Cisco ScanSafe Web Security White Paper
Cisco CWS – Standalone Deployment Guide
specific DNS suffix on your client machines.
function FindProxyForURL(url, host) {
    var hostIP = dnsResolve(host);

    // If the requested website is hosted within the internal network
    // (plain host name, .local suffix, the RFC 1918 private ranges or loopback), send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(hostIP, "10.0.0.0", "255.0.0.0") ||
        isInNet(hostIP, "172.16.0.0", "255.240.0.0") ||
        isInNet(hostIP, "192.168.0.0", "255.255.0.0") ||
        isInNet(hostIP, "127.0.0.0", "255.0.0.0"))
        return "DIRECT";

    // If the hostname matches, send direct.
    // (Template rule, commented out; remove the // to activate it.)
    // if (dnsDomainIs(host, "vpn.domain.com") ||
    //     dnsDomainIs(host, "extranet.domain.com") ||
    //     dnsDomainIs(host, "abcdomain.com"))
    //     return "DIRECT";

    // If the URL or protocol matches, send direct.
    // (Template rule, commented out; remove the // to activate it.)
    // if (shExpMatch(url, "*.domainabc.com*") ||
    //     shExpMatch(url, "*.domainXYZ.com:*/*") ||
    //     url.substring(0, 4) == "ftp:")
    //     return "DIRECT";

    // If the IP address of the local machine is within a defined
    // subnet, send to a specific proxy.
    // if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
    //     return "PROXY 1.2.3.4:8080";

    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 1.2.3.4:8080; PROXY 5.6.7.8:8080";
}
Next is a set of isInNet(hostIP, "10.0.0.0", "255.0.0.0") functions that evaluate the defined variable hostIP against the RFC 1918 subnets and loopback. If the value of hostIP matches any of the four subnets, the function returns true. The logic of this if statement is designed to identify a web request intended for a host residing inside the local network and to allow that traffic to originate from the client rather than a tower.

The next if statement is completely commented out. To activate it, remove all the //. This if statement only performs dnsDomainIs matches, evaluating the host variable against static host names. You may provide a fully qualified domain name if you would like web traffic destined for that domain to originate from the client, or use a DNS host name to be more specific, such as cnn.com or images.google.com.

Activate the next if statement in order to configure it. Notice this if statement is if (shExpMatch(url, "*.domainabc.com*")). It evaluates URL strings to see if they are ftp requests. Due to the nature of wild cards, use caution when creating shExpMatch patterns. Make sure to at least include the fully qualified domain name and the leading period so as not to match erroneous fully qualified domain names.
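As an added example that is not part of the Cisco guide, the following Node.js script re-implements the PAC helper functions a browser normally supplies (isPlainHostName, dnsDomainIs, shExpMatch, isInNet) over a constructed DNS lookup table, so the bypass rules described above can be exercised offline before the PAC file is pushed to clients. The host names, addresses and proxy values are assumptions. It also shows the wild-card caution concretely: dropping the leading period from the shExpMatch pattern lets an unrelated host name satisfy the "send direct" rule, and a URL glob with a trailing * matches more than a dnsDomainIs suffix check on the host does.

```javascript
// Added example (not from the Cisco guide): a Node.js harness that
// re-implements the PAC helper functions a browser supplies, so the
// bypass rules of a PAC file can be unit-tested before deployment.

// --- Minimal PAC helper implementations ---
function isPlainHostName(host) {
  // A "plain" host name has no dots, e.g. "fileserver"
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // Suffix match on the host name, case-insensitive
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

function shExpMatch(str, shexp) {
  // Shell-style glob: "*" matches any run of characters, "?" one character.
  // Escape regex metacharacters first, then translate the glob wildcards.
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function isInNet(ip, pattern, mask) {
  // Unresolvable hosts (null) never match, mirroring browser behaviour
  if (typeof ip !== "string" || !/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// Constructed DNS table standing in for the browser's dnsResolve()
const FAKE_DNS = {
  "intranet.corp.example": "10.20.30.40",
  "www.domainabc.com": "203.0.113.10",
  "evildomainabc.com": "198.51.100.7",
};
function dnsResolve(host) {
  return FAKE_DNS[host] || null;
}

// RFC 1918 private ranges plus loopback, as the guide's isInNet block checks
const INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"],
];

// Same rule order as the guide's PAC file; domains and proxies are placeholders
function FindProxyForURL(url, host) {
  const hostIP = dnsResolve(host);

  // Internal destinations bypass the cloud proxy
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      INTERNAL_NETS.some(([net, mask]) => isInNet(hostIP, net, mask))) {
    return "DIRECT";
  }
  // Static host-name bypass (the guide's dnsDomainIs template rule)
  if (dnsDomainIs(host, "vpn.domain.com") || dnsDomainIs(host, "extranet.domain.com")) {
    return "DIRECT";
  }
  // URL-pattern and protocol bypass (the guide's shExpMatch template rule)
  if (shExpMatch(url, "*.domainabc.com*") || url.substring(0, 4) === "ftp:") {
    return "DIRECT";
  }
  return "PROXY 1.2.3.4:8080; PROXY 5.6.7.8:8080";
}

// Why the leading period matters: compare a loose pattern, the guide's
// pattern, and a host-suffix check for the same URL/host pair.
function wildcardComparison(url, host) {
  return {
    loose: shExpMatch(url, "*domainabc.com*"),     // no leading period
    strict: shExpMatch(url, "*.domainabc.com*"),   // as written in the guide
    hostSuffix: dnsDomainIs(host, ".domainabc.com"),
  };
}

function printSamples() {
  const samples = [
    ["http://fileserver/", "fileserver"],
    ["http://intranet.corp.example/", "intranet.corp.example"],
    ["http://www.domainabc.com/page", "www.domainabc.com"],
    ["ftp://files.example.net/", "files.example.net"],
    ["https://www.example.net/", "www.example.net"],
  ];
  for (const [url, host] of samples) {
    console.log(url.padEnd(32), "->", FindProxyForURL(url, host));
  }
  console.log("evildomainabc.com:", wildcardComparison("http://evildomainabc.com/", "evildomainabc.com"));
}
printSamples();
```

Run it with node and read the last line: the loose pattern matches http://evildomainabc.com/ while the guide's pattern with the leading period and the dnsDomainIs check both reject it. Note that the trailing * in a URL glob still matches a host such as www.domainabc.com.other.example, whereas dnsDomainIs(host, ".domainabc.com") does not; when the intent is "this domain and its subdomains", a suffix check on the host variable is the tighter rule to deploy.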