Cisco Web Security Appliance S660 User Guide

IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
BYPASSING THE WEB PROXY
You can configure the Web Security appliance so client requests to or from particular 
addresses bypass all processing by the Web Proxy. The proxy bypass list only works for 
requests that are transparently redirected to the Web Proxy using an L4 switch or a WCCP v2 
router. When the appliance is deployed in explicit forward mode, or when a client makes an 
explicit request to the Web Proxy, the request is processed by the Web Proxy.
You might want to create a proxy bypass list to accomplish any of the following:
• Prevent the Web Proxy from interfering with non-HTTP-compliant (or proprietary) 
protocols using HTTP ports that do not work properly when they connect to a proxy 
server. 
• Ensure that traffic from a particular machine inside the network, such as a malware test 
machine, bypasses the Web Proxy and all its built-in security protection.
Define the proxy bypass list on the Web Security Manager > Proxy Bypass page.
Figure 5-3 shows a sample proxy bypass list.
Figure 5-3 Proxy Bypass List
To include an address in the proxy bypass list, click Edit Settings. You can enter multiple 
addresses separated by line breaks or commas. You can enter addresses using any of the 
following formats:
• IP address, such as 10.1.1.0
• CIDR address, such as 10.1.1.0/24
• Host name, such as crm.example.com
• Domain name, such as example.com
Note — For the proxy bypass list to work with domain names, you need to connect the T1 
and T2 network interfaces to the network even if you do not enable the L4 Traffic Monitor. For 
more information, see “How the Proxy Bypass List Works” on page 81.
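An added example, not part of the Cisco guide: a Python pre-check for a list you are about to paste into Edit Settings, which classifies each entry into the formats listed above and flags invalid entries, duplicates and broad CIDR ranges. The /24 review threshold, the IPv4-only handling and the sample entries are assumptions of this example, and it does not reproduce the appliance's own validation.

```python
import ipaddress
import re

# Constructed sample in the formats the guide lists (comma or line-break separated).
SAMPLE = """10.1.1.0, 10.1.1.0/24
crm.example.com
example.com, 10.0.0.0/8, bad_entry!, 10.1.1.0
"""

# Assumption of this example: prefixes shorter than /24 deserve a manual review.
MIN_PREFIX = 24
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify(entry):
    """Return 'ip', 'cidr', 'name' (host or domain) or 'invalid' for one entry."""
    try:
        if "/" in entry:
            ipaddress.IPv4Network(entry, strict=False)
            return "cidr"
        ipaddress.IPv4Address(entry)
        return "ip"
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    # Require two or more labels and a non-numeric last label, so a
    # mistyped address such as 10.1.1 is not accepted as a host name.
    ok = len(labels) >= 2 and all(LABEL.match(l) for l in labels) and not labels[-1].isdigit()
    return "name" if ok else "invalid"

def audit(text):
    """Split on commas and line breaks; return (entries, findings)."""
    entries, findings, seen = [], [], set()
    for entry in filter(None, (r.strip() for r in re.split(r"[,\r\n]+", text))):
        kind = classify(entry)
        entries.append((entry, kind))
        if kind == "invalid":
            findings.append((entry, "not an IP, CIDR, host or domain name"))
        elif entry.lower() in seen:
            findings.append((entry, "duplicate entry"))
        elif kind == "cidr" and ipaddress.IPv4Network(entry, strict=False).prefixlen < MIN_PREFIX:
            findings.append((entry, "broad range bypasses all Web Proxy processing"))
        seen.add(entry.lower())
    return entries, findings

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE)[1]:
        print(f"REVIEW {entry}: {reason}")
```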
When transactions bypass the Web Proxy, AsyncOS for Web records them in the proxy bypass 
logs. For more information about logging, see “Working with Log Subscriptions” on page 428.
Note — If the proxy bypass list contains an address that is a known malware address 
according to the L4 Traffic Monitor and the L4 Traffic Monitor sees a request for that address, 
then the request will still be blocked by the L4 Traffic Monitor. If you want to ensure traffic to 
that address is always allowed, you must also bypass the address from the L4 Traffic Monitor. 
For more information, see “How the L4 Traffic Monitor Works” on page 387.