Connectivity: Explicit Over IPsec

An Explicit Over IPsec deployment is one where a web request is initiated by the browser as an explicit proxy connection but is sent to the Web Security Service over an IPsec tunnel. This deployment can be used with any of the IPsec location types that WSS supports. It is most commonly used in environments where no default route to the internet exists, such as a tightly controlled network where browsers have only one controlled, explicit way out via a PAC file.

Technical Requirements

This section lists the high-level technical requirements for this configuration.

  • Your organization has been provisioned with an account in the WSS.

    To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.

  • An understanding of how much user traffic will route to the Web Security Service.

    The WSS limits each IPsec tunnel to 500 Mbit/s of bandwidth. If you expect traffic to exceed that, plan your architecture to use an additional tunnel from an additional public IP address for each 500 Mbit/s block of bandwidth you expect to consume. For example, a site that consumes 900 Mbit/s of traffic must connect to the WSS using at least two IPsec tunnels, each originating from a unique public IP address.

  • The internal network addresses that are the source of the traffic to send to the WSS.

    As a best practice, do not send intranet resources, such as email and internal web services, through the tunnel. Additionally, exclude the server where the Auth Connector is installed from the tunnel, because it makes a direct connection to the WSS on port 443. See Forward Specific User and Group Names to the Service.

  • If your proxy forwarding deployment handles traffic for a large number of users, configure your ProxySG appliance to use more source ports than the 1024 it uses by default, and segregate that traffic to ensure appropriate balancing of your connection load to the service. Follow the steps in this KB article: https://support.symantec.com/en_US/article.TECH254332.html.


Procedure

Step 1—Configure a VPN Connection to the WSS

Configure the gateway VPN device to route internet-bound traffic to the WSS.

If you are unsure of which method is required for your network environment, see Connectivity—About Virtual Private Network (IPsec).

Step 2—Configure Client Browsers to Explicit Proxy to the VPN Device

To configure the explicit over IPsec solution, add an entry to your PAC file. The entry instructs the browser to send all outbound web traffic to a proxy, and the route to that proxy is through the IPsec tunnel to the WSS.

The following three scenarios are supported:

  • All clients require the explicit proxy connection to the web, for example in a topology with no default gateway route or one that employs an Interior Gateway Protocol (IGP). The entry for this method is:

    return "PROXY ep.threatpulse.net:80";

  • You have an on-premise proxy securing your web traffic and want to use the WSS as a backup proxy. Ensure that traffic sent to the WSS proxy named in the PAC entry (ep.threatpulse.net:8080) is routed through the VPN tunnel to the WSS. The entry for this method is:

    return "PROXY corp-gw.mycompany.com:8080; PROXY ep.threatpulse.net:8080";

  • You have configured an on-premise proxy to secure web traffic, but want to use an explicit over IPsec connection to provide seamless backup for it. In this instance, your site's edge firewall only permits traffic out to the internet on port 80, while your proxy listens for requests on port 8080. Ensure that traffic sent to the WSS proxy named in the PAC entry (ep.threatpulse.net:80) is routed through the VPN tunnel to the WSS. The entry for this method is:

    return "PROXY corp-gw.mycompany.com:8080; PROXY ep.threatpulse.net:80";

Example PAC File

The following example shows typical enterprise PAC file contents. The Explicit over IPsec entry is at the end.

function FindProxyForURL(url, host)
{
    /* SPECIAL CASES FOR NON-BALANCED ROUTING */
    // Direct connections for non-FQDN hosts, loopback, named intranet
    // hosts, and internal address ranges. Note that shExpMatch is a string
    // glob on the host name, not a network test: "10.*" also matches any
    // host name that begins with "10.".
    if (isPlainHostName(host) ||
        (host == "127.0.0.1") ||
        (host == "www.symantec.example.com") ||
        (host == "symantec.example.com") ||
        (shExpMatch(host, "*.symantec-intranet.com")) ||
        (shExpMatch(host, "90.0.0.*")) ||
        (shExpMatch(host, "10.*"))) {
        return "DIRECT";
    } else {
        // Everything else: explicit proxy to the WSS, routed over the IPsec tunnel
        return "PROXY ep.threatpulse.net:8080";
    }
}
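The following harness is an added example; it is not part of the Symantec page or of WSS itself. It evaluates a failover-style PAC like the Step 2 entries and the example above offline, using reimplementations of the PAC helper functions, and shows that shExpMatch(host, "10.*") is a string glob that also matches a public host name beginning with "10.", whereas an isInNet check applied to IPv4 literals does not. The intranet domain corp.example and the sample hosts are assumed for illustration; corp-gw.mycompany.com and ep.threatpulse.net are the names the page uses.

```javascript
// Added example (not from the Symantec page): an offline harness for checking a
// PAC file's FindProxyForURL() before it is deployed. It re-implements the PAC
// helpers the page's example relies on (isPlainHostName, shExpMatch) plus
// isInNet, evaluates a failover-style PAC (on-premise proxy first, WSS over
// IPsec as backup), and shows why a glob such as "10.*" is not a network match.
// corp.example and the sample hosts are assumed for illustration.

// PAC helper: a plain host name contains no dot, e.g. "intranet".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// PAC helper: shell-style glob (* and ?) matched against the whole string.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// PAC helper for dotted-quad literals only. Browsers' isInNet also resolves
// host names through DNS, which this offline version deliberately does not do.
function isInNet(ip, network, mask) {
  const toInt = (s) => s.split(".").reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(network) & toInt(mask)) >>> 0);
}

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Failover chain in the style of the page's second scenario: the browser tries
// the on-premise proxy first and moves to the WSS entry only if that one fails.
const PROXY_CHAIN = "PROXY corp-gw.mycompany.com:8080; PROXY ep.threatpulse.net:80";

// PAC written the way the page's example is, with a string glob for 10/8.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      host === "127.0.0.1" ||
      shExpMatch(host, "*.corp.example") ||   // assumed intranet domain
      shExpMatch(host, "10.*")) {
    return "DIRECT";
  }
  return PROXY_CHAIN;
}

// Same policy, but the 10/8 rule is applied only to IPv4 literals via isInNet,
// so a public host name that happens to start with "10." is still proxied.
function FindProxyForURLHardened(url, host) {
  if (isPlainHostName(host) ||
      host === "127.0.0.1" ||
      shExpMatch(host, "*.corp.example")) {
    return "DIRECT";
  }
  if (IPV4_LITERAL.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return PROXY_CHAIN;
}

// Split a PAC return value into the ordered list of candidates the browser
// will try, e.g. ["PROXY corp-gw.mycompany.com:8080", "PROXY ep.threatpulse.net:80"].
function parseProxyList(result) {
  return result.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Evaluate a set of hosts against a PAC function; returns {host: decision}.
function evaluateAll(pac, hosts) {
  const out = {};
  for (const h of hosts) out[h] = pac("http://" + h + "/", h);
  return out;
}

const SAMPLE_HOSTS = [          // constructed inputs, not from the page
  "intranet",                   // plain name -> DIRECT
  "wiki.corp.example",          // intranet domain -> DIRECT
  "10.1.2.3",                   // RFC 1918 literal -> DIRECT
  "10.example.com",             // public name beginning with "10." -> glob trap
  "www.example.com",            // internet -> proxy chain
];

console.log("glob PAC:    ", evaluateAll(FindProxyForURL, SAMPLE_HOSTS));
console.log("hardened PAC:", evaluateAll(FindProxyForURLHardened, SAMPLE_HOSTS));
```

Running it with node prints the decision for each sample host under both variants; the only difference is 10.example.com, which the glob version sends DIRECT and the hardened version sends to the proxy chain. Keep in mind that a browser advances to the next PROXY entry in the returned list only when it cannot connect to the previous one, so the WSS entry is a backup for an unreachable on-premise proxy, not for one that answers with errors.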

Common Troubleshooting Tips

The following knowledge base articles cover the most common issues faced by network administrators working with VPN tunnels and their remedies.