Cisco Cisco Web Security Appliance S690 User Guide
D E P L O Y I N G T H E W E B P R O X Y I N E X P L I C I T F O R W A R D M O D E
C H A P T E R 3 : D E P L O Y M E N T
33
D E P L OY I N G T H E WE B P R O X Y I N E X P L I C I T FO R WA R D M O D E
When the appliance is configured as an explicit forward proxy, client applications must be
configured to direct its traffic to the appliance. When you want to configure the Web Proxy in
explicit forward mode, you must configure the following components:
configured to direct its traffic to the appliance. When you want to configure the Web Proxy in
explicit forward mode, you must configure the following components:
• Client applications
• Appliance ports
Tip — If your organization needs to use explicit forward mode now, but might need
transparent mode in the future, consider deploying the Web Proxy in transparent mode and
then choosing L4 switch as the connection type. If you do not have an L4 switch, you can
connect the appliance to the network normally and the appliance will work in explicit
forward mode. When the Web Proxy is deployed in transparent mode, it can accept both
transparently redirected and explicitly forwarded transactions. To use transparent mode in the
future, you can connect the appliance to an L4 switch and it will work in transparent mode
without needing to change the Web Proxy mode later. However, it is easy to change the
deployment mode at any time on the Security Services > Proxy Settings page.
transparent mode in the future, consider deploying the Web Proxy in transparent mode and
then choosing L4 switch as the connection type. If you do not have an L4 switch, you can
connect the appliance to the network normally and the appliance will work in explicit
forward mode. When the Web Proxy is deployed in transparent mode, it can accept both
transparently redirected and explicitly forwarded transactions. To use transparent mode in the
future, you can connect the appliance to an L4 switch and it will work in transparent mode
without needing to change the Web Proxy mode later. However, it is easy to change the
deployment mode at any time on the Security Services > Proxy Settings page.
Configuring Client Applications
You must configure all client applications, such as web browsers and FTP clients, used on the
network to point to the Web Proxy. You can configure each client in the following ways:
network to point to the Web Proxy. You can configure each client in the following ways:
• Manual. Configure each client application to point the appliance Web Proxy by
specifying the appliance host name or IP address and the port number, such as 3128, used
for listening to data traffic.
for listening to data traffic.
• Automatic. Configure each client application to use a PAC file to detect the appliance
Web Proxy automatically. Then you can edit the PAC file to specify the appliance Web
Proxy information. PAC files work with web browsers only. For more information, see
“Working with PAC Files” on page 84.
Proxy information. PAC files work with web browsers only. For more information, see
“Working with PAC Files” on page 84.
Connecting Appliance Interfaces
You can connect the P1 interface or both the P1 and P2 interfaces to a network switch using
an Ethernet cable. You do not need special hardware, such as a particular switch or router. For
more information about how to connect the data interfaces (P1 and P2), see “Data Interfaces”
on page 30.
an Ethernet cable. You do not need special hardware, such as a particular switch or router. For
more information about how to connect the data interfaces (P1 and P2), see “Data Interfaces”
on page 30.
Testing an Explicit Forward Configuration
If you want to test an explicit forward proxy configuration, you can separate and forward
traffic from a subset of your network infrastructure. To individually test this configuration,
clients can forward traffic to the appliance from one web browser and connect to the Internet
using another web browser. This method also ensures an alternate path to the Internet while
testing.
traffic from a subset of your network infrastructure. To individually test this configuration,
clients can forward traffic to the appliance from one web browser and connect to the Internet
using another web browser. This method also ensures an alternate path to the Internet while
testing.