Cisco Web Security Appliance S170 User Guide

IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
USING THE WEB SECURITY APPLIANCE IN AN EXISTING PROXY ENVIRONMENT
The Web Security appliance is a proxy-compatible device, and is easily deployed within an 
existing proxy environment. However, it is recommended that you place the appliance 
downstream from existing proxy servers, meaning closer to the clients. 
You can configure the appliance to work with an existing, upstream proxy in the System Setup 
Wizard or after the initial setup in the web interface. Use the Network > Upstream Proxies 
page to enable an upstream proxy or to modify existing settings. 
When configuring an upstream proxy, you specify whether the existing proxy is in transparent 
or explicit forward mode.
Transparent Upstream Proxy
If a transparent upstream proxy uses client IP addresses to manage user authentication and 
access control, you must enable IP spoofing on the Web Security appliance to send client IP 
addresses to the upstream proxy. Use the Security Services > Proxy Settings page to enable IP 
spoofing.
When you enable IP spoofing and connect the appliance to a WCCP router, you must create 
at least two WCCP services. For more information about configuring WCCP services when 
you enable IP spoofing, see “IP Spoofing when Using WCCP” on page 477.
Explicit Forward Upstream Proxy
If the upstream proxy is in explicit forward mode, consider the following rules and guidelines:
• You must enter the IP address or host name and port of the upstream proxy.
• Consider whether the host name of the upstream proxy resolves to multiple IP addresses. 
The Web Security appliance queries the DNS server for the IP address only at startup. If an 
IP address is added to or removed from that host name, the proxy must restart to resolve the 
host name again and use the new set of IP addresses. 
• If the upstream proxy manages user authentication or access control using proxy 
authentication, you must enable the X-Forwarded-For header to send the client host 
header to the upstream proxy. Use the Security Services > Proxy Settings page to enable 
the X-Forwarded-For header setting.
• If you want to send authentication credentials to an upstream proxy when the Web 
Security appliance is deployed in explicit forward mode, you must configure the Web 
Proxy to forward authorization request headers to a parent proxy server using the 
advancedproxyconfig > authentication CLI command.
Note — By default, the Web Proxy does not forward proxy authorization headers to 
upstream proxy servers for security reasons.
• If the upstream proxy manages client traffic using a PAC file or a login script, you must 
update these files to use the IP address or host name of the Web Security appliance.
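
As an added illustration of the PAC file update described in the last item (not taken from the guide), the following PAC logic sends Internet-bound requests to the Web Security appliance and lets internal destinations go direct. The appliance host name and port, the internal DNS suffix and the internal address ranges are constructed placeholders, and the helper functions are written in plain JavaScript so the file does not depend on browser-supplied PAC helpers.

```javascript
// Added example PAC file. All host names, domains, ports and address
// ranges below are constructed placeholders, not values from the guide.
var WSA = "PROXY wsa.example.com:3128";           // assumed appliance listener
var INTERNAL_SUFFIXES = [".corp.example.com"];     // assumed internal DNS zone
var INTERNAL_NETS = [["10.0.0.0", 8], ["192.168.0.0", 16], ["127.0.0.0", 8]];

// Convert a dotted-quad string to an unsigned 32-bit integer, or null.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ipInt falls inside base/bits (compares the network prefixes).
function inNet(ipInt, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ipInt / size) === Math.floor(ipv4ToInt(base) / size);
}

function isInternal(host) {
  host = host.toLowerCase();
  // Unqualified intranet name; IPv6 literals contain ":" and are excluded.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (inNet(ip, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
    }
    return false;
  }
  for (var j = 0; j < INTERNAL_SUFFIXES.length; j++) {
    var suf = INTERNAL_SUFFIXES[j];   // leading dot stops "evilcorp..." matching
    if (host.slice(-suf.length) === suf) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the appliance is unreachable the request
  // fails instead of bypassing the appliance.
  return WSA;
}
```

Listing DIRECT as a fallback after the PROXY entry would let clients reach the Internet without passing through the appliance whenever it is unreachable, so decide deliberately whether that behavior is acceptable.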