Monday, February 1, 2010

Defining proxied services on the Proxy SG

Proxy services (organized into service groups) dictate whether traffic is bypassed or intercepted, and are defined by port and address range.

Additionally, there is a port detection utility that can be used to detect services over non-standard ports.

Services are configured in the following location:

Configuration > Services > Proxy Services.

If a service is not defined here, the traffic is not proxied (it is bypassed).

The Proxy drop-down in the service creation screen defines which proxy (aka client worker) handles the traffic. For example, if an HTTP service is created and the proxy is set to TCP-Tunnel, the traffic is evaluated at the TCP layer only. If HTTP is selected, the proxy parses the protocol and more checks can be performed on the traffic.

If services overlap, the more specific service is used (for example, if one service matches a network and another matches a single host, and both match the traffic, the host service is used).

If a service is configured to intercept traffic, policies are checked to determine the action.

If the client connects explicitly to the ProxySG but no service matching that connection is set to intercept, the connection is refused and the client displays an error.

When the client is transparently proxied, there is a difference between bridging mode and all other transparent proxy deployments. In bridging mode, bypassed traffic is allowed to reach the requested origin content server. For all other deployments, verify that the setting Enable IP forwarding in the management console under Configuration > Network > Routing > Gateways is checked, so that the traffic can still be forwarded.

Traffic flow:

1. All traffic is processed at the network layer. If the traffic matches the bypass list, it is passed through (the remaining steps are skipped).

2. The remaining traffic is processed at the service level. If it matches a service set to intercept, the process moves to step 3.

3. Intercepted traffic goes through policy processing.
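As an added illustration (not Blue Coat's code and not from the original post), the following Python model reproduces the service lookup and the three-step flow above: the network-layer bypass list is checked first, then the most specific matching service (host beats network) decides intercept or bypass, and an explicit client with no intercepting service is refused. The service table, bypass list and addresses are constructed for the example; service names and the field layout are assumptions, not the ProxySG's own data model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One proxy service listener (constructed model, not the ProxySG's own schema)."""
    name: str
    proxy: str                    # client worker: "HTTP", "TCP-Tunnel", ...
    dest: ipaddress.IPv4Network   # destination host (/32) or network range
    port: int
    action: str                   # "intercept" or "bypass"


# Constructed sample configuration: an overlapping network service, a host
# service inside it, and a catch-all. Names are illustrative assumptions.
SERVICES = [
    Service("http-all", "HTTP", ipaddress.ip_network("0.0.0.0/0"), 80, "intercept"),
    Service("tunnel-lab", "TCP-Tunnel", ipaddress.ip_network("10.1.0.0/16"), 80, "intercept"),
    Service("bypass-monitor", "TCP-Tunnel", ipaddress.ip_network("10.1.2.3/32"), 80, "bypass"),
]

# Constructed network-layer bypass list (step 1, evaluated before any service).
BYPASS_LIST = [ipaddress.ip_network("192.168.100.0/24")]


def match_service(dst_ip, dst_port):
    """Return the most specific service matching dst_ip:dst_port, or None.

    Specificity is modelled as the longest destination prefix, so a /32 host
    entry wins over a /16 network entry that also matches.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [s for s in SERVICES if s.port == dst_port and ip in s.dest]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.dest.prefixlen)


def dispatch(dst_ip, dst_port, explicit):
    """Model of the three-step flow from the post.

    Returns 'bypassed', 'refused' or 'intercepted:<proxy>'. For an explicit
    connection dst_ip/dst_port is the listener the client connected to.
    """
    ip = ipaddress.ip_address(dst_ip)
    # Step 1: network-layer bypass list short-circuits everything else.
    if any(ip in net for net in BYPASS_LIST):
        return "bypassed"
    # Step 2: service lookup, most specific match wins.
    svc = match_service(dst_ip, dst_port)
    if svc is None or svc.action == "bypass":
        # An explicit client has no intercepting service to talk to, so it is
        # refused; transparent traffic is simply not proxied.
        return "refused" if explicit else "bypassed"
    # Step 3: the chosen client worker evaluates policy on the intercepted traffic.
    return f"intercepted:{svc.proxy}"


if __name__ == "__main__":
    for ip, port, explicit in [("192.168.100.7", 80, False), ("10.1.2.3", 80, False),
                               ("10.1.2.3", 80, True), ("10.1.5.5", 80, True),
                               ("8.8.8.8", 80, False), ("8.8.8.8", 443, True)]:
        mode = "explicit" if explicit else "transparent"
        print(f"{mode:11} {ip}:{port} -> {dispatch(ip, port, explicit)}")
```

Running the block prints one decision per constructed connection; the 10.1.2.3 case shows the host-level bypass entry overriding the /16 intercept entry, and the same destination being refused for an explicit client but silently bypassed for a transparent one.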
