METHODS FOR BYPASSING THE WEB SECURITY PROXY
COPYRIGHT NOTICES ©eSoft Inc. 2012. eSoft, InstaGate, and ThreatWall are registered trademarks, and SoftPak and SoftPak Director are trademarks of eSoft, Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation. Adobe, the Adobe logo, and Acrobat are registered trademarks of Adobe Systems Inc. UNIX is a registered trademark of UNIX Systems Laboratories, Inc. All other brand and/or product names are the property of their respective holders. Portions of this software are covered under the GNU General Public License. You may freely obtain source code versions of the software covered by the GNU General Public License through the Internet at http://www.redhat.com. However, some applications remain the property of their owners, and require their permission to redistribute. For more information, access the eSoft web site at http://www.esoft.com. Portions of this software are Copyright © The Regents of the University of California. A complete copy of the copyright notice follows: Copyright © The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the University of California, Berkeley and its contributors.” Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Portions of this software are Copyright © The Apache Group. A complete copy of the copyright notice follows: Copyright © 1995-1997 The Apache Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).” The names “Apache Server” and “Apache Group” must not be used to endorse or promote products derived from this software without prior written permission. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).”
INTRODUCTION All InstaGate units come with the Web Security Proxy as standard built-in software. This proxy is used to monitor and enforce appropriate Internet usage throughout your organization. Bypassing the proxy may be necessary for certain websites, hosts or applications: a site or application may not work through a proxy for reasons related to security, because the application cannot supply proxy authentication, or for other reasons. The following sections describe how to bypass the Web Security Proxy on the InstaGate. This is typically done with a combination of Firewall Policies on the unit and additional configuration of the client machine through Internet Options. Keep in mind that traffic which bypasses the proxy is neither filtered nor logged by it, so scope each bypass as narrowly as the problem allows.
IMPORTANT NOTE: If IP-Based Web Filtering is being used on the device, there is no way to bypass the proxy. Any traffic that routes through the unit will be redirected to the proxy for processing. For additional information on the Web Security Proxy please review the information available at http://support.esoft.com.
PART ONE – BYPASS BY DESTINATION
1.1 The following shows how to create a proxy bypass by destination, meaning that when a client tries to go to a specific destination, the proxy is bypassed. This method is most commonly used for problems browsing to particular sites. For our example we will create a destination bypass to the site http://support.esoft.com.
1.2 Finding the Destination IP Address
The first step in creating a destination bypass is to find the IP address for the site you want to allow to bypass the proxy. This can be done through several methods, the easiest of which is simply to ping the hostname. From a client machine, go to Start and click on Run. In the Run field type ‘cmd’ to open a command prompt. Type ‘ping support.esoft.com’ at the prompt as shown below and hit Enter. You should receive a message similar to the one below with the IP address that support.esoft.com resolves to; the address is shown even if the site does not answer the pings. This is the IP address you will need to use for your LAN firewall rule. In our example this IP is 184.108.40.206. Note that ping shows only one address: to see every address the name resolves to, type ‘nslookup support.esoft.com’ instead.
1.3 Creating the LAN Firewall Policy
The next step in setting up a destination bypass is to add a LAN firewall rule to allow the traffic past the default proxy rule. First, access the Firewall Policies page by clicking the Firewall Policies link under the Firewall Menu. Click the ‘Add’ button to add a policy. After naming the policy, set the Action to ‘Accept’ and the Interface to LAN. It is best to leave logging disabled unless you are troubleshooting dropped packets at the firewall.
For a destination bypass you will typically leave the source address as the object ‘ANY’ as in the example above. However, there may be situations where you need to specify a network or host; in that case only the specified host, or the clients on the specified network, are allowed to bypass the proxy for the destination IP you enter. The destination address should be the IP address that we determined in section 1.2. Here you can see we’ve selected ‘Network’ and entered 184.108.40.206, the IP address of support.esoft.com, into the IP address field. We’ve also entered the subnet mask 255.255.255.255 so the proxy will only be bypassed by traffic going to the single address 184.108.40.206. Certain hostnames resolve to more than one IP address, so you may need to enter a subnet of IP addresses here, or create multiple policies; a subnet entry also bypasses the proxy for every other address in that range, so keep it as small as possible. The last step in creating the firewall policy is to select the protocols you wish to be affected by the policy. By default, most browsers including Internet Explorer will proxy the HTTP, HTTPS and FTP protocols. In our example we will only be using HTTP and HTTPS, so they have been selected.
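The following is an added example, not part of the eSoft document, that works through the point above about names that resolve to more than one address. It resolves every IPv4 address a hostname returns (ping only reports the first) and turns the list into policy entries: one 255.255.255.255 entry per address, plus the smallest single network that covers all of them, together with how many unrelated addresses that network would also exempt from the proxy. The sample addresses in the main block are constructed (the document's 184.108.40.206 plus a second made-up neighbour); the max_prefix threshold and the function names are this example's own choices, not anything the InstaGate provides.

```python
"""Plan the destination entries for a proxy-bypass firewall policy.

Added example; not part of the eSoft document. It assumes only what the
text states: a policy takes a network address plus a subnet mask, and
policies match on IP addresses, not hostnames.
"""
import ipaddress
import socket
from typing import Iterable


def resolve_all(hostname: str) -> list[str]:
    """Return every IPv4 address the name currently resolves to.

    ping reports only the first answer; a site behind a load balancer or
    CDN often returns several, and a bypass covering one of them works
    only some of the time.  Needs network access.
    """
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.ip_address)


def plan_bypass(addresses: Iterable[str], max_prefix: int = 24) -> dict:
    """Turn resolved addresses into firewall-policy entries.

    Returns the per-address entries (each a 'Network' entry with mask
    255.255.255.255, i.e. one policy per address), the smallest single
    network that covers all of them, and whether that network is narrow
    enough (no wider than /max_prefix, an arbitrary threshold) to use as
    one entry instead.  The covering network also bypasses the proxy for
    every other address inside it, so 'unrelated_addresses' is reported
    for the administrator to judge.
    """
    nets = sorted({ipaddress.ip_network(a) for a in addresses})
    if not nets:
        raise ValueError("no addresses to plan for")
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()          # widen one bit at a time
    return {
        "host_entries": [(str(n.network_address), str(n.netmask)) for n in nets],
        "covering_network": str(cover),
        "netmask": str(cover.netmask),
        "use_single_network": cover.prefixlen >= max_prefix,
        "unrelated_addresses": cover.num_addresses - len(nets),
    }


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:                      # real lookup, e.g. support.esoft.com
        addrs = resolve_all(sys.argv[1])
    else:                                 # constructed sample: the document's
        addrs = ["184.108.40.206", "184.108.40.210"]   # address plus a neighbour
    print("resolved:", addrs)
    for key, value in plan_bypass(addrs).items():
        print(f"{key}: {value}")
```

Run it with a hostname to resolve live, or with no argument to use the constructed sample. With two addresses 16 apart the covering network is a /27, which would exempt 30 other addresses; two separate /32 policies are the safer choice unless the whole range belongs to the site.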
1.4 Placement of the Bypass Policy
Firewall policies are acted on in order, from top to bottom. For the bypass to work, your firewall rule must be placed above the default proxy rule labeled Web Access*. This can be done by selecting your rule and using the ‘UP’ button or using the drag and drop feature and clicking ‘Apply’. Our final LAN firewall configuration appears below.
1.5 Adding Exceptions to the Browser
The final step in creating a destination proxy bypass is to add an exception into the browser. The following describes the process of adding an exception in Microsoft Internet Explorer. For other browsers please refer to the documentation provided in the browser help menu. The proxy settings for Internet Explorer are configured through Internet Options. If you are configured for Local or Microsoft Active Directory authentication you should already be set to go through the proxy. If you are in transparent mode this step is not necessary.
First, access Internet Options either through the Control Panel or through Internet Explorer by clicking Tools and selecting Internet Options. Click on the Connections tab, then LAN settings.
As in the above screenshot, you should see the box checked to “Use a proxy server for your LAN” and have the Address box filled in. Click the ‘Advanced’ button. In the Exceptions box, enter the hostname of the site you are bypassing the proxy for; this list matches on the name the browser requests, not on a full URL or an IP address, and Internet Explorer accepts wildcards such as *.esoft.com to cover every host in a domain. For this example we simply enter support.esoft.com. Click OK until you exit the Internet Options settings. At this point you should be finished, and anyone who has the exception set appropriately should be bypassing the proxy for that site. Both halves are required: the browser exception makes the request go direct instead of to the proxy, and the firewall policy lets that direct request through; with only one of the two in place the traffic still ends up at the proxy. If the page is still not working after this, check the Web Proxy log to verify the requests are no longer getting logged and that no other hostnames need to be added.
PART TWO – BYPASS BY SOURCE
2.1 Part two will demonstrate how to create a proxy bypass by source. When a client with a particular source IP address tries to access a website via HTTP, HTTPS or FTP, the connection bypasses the proxy. Machines with a source bypass should not have any proxy settings added to the browser. Because the firewall matches on the source IP address alone, any machine that acquires that address, whether through a DHCP reassignment or by setting it deliberately, inherits the bypass and is neither filtered nor logged by the proxy; keep source bypasses to the few hosts that genuinely need them.
2.2 Finding the Source IP Address
In most situations you will want to statically assign an IP address to the machine you are creating a source bypass for. This can be done by accessing the properties of your local area connection or wireless connection. Select Internet Protocol (TCP/IP) and choose Properties again. Here you can choose “Use the following IP address” and assign an address on your local network. If you use DHCP on your local network you can still create a source bypass; however, the bypass may stop working after the DHCP lease expires and the machine receives a different address, so reserve the address for that machine’s MAC address on the DHCP server if you can. With DHCP the current source address can be found by running “ipconfig” at a command prompt. For our example, we will use the source IP 10.10.10.10.
2.3 Creating the LAN Firewall Policy
The LAN firewall policy for a source bypass is very similar to a destination bypass. With a source bypass you specify the source rather than the destination. As you can see in the example below, we have chosen all of the same options with the exception of two settings: we have specified the source address as 10.10.10.10 with the subnet mask 255.255.255.255, and we have changed the destination address to ‘ANY’. Next, select the protocols you wish to use for this policy, typically HTTP and HTTPS. Click ‘Apply’ to save the policy.
2.4 Placement of the Bypass Policy
The LAN firewall policy that you have created must be moved above the default proxy rule, just as in part one. This can be done by selecting your rule and using the ‘UP’ button or using the drag and drop feature and clicking ‘Apply’. After applying the change the source bypass should now work. Keep in mind that proxy settings should not be specified on the client machine; if the browser still points at the proxy, the request goes to the proxy regardless of the firewall policy.
PART THREE – COMBINATION BYPASSES
3.1 There may be times when you want to allow only a certain host, or a certain group of hosts, to bypass the proxy for a certain destination while keeping all other traffic proxied. For this situation you would use a combination policy which, in essence, combines the policies from part one and part two: both a source and a destination IP are used in the firewall rule. This is the narrowest of the three bypasses and the one to prefer whenever it fits the problem.
3.2 Finding the Source and Destination IP Addresses
For this type of policy we will be using both the source and destination IP. To find these IPs you will use the same process as in part one and part two; refer back to section 1.2 for finding the destination, or 2.2 for finding the source. In this example, we will use support.esoft.com, 184.108.40.206, for the destination and 10.10.10.10 for the source IP address.
3.3 Creating the LAN Firewall Policy
The LAN firewall policy in this example is basically a combination of the destination and source bypass policies. After naming the rule and selecting ‘Accept’ for the action you will need to set the source IP address.
As shown, we have selected ‘Network’ and specified the source address as 10.10.10.10 with the subnet mask 255.255.255.255. This ensures that only 10.10.10.10 is allowed to bypass the proxy. Next, specify the destination you wish to bypass the proxy for. Here you can see we’ve selected ‘Network’ and entered 184.108.40.206. We’ve also entered the subnet mask 255.255.255.255 so only traffic going to 184.108.40.206 from the source 10.10.10.10 will bypass the proxy. To finish the policy, select the protocols you wish to use for this policy, typically HTTP and HTTPS. Click ‘Apply’ to save the policy.
3.4 Placement of the Bypass Policy
As with the other policies, this firewall policy must be moved above the default proxy rule. This can be done by selecting your rule and using the ‘UP’ button or using the drag and drop feature and clicking ‘Apply’.
After applying the change the combination bypass should now work if you do not have proxy settings specified in your browser (transparent proxy). If you do have proxy settings assigned, follow the steps in section 1.5 to add an exception for the destination into the proxy settings on the source machine.
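The three policy shapes above (destination bypass in part one, source bypass in part two, combination in part three) and the placement rule that applies to all of them can be checked before touching the unit. The following is an added example, not eSoft code: it models an ordered LAN policy list with first-match semantics as the document describes, evaluates sample requests against it, and flags any policy that can never match because an earlier policy already covers everything it would match, which is exactly what happens when a bypass rule is left below Web Access*. The built-in Web Access* rule is modelled as a catch-all with the action "Proxy" (an assumption; the document only says it sends traffic to the proxy), the 203.0.113.7 destination is a constructed placeholder, and the browser-side exception is not modelled.

```python
"""First-match evaluation of an ordered LAN policy list.

Added example; not eSoft code.  It models only what the document states:
policies are matched top to bottom on source network, destination network
and protocol, and the first match wins.  The built-in 'Web Access*' rule
is modelled as a catch-all whose action is 'Proxy' (an assumption).
"""
from dataclasses import dataclass
import ipaddress

ALL_PROTOCOLS = frozenset({"HTTP", "HTTPS", "FTP"})   # what browsers proxy by default
ANY = "0.0.0.0/0"                                    # the 'ANY' address object


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # "Accept" (bypass) or "Proxy" (redirect)
    source: str = ANY                # network in CIDR form
    destination: str = ANY
    protocols: frozenset = ALL_PROTOCOLS

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and proto in self.protocols)


def evaluate(policies, src, dst, proto):
    """Walk the list top to bottom; return (name, action) of the first
    matching policy, or (None, None) if nothing matched."""
    for policy in policies:
        if policy.matches(src, dst, proto):
            return policy.name, policy.action
    return None, None


def shadowed(policies):
    """Names of policies that can never match because an earlier policy
    already covers every packet they would match (same or wider source,
    destination and protocol set).  A bypass rule left below Web Access*
    shows up here; run this check before clicking 'Apply'."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (ipaddress.ip_network(later.source).subnet_of(ipaddress.ip_network(earlier.source))
                    and ipaddress.ip_network(later.destination).subnet_of(ipaddress.ip_network(earlier.destination))
                    and later.protocols <= earlier.protocols):
                result.append(later.name)
                break
    return result


# The document's example values: support.esoft.com and the client 10.10.10.10.
SUPPORT_IP = "184.108.40.206"
CLIENT_IP = "10.10.10.10"
WEB_PROTOCOLS = frozenset({"HTTP", "HTTPS"})

WEB_ACCESS = Policy("Web Access*", "Proxy")          # built-in default rule (modelled)
DEST_BYPASS = Policy("Part 1: bypass for support.esoft.com", "Accept",
                     destination=f"{SUPPORT_IP}/32", protocols=WEB_PROTOCOLS)
SOURCE_BYPASS = Policy("Part 2: bypass for 10.10.10.10", "Accept",
                       source=f"{CLIENT_IP}/32", protocols=WEB_PROTOCOLS)
COMBO_BYPASS = Policy("Part 3: 10.10.10.10 to support.esoft.com", "Accept",
                      source=f"{CLIENT_IP}/32", destination=f"{SUPPORT_IP}/32",
                      protocols=WEB_PROTOCOLS)


if __name__ == "__main__":
    OTHER_SITE = "203.0.113.7"           # constructed destination (TEST-NET-3)
    for order in ([DEST_BYPASS, WEB_ACCESS], [WEB_ACCESS, DEST_BYPASS]):
        print([p.name for p in order], "->",
              evaluate(order, "10.10.10.20", SUPPORT_IP, "HTTPS"),
              "shadowed:", shadowed(order))
    rules = [COMBO_BYPASS, WEB_ACCESS]
    print(evaluate(rules, CLIENT_IP, SUPPORT_IP, "HTTP"))      # the only Accept
    print(evaluate(rules, "10.10.10.11", SUPPORT_IP, "HTTP"))  # other host: Proxy
    print(evaluate(rules, CLIENT_IP, OTHER_SITE, "HTTP"))      # other site: Proxy
```

Two things the run makes visible that the screenshots do not: FTP from the client still goes to the proxy because the bypass rules select only HTTP and HTTPS, and the combination rule rejects both a neighbouring host and a different destination, which is why it is the narrowest of the three.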
TROUBLESHOOTING If there are still problems loading the site, usually the page is attempting to access more than one hostname. Watch the Web Proxy log to see what web traffic is being created when you visit the site and adjust your policies and exceptions as necessary. Also keep in mind that a hostname may resolve to more than one IP address, and the answer may vary depending on the DNS server that is being used; your policies may need to be configured to allow a network range or more than one IP address. For other applications such as Java applets and other types of software, it may be necessary to enter the proxy settings and exceptions into the software itself. Refer to the documentation for your application for specifics. If you need assistance in creating a proxy bypass please open a ticket with eSoft Technical Support at 877-754-2986 or online at http://support.esoft.com.