Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 3 Deployment
You can configure the appliance to work with an existing, upstream proxy in the System Setup Wizard
or after the initial setup in the web interface. Use the Network > Upstream Proxies page to enable an
upstream proxy or to modify existing settings.
When configuring an upstream proxy, you specify whether the existing proxy is in transparent or explicit
forward mode.
Transparent Upstream Proxy
If a transparent upstream proxy uses client IP addresses to manage user authentication and access
control, you must enable IP spoofing on the Web Security appliance to send client IP addresses to the
upstream proxy. Use the Security Services > Web Proxy page to enable IP spoofing.
When you enable IP spoofing and connect the appliance to a WCCP router, you must create at least two
WCCP services. For more information about configuring WCCP services when you enable IP spoofing,
see
.
Explicit Forward Upstream Proxy
If the upstream proxy is in explicit forward mode, consider the following rules and guidelines:
• You must enter the IP address or hostname and port of the upstream proxy.
• Consider whether the hostname of the upstream proxy resolves to multiple IP addresses. The Web Security appliance only queries the DNS server for the IP address at startup. If an IP address is added or removed from that hostname, the proxy must restart to resolve and add the hostname to the new set of IP addresses.
• If the upstream proxy manages user authentication or access control using proxy authentication, you must enable the X-Forwarded-For header to send the client host header to the upstream proxy. Use the Security Services > Web Proxy page to enable the X-Forwarded-For header setting.
• If you want to send authentication credentials to an upstream proxy when the Web Security appliance is deployed in explicit forward mode, you must configure the Web Proxy to forward authorization request headers to a parent proxy server using the advancedproxyconfig > authentication CLI command.
Note
By default, the Web Proxy does not forward proxy authorization headers to upstream proxy servers for security reasons.
• If the upstream proxy manages client traffic using a PAC file or a login script, you must update these files to use the IP address or hostname of the Web Security appliance.
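The guideline above about upstream proxy hostnames that resolve to multiple IP addresses can be monitored from an administration host. The following is an added example, not code from Cisco or from this guide: it compares the address set recorded at the last Web Proxy restart with what DNS returns now. The hostname, port, addresses and function names are assumptions constructed for illustration.

```python
import socket

def resolve_all(hostname, port, resolver=socket.getaddrinfo):
    """Return the set of IPs a hostname resolves to, or None if the lookup fails."""
    try:
        infos = resolver(hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return None
    # Each entry is (family, type, proto, canonname, sockaddr); sockaddr[0] is the IP.
    return {info[4][0] for info in infos}

def upstream_drift(startup_ips, hostname, port, resolver=socket.getaddrinfo):
    """Compare the addresses recorded at the last proxy restart with current DNS."""
    startup = set(startup_ips)
    current = resolve_all(hostname, port, resolver)
    if current is None:
        # A failed lookup is reported separately, not as "every address removed".
        return {"resolved": False, "added": [], "removed": [], "restart_needed": False}
    return {
        "resolved": True,
        "added": sorted(current - startup),    # in DNS now, not known to the proxy
        "removed": sorted(startup - current),  # known to the proxy, gone from DNS
        "restart_needed": current != startup,
    }

# Constructed sample data: documentation address ranges, hypothetical hostname.
STARTUP_IPS = ["192.0.2.10", "192.0.2.11"]

def fake_resolver(host, port, proto=0):
    """Stand-in for socket.getaddrinfo so the example runs offline."""
    if host != "upstream-proxy.example.com":
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return [
        (socket.AF_INET, socket.SOCK_STREAM, proto, "", ("192.0.2.10", port)),
        (socket.AF_INET, socket.SOCK_STREAM, proto, "", ("192.0.2.12", port)),
        (socket.AF_INET6, socket.SOCK_STREAM, proto, "", ("2001:db8::12", port, 0, 0)),
    ]

if __name__ == "__main__":
    print(upstream_drift(STARTUP_IPS, "upstream-proxy.example.com", 3128, fake_resolver))
```

Omit the `resolver` argument to query real DNS; a result with `restart_needed` set means the address set in use since startup no longer matches the hostname.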
Deploying the L4 Traffic Monitor
L4 Traffic Monitor (L4TM) deployment is independent of the Web Proxy deployment. When connecting
and deploying the L4 Traffic Monitor, consider the following:
• Physical connection. You can choose how to connect the L4 Traffic Monitor to the network. For more information, see