Connectivity: About Proxy Forwarding

The Proxy Forwarding access method allows you to leverage an on-premises Symantec Secure Web Gateway (Blue Coat ProxySG or ASG appliance) in conjunction with the Web Security Service to achieve web security without physical product scaling.

Common Use Cases

I already have the on-premises appliances installed in various locations, but I want to use the Web Security Service to extend some security features. For example, I want to use the Web Security Service Content Filtering policy editor to define a destination rule that applies to multiple locations (appliance egress IP addresses).
I have historically used appliances to perform web security tasks, but I want to migrate to the cloud. This will take some time and I want to carefully transition before removing appliances.
I want to move some web security tasks to the cloud, but I want some tasks to remain local. For example, caching or authentication with established realms.
The cloud provides a more economical way to perform malware scanning and reporting versus expanding on-premises infrastructure.

Proxy-Based Overviews

The Proxy Forwarding connectivity method is the native deployment solution. In addition, other proxy-based solutions might also be appropriate for your environment.

About Symantec Secure Web Gateway Appliance Forwarding

Configure an existing Symantec Secure Web Gateway (ProxySG or ASG appliance) to forward non-internal web traffic to the SymantecWeb Security Service. AES encryption provides central yet secure reporting solution for all locations.

The following topography demonstrates using the Auth Connector for user/group affiliation.

Proxy Fwd topography

1—The gateway ProxySG appliance accepts requests from a downstream proxy or directly from clients.

2—Host forwarding configuration on the gateway ProxySG appliance routes requests to the Web Security Service over ports 8080 (HTTP proxy for HTTPS and SSL traffic) and 8443 (unintercepted SSL traffic plus user/group header information). If the ProxySG appliance is running SGOS 6.4.x or later, you can configure it to intercept some SSL traffic locally; you can then create an additional forwarding host on port 8084.

The gateway ProxySG sends the user identity and group affiliation (added to the request).

3—The Symantec Auth Connector application allows the Web Security Service to communicate with your Active Directory and provide the user/group information to the service for use in custom policy creation. See Enable User/Group Names Custom Policy (AuthConnector).

If the Primary Active Directory goes down and you have a Backup Active Directory/Auth Connector configuration, seamless failover occurs.

4—The Web Security Service configuration and policy extracts the user information from the request to complete transaction authentication and sends the content request to the Web.

Why Select This Method?

Benefits—

Your Secure Web Gateway solution already implements proxies.
Supports using any standard method to route user web traffic: PAC file (explicit proxy), browser settings, WCCP, and inline.
Enables you to leverage policy-based routing and route selected groups to the Web Security Service.
Hybrid—Sending to cloud for proper GEO IP identification and data center utilization. The ProxySG/ASG appliance determines authentication and policy decisions, but the Web Security Service routes traffic to identified localized IP.

Select another method if—

Your network egress is not a static IP address or it requires traversing a NAT devices. See Connectivity: Explicit Over IPsec.
You require proxy-based RADIUS or policy substitution. The Web Security Service does not support either.

Is this the method you require?

See Connectivity: Symantec Appliance Proxy Forwarding for a series of recommended settings and best practices.

About Symantec Management Center and Universal Policy Enforcement

Note: This is not a traffic connectivity method; it is for informational purposes relating to the proxies.

In a solution called Universal Policy Enforcement, you use Symantec Management Center to define policy that is used for both on-premises proxy appliances and the Web Security Service.

UPE topography

1—The Admin uses Management Center to create a Universal Policy object; then imports a reference ProxySG Visual Policy Manager (VPM) policy for validation and refinement. Another option is create policy (Enforcement Domains) directly in VPM, then use Management Center to import.

2—The Admin installs the validated Universal Policy on selected targets, which include ProxySG appliances in different locations and the Web Security Service.

The gateway ProxySG sends the user identity and group affiliation (added to the request).

3—Employees at a location requests web traffic that is intercepted by an on-premises ProxySG appliance, which checks against the policy with the Appliance and Universal Enforcement Points, which were defined during the policy creation stage.

4—For this enterprise, the Web Security Service processes requests from all remote users (connecting from a non-corporate network). The Web Security Service and Universal Enforcement Points apply to these client connections.

Going forward from this time, Management Center allows you to quickly maintain, edit, and publish policy updates without having to log in to multiple products.

Tip: This solution requires the decision to implement before you register your Web Security Service account. The registration process prompts to use native Web Security Service or the Management Center; selecting the latter renders the Web Security Service content filtering policy editors inactive.

Why Select This Method?

Benefits—

Leverage the same (applicable) policies across your hybrid security solution comprised of on-premises proxies and the clients connecting to the Web Security Service.

Is this the method you require?

Resources

Technical Requirements:

UPE WebGuide Topic
UPE WebGuide Home:

UPE Support Article

Alternate Media

PDF

Self-Help Training Videos

Symantec E-Libary: Proxy Forwarding