Explicit proxy setup - quick start guide

Article ID: 165731

Products

ProxySG Software - SGOS

Issue/Introduction

Workflow (summary of tasks) to allow clients to connect to a ProxySG explicitly.

Resolution

  1. Power on the proxy, connect the null-modem serial cable, and press the <space> key 3 times when prompted to reach the “setup menu”.
  2. Select it, follow the setup wizard, and enter the networking basics: IP address, gateway, DNS, and admin name and password.
    Note: When prompted, it is usually best to NOT secure the console port, unless you are 100% sure you will not lose the password. Also, there is usually no need to restrict admin access by IP, unless you are 100% sure you will always access from the same range or IP address.
  3. The proxy will now confirm that it is ready to be accessed at https://x.x.x.x:8082
  4. Plug the proxy into the network where it can reach the default gateway you configured.
  5. Access it via the URL mentioned above. You should get the proxy GUI with 3 tabs: Configuration / Statistics / Maintenance.
  6. Before client browsers can use the proxy, you have to set up an allow rule in policy. For testing, you can use the default allow under Configuration > Policy > Policy options > default policy = allow, then click “apply changes”.
  7. Test access from an internal client browser by adding the proxy's IP to the browser's proxy settings. If this fails, check the following:
    1. Ping the proxy from the client to check the network connection. If that is OK, then...
      1. Configure the proxy to intercept the traffic. Under Configuration > Services > Proxy Services, look for the port number the client browser is sending its requests on (by default 80 or 8080, usually defined as “Explicit HTTP”) and set it to “intercept”. This is the most basic configuration possible to have a working explicit proxy.
  8. Most customers want one or more of these dependent features:
    1. Authentication - Define the authentication server (usually your DC) under Configuration > authentication > realms – see below for the required policy.
      1. ICAP content filtering – define the proxy AV or ICAP scanner IP under Configuration > External services > ICAP – see below for the required policy.
      2. Web page categorizer, like Blue Coat Web Filter, or Websense or any supported content filtering vendor. You must enable the provider and have a valid license to download the database so that you can create policy and lookup the category for a Web request. For the configuration options, see Configuration > Content filtering > General.
  9. You are now ready to fine-tune your policy with the Visual Policy Manager (VPM). Click Configuration > Policy > VPM > Launch. Create the following policy:
    1. To authenticate users: Select Policy > Add Authentication layer > define source and destination (usually All), and action = force authenticate using the auth realm you created in 8.1.
      1. To send traffic for ICAP scanning: Select Policy > Add web content layer > action = send to ICAP scan, using the ICAP object defined under 8.1.1.
      2. Create a web access layer to allow traffic according to source and destination (probably using the website categories as per 8.1.2), and then set the default action to Allow.
      3. Set the default policy on the ProxySG to Allow requests. In the Management Console, select Configuration > Policy > Policy options and set the Default Proxy Policy to Allow.
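
A client-side check for step 7, as an added example that is not part of the original article or of the product: it sends one request through the proxy the way an explicitly configured browser would and names the step to re-check. The function names, the sample responses and the mapping of results to steps are assumptions based on generic HTTP proxy behaviour, not documented ProxySG output.

```python
import socket

# Constructed sample replies (not captured from a real appliance).
SAMPLES = {
    "auth": b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b"Proxy-Authenticate: Basic realm=\"example\"\r\n\r\n",
    "deny": b"HTTP/1.1 403 Forbidden\r\n\r\n",
    "ok": b"HTTP/1.1 200 OK\r\n\r\n",
    "upstream": b"HTTP/1.1 503 Service Unavailable\r\n\r\n",
}

def classify_proxy_response(raw: bytes) -> str:
    """Map the status line of a proxy reply to the setup step to re-check."""
    try:
        version, code = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ", 2)[:2]
        status = int(code)
    except (ValueError, UnicodeDecodeError):
        return "not-http"        # port answered, but not with an HTTP status line
    if not version.startswith("HTTP/"):
        return "not-http"
    if status == 407:
        return "auth-required"   # authentication layer is enforcing (step 9.1)
    if status == 403:
        return "denied"          # refused: review default policy and access layer
    if status in (502, 503, 504):
        return "upstream-error"  # proxy reached, origin not: gateway/DNS (step 2)
    if 200 <= status < 400:
        return "allowed"
    return f"http-{status}"

def probe_explicit_proxy(proxy_host, proxy_port=8080,
                         url="http://example.com/", timeout=5.0):
    """Send one absolute-form GET through the proxy, as an explicit client does."""
    origin = url.split("/")[2]
    request = f"GET {url} HTTP/1.1\r\nHost: {origin}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            raw = sock.recv(4096)
    except ConnectionRefusedError:
        return "refused"         # nothing listening: is the service set to intercept?
    except socket.timeout:
        return "timeout"         # no route or filtered: repeat the ping check (7.1)
    except OSError as exc:
        return f"network-error: {exc}"
    return classify_proxy_response(raw)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_proxy_response(raw))
```

Call `probe_explicit_proxy("<proxy-ip>", 8080)` from an internal client, using the port the browser is configured to send requests on.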