Lan Bypass


  • 7/27/2019 Lan Bypass


METHODS FOR BYPASSING THE WEB SECURITY PROXY


COPYRIGHT NOTICES

eSoft Inc. 2012. eSoft, InstaGate, and ThreatWall are registered trademarks, and SoftPak and SoftPak Director are trademarks of eSoft, Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation. Adobe, the Adobe logo, and Acrobat are registered trademarks of Adobe Systems Inc. UNIX is a registered trademark of UNIX Systems Laboratories, Inc. All other brand and/or product names are the property of their respective holders.

Portions of this software are covered under the GNU General Public License. You may freely obtain source code versions of the software covered by the GNU General Public License through the Internet at http://www.redhat.com. However, some applications remain the property of their owners, and require their permission to redistribute. For more information, access the eSoft web site at http://www.esoft.com.

Portions of this software are Copyright The Regents of the University of California. A complete copy of the copyright notice follows:

Copyright The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the University of California, Berkeley and its contributors.

Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software are Copyright The Apache Group. A complete copy of the copyright notice follows:

Copyright 1995-1997 The Apache Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

The names Apache Server and Apache Group must not be used to endorse or promote products derived from this software without prior written permission.

Redistributions of any form whatsoever must retain the following acknowledgment: This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

INTRODUCTION

All InstaGate units come with the Web Security Proxy as standard built-in software. This proxy is used to monitor and enforce appropriate Internet usage throughout your organization.

Bypassing the proxy server may be necessary for certain websites, hosts or applications. Websites and applications may not support a proxy configuration for a number of reasons: security restrictions, an application's inability to support proxy authentication, or other reasons.

The following sections describe how to bypass the Web Security Proxy on the InstaGate. This is typically done with a combination of Firewall Policies on the unit and additional configuration of the client machine through Internet Options.

IMPORTANT NOTE: If IP-Based Web Filtering is being used on the device, there is no way to bypass the proxy. Any traffic that routes through the unit will be redirected to the proxy for processing.

For additional information on the Web Security Proxy, please review the information available at http://support.esoft.com.

PART ONE: BYPASS BY DESTINATION

1.1 Destination Bypasses

The following shows how to create a proxy bypass by destination, meaning that when a client tries to reach a specific destination, the proxy is bypassed. This method is most commonly used for problems browsing to particular sites. For our example we will create a destination bypass to the site http://support.esoft.com.

1.2 Finding the Destination IP Address

The first step in creating a destination bypass is to find the IP address of the site you want to allow to bypass the proxy. This can be done through several methods, the easiest of which is to simply ping the hostname. From a client machine, go to Start and click on Run. In the Run field type cmd to open a command prompt. Type ping support.esoft.com at the prompt as shown below and press Enter. You should receive a reply similar to the one below showing the IP address that support.esoft.com resolves to. This is the IP address you will need for your LAN firewall rule. In our example this IP is 199.45.143.23.

Note that ping shows only one address. If the site has several A records, or if your clients use a different DNS server from the machine you tested on, run nslookup support.esoft.com to list every address and plan for all of them (see section 1.3).
  • 7/27/2019 Lan Bypass

    4/10

    4

1.3 Creating the LAN Firewall Policy

The next step in setting up a destination bypass is to add a LAN firewall rule to allow the traffic past the default proxy rule. First, access the Firewall Policies page by clicking the Firewall Policies link under the Firewall menu. Click the Add button to add a policy. After naming the policy, set the Action to Accept and the Interface to LAN. It is best to leave logging disabled unless you are troubleshooting dropped packets at the firewall.

For a destination bypass you will typically leave the source address as the object ANY, as in the example above. However, there may be situations where you need to specify a network or host; only that host, or the clients on that network, would then be allowed to bypass the proxy for the destination IP you enter.

The destination address should be the IP address determined in section 1.2. Here you can see we've selected Network and entered 199.45.143.23, the IP address of support.esoft.com, into the IP address field. We've also entered the subnet mask 255.255.255.255 so the proxy will only be bypassed by traffic going to the single address 199.45.143.23. Some hostnames resolve to more than one IP address, so you may need to enter a subnet here, or create multiple policies. Keep the destination as narrow as possible: every address covered by this rule is reachable from the whole LAN without the proxy's filtering or logging, so a subnet wider than the site itself exempts unrelated hosts as well.

The last step in creating the firewall policy is to select the protocols you wish to be affected by the policy. By default, most browsers including Internet Explorer will proxy HTTP, HTTPS and FTP. In our example we will only be using HTTP and HTTPS, so they have been selected.
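As an added example (this is not eSoft's code and is not part of the original manual), the following Python script does the work of sections 1.2 and 1.3 for a site that resolves to several addresses: it resolves the hostname with getaddrinfo (ping shows only the first address), then compares the two options the manual mentions, one policy per address with mask 255.255.255.255 or a single policy covering the smallest subnet that holds them all, and reports how many unrelated addresses the subnet form would also exempt from the proxy. The hostname support.esoft.com and the address 199.45.143.23 come from the manual; any other addresses used with it are constructed sample data.

```python
"""Plan the destination entries for an InstaGate proxy-bypass policy.

Added example, not eSoft's code. The InstaGate UI takes a destination as
an IP address plus subnet mask. When a site resolves to several addresses
the manual offers two choices: one policy per address, or one policy that
covers a subnet. This script resolves the hostname and shows both, and
warns when the subnet form would also exempt addresses the site does not
use (those would be reachable from the whole LAN unfiltered and unlogged).
"""
import ipaddress
import socket
import sys


def resolve_ipv4(hostname):
    """All IPv4 addresses the local resolver returns (ping shows only one)."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    return sorted({sockaddr[0] for *_, sockaddr in infos})


def host_entries(addresses):
    """One policy per address: the IP with mask 255.255.255.255 (a /32)."""
    return sorted({(str(ipaddress.IPv4Address(a)), "255.255.255.255") for a in addresses})


def covering_subnet(addresses):
    """Smallest single subnet holding every address, as (network, dotted mask)."""
    if not addresses:
        raise ValueError("empty address list")
    hosts = [ipaddress.IPv4Address(a) for a in addresses]
    for prefix in range(32, -1, -1):            # widen until everything fits
        net = ipaddress.ip_network((int(hosts[0]), prefix), strict=False)
        if all(h in net for h in hosts):
            return str(net.network_address), str(net.netmask)
    raise ValueError("no covering subnet")      # unreachable: /0 holds everything


def plan_destination_bypass(addresses, max_extra_hosts=0):
    """Choose between per-host policies and one covering subnet.

    'extra_hosts' is how many addresses the covering subnet would exempt
    that the site does not actually use. The subnet form is recommended only
    when that number is within max_extra_hosts; otherwise create one policy
    per address so the bypass is no wider than the site.
    """
    net_addr, mask = covering_subnet(addresses)
    net = ipaddress.ip_network(f"{net_addr}/{mask}")
    extra = net.num_addresses - len(set(addresses))
    return {
        "per_host": host_entries(addresses),
        "subnet": (net_addr, mask),
        "extra_hosts": extra,
        "recommend": "subnet" if extra <= max_extra_hosts else "per_host",
    }


if __name__ == "__main__":
    # Usage: python bypass_plan.py support.esoft.com   (needs DNS access)
    name = sys.argv[1] if len(sys.argv) > 1 else "support.esoft.com"
    plan = plan_destination_bypass(resolve_ipv4(name))
    print(f"{name} resolves to {len(plan['per_host'])} address(es)")
    for ip, mask in plan["per_host"]:
        print(f"  per-host policy: destination {ip} mask {mask}")
    print(f"  single policy:   destination {plan['subnet'][0]} mask {plan['subnet'][1]}"
          f" (exempts {plan['extra_hosts']} unrelated address(es))")
    print(f"  recommended:     {plan['recommend']}")
```

Run it from a client that uses the same DNS server as the rest of the LAN, since the addresses that matter are the ones your clients will actually connect to. Two addresses as close together as 199.45.143.23 and 199.45.143.24 already need a /28 to cover both, which exempts fourteen addresses the site never uses; in that case the script recommends separate policies.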

1.4 Placement of the Bypass Policy

Firewall policies are acted on in order, from top to bottom. For the bypass to work, your firewall rule must be placed above the default proxy rule labeled Web Access*. This can be done by selecting your rule and using the UP button, or by using the drag and drop feature, and then clicking Apply. Our final LAN firewall configuration appears below.

1.5 Adding Exceptions to the Browser

The final step in creating a destination proxy bypass is to add an exception in the browser. The following describes the process of adding an exception in Microsoft Internet Explorer. For other browsers please refer to the documentation provided in the browser help menu.

The proxy settings for Internet Explorer are configured through Internet Options. If you are configured for Local or Microsoft Active Directory authentication, your browser should already be set to go through the proxy. If you are in transparent mode this step is not necessary.

First, access Internet Options either through the Control Panel or through Internet Explorer by clicking Tools and selecting Internet Options. Click on the Connections tab, then LAN settings. As in the screenshot above, you should see the box Use a proxy server for your LAN checked and the Address box filled in. Click the Advanced button. In the Exceptions box, enter the hostname of the site you are trying to bypass the proxy for. For this example we simply enter support.esoft.com. Click OK until you exit the Internet Options settings.

Note that the browser exception matches the name the user types into the address bar, not the IP address the firewall rule uses. If users reach the site by IP address, or the page loads content from other hostnames, those need their own exception entries (and, if they resolve to other addresses, their own firewall policies).

At this point you should be finished, and anyone who has the exception set appropriately should be bypassing the proxy for that site. If the page is still not working after this, check the Web Proxy log to verify that the requests are no longer being logged and that no other URLs need to be added.

PART TWO: BYPASS BY SOURCE

2.1 Source Bypasses

Part two demonstrates how to create a proxy bypass by source. When a client with a particular source IP address tries to access a website via HTTP, HTTPS or FTP, the connection bypasses the proxy. Machines with a source bypass should not have any proxy settings added to the browser. Because none of that machine's web traffic passes through the proxy, it is no longer filtered or logged either, so use a source bypass only where it is really needed and prefer a combination bypass (Part Three) when the destination is known.


2.2 Finding the Source IP Address

In most situations you will want to statically assign an IP address to the machine you are creating a source bypass for. This can be done by accessing the properties of your local area connection or wireless connection. Find the Internet Protocol (TCP/IP) item and choose Properties again. Here you can choose Use the following IP address and assign an address on your local network. If you use DHCP on your local network you can still create a source bypass; however, the bypass may stop working after the DHCP lease expires and the machine receives a different address, and whichever machine is then given the old address inherits the bypass. A DHCP reservation for the machine's MAC address avoids both problems. With DHCP, the current source address can be found by running ipconfig at a command prompt. For our example, we will use 10.10.10.10 as the source IP.

2.3 Creating the LAN Firewall Policy

The LAN firewall policy for a source bypass is very similar to a destination bypass, except that you specify the source rather than the destination. As you can see in the example on the following page, we have chosen all of the same options with the exception of two settings: we have specified the source address as 10.10.10.10 with the subnet mask 255.255.255.255, and we have changed the destination address to ANY. Next, select the protocols you wish to use for this policy, typically HTTP and HTTPS. Click Apply to save the policy.


2.4 Placement of the Bypass Policy

The LAN firewall policy that you have created must be moved above the default proxy rule, just as in part one. This can be done by selecting your rule and using the UP button, or by using the drag and drop feature, and then clicking Apply. After applying the change the source bypass should now work. Keep in mind that proxy settings should not be specified on the client machine.

PART THREE: COMBINATION BYPASSES

3.1 Combination Bypasses

There may be times when you want to allow only a certain host, or a certain group of hosts, to reach a certain destination unproxied while keeping all other traffic proxied. For this situation you would use a combination policy which, in essence, combines the policies from part one and part two: both a source and a destination IP are used in the firewall rule. This is the narrowest of the three bypasses and the one to prefer whenever the destination is known.

3.2 Finding the Source and Destination IP Addresses

For this type of policy we will be using both the source and destination IP. To find these IPs you will use the same process as in part one and part two: refer back to section 1.2 for finding the destination, or 2.2 for finding the source. In this example, we will use support.esoft.com, or 199.45.143.23, for the destination and 10.10.10.10 for the source IP address.

3.3 Creating the LAN Firewall Policy

The LAN firewall policy in this example is basically a combination of the destination and source bypass policies. After naming the rule and selecting Accept for the action, you will need to set the source IP address.


As shown, we have selected Network and specified the source address as 10.10.10.10 with the subnet mask 255.255.255.255. This ensures that only 10.10.10.10 is allowed to bypass the proxy.

Next, specify the destination you wish to bypass the proxy for. Here you can see we've selected Network and entered 199.45.143.23. We've also entered the subnet mask 255.255.255.255 so only traffic going to 199.45.143.23 from the source 10.10.10.10 will bypass the proxy. To finish the policy, select the protocols you wish to use for this policy, typically HTTP and HTTPS. Click Apply to save the policy.

3.4 Placement of the Bypass Policy

As with the other policies, this firewall policy must be moved above the default proxy rule. This can be done by selecting your rule and using the UP button, or by using the drag and drop feature, and then clicking Apply.

After applying the change the combination bypass should now work if you do not have proxy settings specified in your browser (transparent proxy). If you do have proxy settings assigned, follow the steps in section 1.5 to add an exception to the browser's proxy settings.
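The placement rule in sections 1.4, 2.4 and 3.4 is a first-match rule, and the failure mode is a bypass that sits below Web Access* and never fires. As an added example (not eSoft's code, and not a description of the unit's internals), the following Python model evaluates a policy list top to bottom for the three bypass types built in parts one to three and flags policies that an earlier policy completely shadows. The policy fields mirror the UI; representing Web Access* as a policy whose action is "proxy", and dropping traffic that matches nothing, are assumptions made for the model.

```python
"""First-match model of InstaGate LAN firewall policy ordering.

Added example, not eSoft's code. It models the rule stated in sections
1.4, 2.4 and 3.4: policies are acted on from top to bottom, so a bypass
policy only fires if it sits above the default 'Web Access*' rule. Policy
fields mirror the UI (action, source and destination as IP plus subnet
mask, protocol list). Assumptions: 'Web Access*' is represented as a policy
whose action is 'proxy', and traffic matching no policy is dropped; the
unit's real internals are not documented here.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(ip, mask="255.255.255.255"):
    """Network from the UI's 'IP address' and 'subnet mask' fields."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                         # 'accept', 'drop' or 'proxy'
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    protocols: tuple = ("http", "https", "ftp")

    def matches(self, src_ip, dst_ip, proto):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and proto in self.protocols)


def evaluate(policies, src_ip, dst_ip, proto):
    """(policy name, action) of the first matching policy, top to bottom."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, proto):
            return policy.name, policy.action
    return "implicit", "drop"


def shadowed(policies):
    """Names of policies that can never fire because an earlier policy already
    covers every packet they match. A bypass placed below 'Web Access*' shows
    up here, which is exactly the mistake the placement sections warn about."""
    names = []
    for i, policy in enumerate(policies):
        for earlier in policies[:i]:
            if (policy.src.subnet_of(earlier.src) and policy.dst.subnet_of(earlier.dst)
                    and set(policy.protocols) <= set(earlier.protocols)):
                names.append(policy.name)
                break
    return names


# The default proxy rule and the three bypasses from parts one to three,
# using the manual's example addresses.
WEB_ACCESS = Policy("Web Access*", "proxy")
DEST_BYPASS = Policy("bypass to support.esoft.com", "accept",
                     dst=net("199.45.143.23"), protocols=("http", "https"))
SRC_BYPASS = Policy("bypass from 10.10.10.10", "accept",
                    src=net("10.10.10.10"), protocols=("http", "https"))
COMBO_BYPASS = Policy("10.10.10.10 to support.esoft.com", "accept",
                      src=net("10.10.10.10"), dst=net("199.45.143.23"),
                      protocols=("http", "https"))


if __name__ == "__main__":
    wrong = [WEB_ACCESS, DEST_BYPASS]        # bypass left below the proxy rule
    right = [DEST_BYPASS, WEB_ACCESS]        # bypass moved above it
    for order in (wrong, right):
        print([p.name for p in order], "->",
              evaluate(order, "10.10.10.10", "199.45.143.23", "https"),
              "shadowed:", shadowed(order))
```

The shadow check is the useful part after an Apply: a bypass that appears in its output is positioned below a rule that already claims its traffic, so it is configured but inert. It also shows why the combination bypass is the tightest of the three: a request from any other source, or to any other destination, or over FTP, falls through to Web Access* and is proxied as before.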

TROUBLESHOOTING

If there are still problems loading the site, usually the page is attempting to access more than one URL. Watch the Web Proxy log to see what web traffic is being generated when you visit the site and adjust your policies and exceptions as necessary. Also keep in mind that a hostname may resolve to more than one IP address, and to different addresses depending on the DNS server being used, so check the resolution from the DNS server your clients use and not only from your own machine. Your policies may need to be configured to allow a network range or more than one IP address.

For other applications such as Java applets and different types of software, it may be necessary to enter the proxy settings and exceptions into the software itself. Refer to the documentation for your application for specifics. If you need assistance in creating a proxy bypass, please open a ticket with eSoft Technical Support at 877-754-2986 or online at http://support.esoft.com.
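Section 1.5 puts the bypassed site into the browser's Exceptions box, and the troubleshooting advice above is to read the Web Proxy log for hosts that still reach the proxy. As an added example (not eSoft's or Microsoft's code), the following Python script connects the two: it evaluates hostnames against an exception list written the way Internet Explorer stores it in the registry value ProxyOverride (entries separated by ";", "*" as a wildcard, and "<local>" for names without a dot), then sorts the hosts found in proxy log lines into those the exception list covers, which should not have been proxied at all, and those it does not, which are candidates to add. The matching is a simplified model built from the dialog's own wording ("addresses beginning with") and those documented tokens, so the finer details are an assumption to confirm against your browser; the log line layout is constructed for this example and is not the real Web Proxy log format.

```python
"""Check an Internet Explorer proxy exception list against proxy log traffic.

Added example, not eSoft's or Microsoft's code. ProxyOverride entries are
separated by ';', may contain '*' wildcards, and '<local>' matches names
without a dot. Matching here follows the dialog's wording ('addresses
beginning with') plus those tokens; treat it as an approximation. The log
line format (date time client method target status) is constructed for the
example, not the real Web Proxy log layout.
"""
import fnmatch
from urllib.parse import urlsplit


def parse_exceptions(override):
    """Split a ProxyOverride-style string into its individual entries."""
    return [e.strip() for e in override.split(";") if e.strip()]


def matches_exception(host, override):
    """True if the browser would send this host directly instead of to the proxy."""
    host = host.lower()
    for entry in parse_exceptions(override):
        entry = entry.lower()
        if entry == "<local>":
            if "." not in host:                  # plain names such as 'intranet'
                return True
        elif "*" in entry:
            if fnmatch.fnmatchcase(host, entry): # e.g. *.esoft.com
                return True
        elif host.startswith(entry):             # 'addresses beginning with'
            return True
    return False


def host_of(target):
    """Host part of a request target: a full URL, or host:port from a CONNECT."""
    if "://" in target:
        return urlsplit(target).hostname
    return target.rsplit(":", 1)[0]


def audit_log(log_lines, override):
    """Return (covered, uncovered): hosts seen at the proxy that the exception
    list already covers (so the client is not honouring it, or is in transparent
    mode) and hosts it does not cover (add them, or leave them proxied on purpose)."""
    covered, uncovered = set(), set()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue                              # not a request line
        host = host_of(fields[4])
        (covered if matches_exception(host, override) else uncovered).add(host)
    return sorted(covered), sorted(uncovered)


# Constructed sample log: a client loading support.esoft.com pulls in a second
# hostname, one request goes by IP address, and another client hits an intranet name.
SAMPLE_LOG = [
    "2012-03-01 10:02:11 10.10.10.10 GET http://support.esoft.com/ 200",
    "2012-03-01 10:02:12 10.10.10.10 GET http://cdn.esoft.com/style.css 200",
    "2012-03-01 10:02:13 10.10.10.10 CONNECT 199.45.143.23:443 200",
    "2012-03-01 10:02:15 10.10.10.12 GET http://intranet/ 200",
]

if __name__ == "__main__":
    exceptions = "support.esoft.com;<local>"     # what section 1.5 enters
    covered, uncovered = audit_log(SAMPLE_LOG, exceptions)
    print("covered by exceptions but still proxied:", covered)
    print("not covered, consider adding:", uncovered)
```

Two things the sample shows that the manual's steps do not: a request made by IP address (the CONNECT to 199.45.143.23) is not covered by a name entry, so the firewall bypass alone does not keep it away from the proxy when the browser is configured with a proxy; and a second hostname pulled in by the page (cdn.esoft.com here) needs its own entry and, if it resolves elsewhere, its own firewall policy. Keep entries specific: a bare prefix such as "10." silences the proxy for every address that starts with it.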