Cisco Web Security Appliance S660 User Guide

Chapter 5: Web Proxy Services
How the Proxy Bypass List Works
When the Web Proxy receives an HTTP or HTTPS request, it checks both the source and 
destination IP addresses against the proxy bypass list. If there is a match, the packet is sent to 
the next hop on the network. (In some cases, if the packet arrived on a WCCP service using GRE, 
it is sent back to the transparent redirection device that redirected it.)
The proxy bypass list works by matching the IP addresses of the request to an IP address in the 
proxy bypass list. When names are entered in the bypass list, the Web Proxy must resolve 
them to an IP address using DNS. The Web Proxy DNS resolves host names differently than 
domain names:
• Host names. Host names are resolved to IP addresses using DNS queries immediately 
after they are entered into the proxy bypass list. (An example host name is 
www.example.com.)
• Domain names. Domain names cannot be resolved to IP addresses using DNS queries, so 
the Web Proxy instead relies on DNS snooping on the T1 and T2 network interfaces. (An example 
domain name is example.com, and it matches both www.example.com and 
webmail.example.com.)
Because of these differences, if the proxy bypass list contains only IP addresses and host 
names, then the Web Proxy can easily match the IP address in the request header to the IP 
addresses in the proxy bypass list.
However, for the proxy bypass list to work with domain names, you must connect both the T1 
and T2 network interfaces (if using simplex mode) or just the T1 network interface (if 
using duplex mode) to the network, even if you do not enable the L4 Traffic Monitor. Note that 
the proxy bypass list only bypasses Web Proxy scanning. It does not bypass the L4 Traffic 
Monitor.
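An added example (not from the Cisco guide and not Cisco's implementation) that models the matching described above in Python: IP entries match directly, host names are resolved once on entry, and domain entries match nothing until a DNS answer for a name under that domain has been observed. The class and method names, the explicit entry kinds, and the rule that a match on either address is sufficient are assumptions made for illustration.

```python
import ipaddress

class BypassList:
    """Toy model of the matching described above; not Cisco's implementation."""
    def __init__(self, resolve):
        self.resolve = resolve   # callable: host name -> list of IP strings
        self.ips = set()         # addresses that currently trigger a bypass
        self.domains = set()     # domain entries, usable only via snooped DNS

    def add(self, kind, value):
        # Assumption: the caller states each entry's kind explicitly.
        if kind == "ip":
            self.ips.add(ipaddress.ip_address(value))
        elif kind == "host":
            # Host names are resolved once, immediately on entry.
            self.ips.update(ipaddress.ip_address(a) for a in self.resolve(value))
        elif kind == "domain":
            self.domains.add(value.lower().rstrip("."))
        else:
            raise ValueError(f"unknown entry kind: {kind}")

    def snoop(self, qname, answers):
        """Feed one DNS answer seen on the wire (the role of T1/T2)."""
        name = qname.lower().rstrip(".")
        # Match on a label boundary so notexample.org never matches example.org.
        if any(name == d or name.endswith("." + d) for d in self.domains):
            self.ips.update(ipaddress.ip_address(a) for a in answers)
            return True
        return False

    def bypasses(self, src, dst):
        # Assumption: a match on either address is enough to bypass.
        return bool({ipaddress.ip_address(src), ipaddress.ip_address(dst)} & self.ips)

FAKE_DNS = {"www.example.com": ["192.0.2.10"]}  # constructed sample data

def demo():
    bl = BypassList(lambda host: FAKE_DNS.get(host, []))
    bl.add("ip", "198.51.100.7")
    bl.add("host", "www.example.com")
    bl.add("domain", "example.org")
    before = bl.bypasses("10.0.0.5", "203.0.113.20")  # nothing snooped yet
    lookalike = bl.snoop("notexample.org", ["203.0.113.99"])
    bl.snoop("webmail.example.org", ["203.0.113.20"])
    after = bl.bypasses("10.0.0.5", "203.0.113.20")
    return before, lookalike, after, bl.bypasses("10.0.0.5", "192.0.2.10")

if __name__ == "__main__":
    print(demo())
```

In this model the domain entry has no effect until a matching DNS answer is seen, which mirrors why the interfaces must be connected for domain names to work.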
Note — Some WCCP routers acting as the transparent redirection device are intelligent enough 
not to forward any further packets of the same session to the Web Proxy. In this case, the packets 
are not physically sent to the Web Proxy and truly bypass it for the rest of the session.
Using WCCP with the Proxy Bypass List
When the Web Security appliance is configured to use a WCCP v2 router, you must ensure 
that all WCCP services defined in the Web Security appliance use the same forwarding and 
return method (either L2 or GRE) to work properly with the proxy bypass list. If the forwarding 
and return methods do not match, some WCCP-enabled routers will act inconsistently.