Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 5 Web Proxy Services
Bypassing the Web Proxy
you want to ensure traffic to that address is always allowed, you must also bypass
the address from the L4 Traffic Monitor. For more information, see
.
How the Proxy Bypass List Works
When the Web Proxy receives an HTTP or HTTPS request, it checks both the
source and destination IP address to see if it is in the proxy bypass list. If it is, the
packet is sent to the next hop on the network. (In some cases, the packet is sent
back to the transparent redirection device that redirected the packet, if the packet
arrived on a WCCP service using GRE.)
The proxy bypass list works by matching the IP addresses of the request to an IP
address in the proxy bypass list. When names are entered in the bypass list, the
Web Proxy must resolve them to an IP address using DNS. The Web Proxy
resolves hostnames differently than domain names:
• Hostnames. Hostnames are resolved to IP addresses using DNS queries
immediately after they are entered into the proxy bypass list. (An example
hostname is www.example.com.)
• Domain names. Domain names cannot be resolved to IP addresses using
DNS queries, so the Web Proxy relies on DNS snooping on the T1 and T2
network interfaces. (An example domain name is example.com, and it
matches both www.example.com and webmail.example.com.)
Because of these differences, if the proxy bypass list contains only IP addresses
and hostnames, then the Web Proxy can easily match the IP address in the request
header to the IP addresses in the proxy bypass list.
However, for the proxy bypass list to work with domain names, you must connect
both the T1 and T2 network interfaces (if using simplex mode) or just connect the
T1 network interface (if using duplex mode) to the network even if you do not
enable the L4 Traffic Monitor. Note that the proxy bypass list only bypasses
Web Proxy scanning. It does not bypass the L4 Traffic Monitor.
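The matching behaviour described above, sketched as a simplified Python model. This is an added example, not Cisco or AsyncOS code; the class and method names, the resolver callable, the either-address match rule and the sample addresses are assumptions made for illustration.

```python
import ipaddress

class ProxyBypassModel:
    """Simplified model of the bypass matching described above."""

    def __init__(self, resolver):
        self.resolver = resolver   # hypothetical callable: hostname -> [IP strings]
        self.bypass_ips = set()    # matching is always done on IP addresses
        self.domains = set()       # domain entries, filled in by DNS snooping

    def add_ip(self, ip):
        self.bypass_ips.add(ipaddress.ip_address(ip))

    def add_hostname(self, hostname):
        # Hostnames are resolved by DNS query as soon as they are entered.
        for ip in self.resolver(hostname):
            self.add_ip(ip)

    def add_domain(self, domain):
        # Domains cannot be queried directly; they wait for snooped answers.
        self.domains.add(domain.lower().rstrip("."))

    def snoop_dns_answer(self, qname, ip):
        # Models one DNS answer observed on the T1/T2 interfaces.
        name = qname.lower().rstrip(".")
        # Assumption: the bare domain matches as well as its subdomains.
        if any(name == d or name.endswith("." + d) for d in self.domains):
            self.add_ip(ip)
            return True
        return False

    def should_bypass(self, src_ip, dst_ip):
        # Assumption: a match on either address is enough to bypass.
        addrs = {ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)}
        return bool(addrs & self.bypass_ips)

def demo():
    # Constructed sample data using documentation address ranges.
    static_dns = {"www.example.com": ["192.0.2.10"]}
    model = ProxyBypassModel(lambda host: static_dns.get(host, []))
    model.add_hostname("www.example.com")
    model.add_domain("example.net")
    client, mail_ip = "10.0.0.5", "203.0.113.20"
    before = model.should_bypass(client, mail_ip)  # no answer snooped yet
    model.snoop_dns_answer("webmail.example.net", mail_ip)
    after = model.should_bypass(client, mail_ip)
    return before, after, model.should_bypass(client, "192.0.2.10")

if __name__ == "__main__":
    print(demo())
```

In this model a domain entry matches nothing until a DNS answer for it has been observed, which is why the T1/T2 interfaces must be connected for domain names to work.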
Note
If the transparent redirection device is a WCCP router, it may be intelligent
enough not to forward any further packets to the Web Proxy for the same session.
In this case, the packets are not physically sent to the Web Proxy for the rest of
the session and truly bypass it.