1.2. Here you
can see we've selected Network and entered 199.45.143.23, the IP address of
support.esoft.com, into the IP address field. We've also selected the subnet mask 255.255.255.255 so
the proxy will only be bypassed by traffic going to the 199.45.143.23 IP address. Certain URLs
may resolve to more than one IP address, so you may want to enter a subnet of IP addresses
here, or create multiple policies.
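The single-address case above generalizes to sites that resolve to several addresses (the same point the troubleshooting section makes). This is an added Python example, not code from the eSoft document: it turns a list of resolved addresses into the (address, subnet mask) pairs the policy form takes, either one entry per address or collapsed into the fewest covering ranges, and counts how many addresses a given mask bypasses, which is the check to make before widening a mask. The multi-address hostname and its addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data: the page's single address for support.esoft.com
# plus a hypothetical hostname that resolves to four adjacent addresses.
RESOLVED = {
    "support.esoft.com": ["199.45.143.23"],
    "multi.example": ["203.0.113.4", "203.0.113.5", "203.0.113.6", "203.0.113.7"],
}


def host_policies(addresses):
    """One policy entry per address with a 255.255.255.255 (host) mask,
    exactly as the document does for a single-address site."""
    return [(str(ipaddress.ip_address(a)), "255.255.255.255") for a in addresses]


def summarized_policies(addresses):
    """Collapse the resolved addresses into the fewest exact covering networks
    and return (network address, dotted netmask) pairs for the policy form.
    collapse_addresses only merges adjacent ranges, so no extra addresses
    are ever pulled into the bypass."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addresses)
    return [(str(n.network_address), str(n.netmask)) for n in nets]


def addresses_covered(address, netmask):
    """How many destination addresses one (address, netmask) entry lets past
    the proxy; anything above 1 deserves a second look."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False).num_addresses


if __name__ == "__main__":
    for host, addrs in RESOLVED.items():
        print(host, host_policies(addrs), summarized_policies(addrs))
    print(addresses_covered("199.45.143.23", "255.255.255.0"))  # 256, far wider than intended
```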
The last step in creating the firewall policy is to select the protocols you wish to be affected by
the policy. By default, most browsers including Internet Explorer will proxy HTTP, HTTPS and FTP
protocols. In our example we will only be using HTTP and HTTPS, so they have been selected.
1.4 Placement of the Bypass Policy
Firewall policies are acted on in order, from top to bottom. For the bypass to work, your firewall
rule must be placed above the default proxy rule labeled Web Access*. This can be done by
selecting your rule and using the UP button or using the drag and drop feature and clicking
Apply. Our final LAN firewall configuration appears below.
1.5 Adding Exceptions to the Browser
The final step in creating a destination proxy bypass is to add an exception into the browser. The
following describes the process of adding an exception in Microsoft Internet Explorer. For other
browsers please refer to the documentation provided in the browser help menu.
The proxy settings for Internet Explorer are configured through Internet Options. If you are
configured for Local or Microsoft Active Directory authentication you should already be set to go
through the proxy. If you are in transparent mode this step is not necessary.
First, access Internet Options either through the Control Panel or through Internet Explorer by
clicking Tools and selecting Internet Options. Click on the Connections tab, then LAN settings.
As in the above screenshot, you should see the box checked to Use a proxy server for your
LAN and have the Address box filled in. Click the Advanced button. In the exceptions box you
will enter the URL of the site you are trying to bypass the proxy for. For this example we simply
enter support.esoft.com. Click OK until you exit the Internet Options settings.
At this point you should be finished and anyone who has the exception set appropriately should
be bypassing the proxy for the URL. If the page is still not working after this, you should check
the Web Proxy log to verify the requests are no longer getting logged and no other URLs need to
be added.
PART TWO: BYPASS BY SOURCE
2.1 Source Bypasses
Part two will demonstrate how to create a proxy bypass by source. When a client with a
particular source IP address tries to access a website via HTTP, HTTPS or FTP the connection will
then bypass the proxy. Machines with a source bypass should not have any proxy settings added
to the browser.
2.2 Finding the Source IP Address
In most situations you will want to statically assign an IP address to the machine you are
creating a source bypass for. This can be done by accessing the properties of your local area
connection or wireless connection. Find the Internet Protocol (TCP/IP) adapter and choose
properties again. Here you can choose Use the following IP address and assign an address on
your local network. If you choose to use DHCP on your local network you can still create a
source bypass; however, the bypass may stop working after the DHCP lease expires. With DHCP
the source address can be found by using ipconfig at a command prompt. For our example, we
will use 10.10.10.10 as the source IP.
2.3 Creating the LAN Firewall Policy
The LAN firewall policy for a source bypass is very similar to a destination bypass. With a source
bypass you will need to specify the source rather than the destination. As you can see in the
example on the following page, we have chosen all of the same options with the exception of
two settings. We have specified the source address as 10.10.10.10 with the subnet as
255.255.255.255 and we have changed the destination address to ANY. Next, select the
protocols you wish to use for this policy, typically HTTP and HTTPS. Click Apply to save the
policy.
2.4 Placement of the Bypass Policy
The LAN firewall policy that you have created must be moved above the default proxy rule, just
as in part one. This can be done by selecting your rule and using the UP button or using the
drag and drop feature and clicking Apply. After applying the change the source bypass should
now work. Keep in mind that proxy settings should not be specified in the client machine.
PART THREE: COMBINATION BYPASSES
3.1 Combination Bypasses
There may be times when you will want to allow only a certain host, or certain group of hosts, to
a certain destination while keeping all others proxied. For this situation you would use a
combination policy which, in essence, combines the policies you've learned in part one and part
two. A source and destination IP will be used for the firewall rule.
3.2 Find the Source and Destination IP Addresses
For this type of policy we will be using both the source and destination IP. To find these IPs you
will use the same process as in part one and part two. Please refer back to section 1.2 for finding
the destination, or 2.2 for finding the source. In this example, we will use support.esoft.com or
199.45.143.23 for the destination and 10.10.10.10 for the source IP address.
3.3 Creating the LAN Firewall Policy
The LAN firewall policy in this example is basically a combination of the destination and source
bypass policies. After naming the rule and selecting Accept for the action you will need to set
the source IP address.
As shown, we have selected Network and specified the source address as 10.10.10.10 and
subnet as 255.255.255.255. This will ensure that only 10.10.10.10 is allowed to bypass the
proxy.
Next, specify the destination you wish to bypass the proxy for. Here you can see we've selected
Network and entered 199.45.143.23. We've also selected the subnet 255.255.255.255 so only
traffic going to 199.45.143.23 from a source 10.10.10.10 will bypass the proxy. To finish the
policy, select the protocols you wish to use for this policy, typically HTTP and HTTPS. Click Apply
to save the policy.
3.4 Placement of the Bypass Policy
As with the other policies, this firewall policy must be moved above the default proxy rule. This
can be done by selecting your rule and using the UP button or using the drag and drop feature
and clicking Apply.
After applying the change the source bypass should now work if you do not have proxy settings
specified in your browser (transparent proxy). If you do have proxy settings assigned, follow the
steps in section 1.5 to add an exception into the proxy settings.
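To make the ordering rule of sections 1.4, 2.4 and 3.4 concrete, here is an added Python model (not the InstaGate's own code) of first-match, top-to-bottom policy evaluation for the three bypass types, using the document's addresses 199.45.143.23 and 10.10.10.10. The rule name "Web Access*" is the page's; the field layout and the protocol set of that default rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    action: str          # "accept": pass straight out; "proxy": hand to the Web Security Proxy
    source: str          # CIDR such as "10.10.10.10/32", or "any"
    destination: str     # CIDR, or "any"
    protocols: frozenset

    @staticmethod
    def _within(address, scope):
        return scope == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(scope)

    def matches(self, src, dst, proto):
        return (self._within(src, self.source) and self._within(dst, self.destination)
                and proto in self.protocols)


# Assumed model of the default proxy rule the document calls "Web Access*";
# the http/https/ftp set is an assumption, not taken from the page.
WEB_ACCESS = Policy("Web Access*", "proxy", "any", "any", frozenset({"http", "https", "ftp"}))
WEB = frozenset({"http", "https"})  # the protocols the document selects for its bypass rules
DEST_BYPASS = Policy("Destination bypass", "accept", "any", "199.45.143.23/32", WEB)
SOURCE_BYPASS = Policy("Source bypass", "accept", "10.10.10.10/32", "any", WEB)
COMBO_BYPASS = Policy("Combination bypass", "accept", "10.10.10.10/32", "199.45.143.23/32", WEB)


def first_match(policies, src, dst, proto):
    """Policies are acted on in order, top to bottom: the first match decides."""
    for policy in policies:
        if policy.matches(src, dst, proto):
            return policy.name, policy.action
    return None, "no-match"


def bypass_is_effective(policies, bypass):
    """A bypass only takes effect when it sits above the default proxy rule;
    below it, "Web Access*" matches first and the bypass never fires."""
    names = [p.name for p in policies]
    return names.index(bypass.name) < names.index(WEB_ACCESS.name)


if __name__ == "__main__":
    print(first_match([DEST_BYPASS, WEB_ACCESS], "10.10.10.20", "199.45.143.23", "https"))
    print(first_match([WEB_ACCESS, DEST_BYPASS], "10.10.10.20", "199.45.143.23", "https"))
    print(bypass_is_effective([WEB_ACCESS, COMBO_BYPASS], COMBO_BYPASS))
```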
TROUBLESHOOTING
If there are still problems loading the site, usually the page is attempting to access more than
one URL. You will want to watch the Web Proxy log to see what web traffic is being created
when you visit the site and adjust your policies and exceptions as necessary. Also, keep in mind
that a URL may resolve to more than one IP address depending on the DNS server that is being
used. Your policies may need to be configured to allow a network range or more than one IP
address.
For other applications such as java applets and different types of software, it may be necessary
to enter the proxy settings and exceptions into the software. Refer to the documentation on
your application for specifics. If you need assistance in creating a proxy bypass please open a
ticket with eSoft Technical Support at 877-754-2986 or online at http://support.esoft.com.