Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 5 Web Proxy Services
Bypassing the Web Proxy
Figure 5-1 Proxy Bypass List
To include an address in the proxy bypass list, click Edit Proxy Bypass Settings. You can enter multiple
addresses separated by line breaks or commas. You can enter addresses using any of the following
formats:
• IP address, such as 10.1.1.0
• CIDR address, such as 10.1.1.0/24
• Hostname, such as crm.example.com
• Domain names, such as example.com
Note
For the proxy bypass list to work with domain names, you need to connect the T1 and T2 network
interfaces to the network even if you do not enable the L4 Traffic Monitor. For more information, see
.
When transactions bypass the Web Proxy, AsyncOS for Web records them in the proxy bypass logs. For
more information about logging, see
Note
If the proxy bypass list contains an address that is a known malware address according to the L4 Traffic
Monitor and the L4 Traffic Monitor sees a request for that address, then the request will still be blocked
by the L4 Traffic Monitor. If you want to ensure traffic to that address is always allowed, you must also
bypass the address from the L4 Traffic Monitor. For more information, see
Understanding How the Proxy Bypass List Works
When the Web Proxy receives an HTTP or HTTPS request, it checks both the source and destination IP
address to see if it is in the proxy bypass list. If it is, the packet is sent to the next hop on the network.
(In some cases, the packet is sent back to the transparent redirection device that redirected the packet, if
the packet arrived on a WCCP service using GRE.)
The proxy bypass list works by matching the IP addresses of the request to an IP address in the proxy
bypass list. When names are entered in the bypass list, the Web Proxy must resolve them to an IP address
using DNS. The Web Proxy DNS resolves hostnames differently than domain names:
• Hostnames. Hostnames are resolved to IP addresses using DNS queries immediately after they are
entered into the proxy bypass list. (An example hostname is www.example.com.)
• Domain names. Domain names cannot be resolved to IP addresses using DNS queries, so the Web
Proxy uses DNS snooping using the T1 and T2 network interfaces. (An example domain name is
example.com, and it matches both www.example.com and webmail.example.com.)
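
The following Python sketch is an added example, not AsyncOS code: it models the matching described above so that an administrator can audit which flows a given bypass list would exclude from proxy inspection. The function names, the sample list and the `DNS_VIEW` table are constructed for illustration. It assumes that a match on either the source or the destination address is enough, and it treats every name entry as covering its subdomains, which over-approximates for hostname entries.

```python
import ipaddress
import re

# Constructed sample input: a bypass list in the formats described above.
SAMPLE_LIST = "10.1.1.0, 10.2.0.0/24\ncrm.example.com\nexample.org"
# Constructed stand-in for what DNS queries and DNS snooping would reveal.
DNS_VIEW = {
    "crm.example.com": ["192.0.2.10"],
    "webmail.example.org": ["198.51.100.6"],
    "notexample.org": ["203.0.113.9"],
}

def parse_bypass_list(text):
    """Split on commas and line breaks; return (networks, names)."""
    networks, names = [], []
    for raw in re.split(r"[,\r\n]+", text):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False accepts a bare IP (as a /32) and a CIDR block.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry.lower().rstrip("."))
    return networks, names

def name_covers(entry, fqdn):
    """True if fqdn equals the entry or is a subdomain of it (label-aligned)."""
    fqdn = fqdn.lower().rstrip(".")
    return fqdn == entry or fqdn.endswith("." + entry)

def expand_names(names, dns_view):
    """Collect every IP whose observed name is covered by a name entry."""
    ips = set()
    for fqdn, addrs in dns_view.items():
        if any(name_covers(n, fqdn) for n in names):
            ips.update(ipaddress.ip_address(a) for a in addrs)
    return ips

def bypasses(src, dst, networks, name_ips):
    """Assumption: a match on either the source or the destination bypasses."""
    for addr in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        if addr in name_ips or any(addr in net for net in networks):
            return True
    return False
```

Running the audit against a real export of the bypass list and recent DNS logs shows how many destinations a single domain entry places outside proxy inspection.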