Configuration Example - Web traffic processed through J or SRX device and Blue Coat Proxy Server (Non Transparent mode) located in the DMZ zone

[KB21046]


Summary:
HTTP traffic must be sent to the Blue Coat Proxy Server and proxied by it. The Blue Coat processes the request and sends it back to the SRX, and the SRX forwards it to the Web.
Symptoms:
This article explains how to configure a J or SRX device to work with a Blue Coat Proxy Server that is configured in L3 (non-transparent) mode.

Topology:
  Internet (web server)
        |
        |
        |ge-0/0/1.0
 _______|________
|   zone untrust |
|                |
| SRX        DMZ |--ge-0/0/2.0 ------------ Blue Coat
|                |
|_ zone trust ___|
        |
        |ge-0/0/3.0
        |
Internet Users

Requirements:

  • Web traffic arrives on the ge-0/0/3.0 interface and must be routed internally out of the ge-0/0/2.0 interface to reach the Blue Coat Proxy Server.

  • The Blue Coat Proxy Server then sends the traffic back to the SRX on the ge-0/0/2.0 interface, and the SRX forwards it to the Internet (Web).

Solution:
The configuration below satisfies this requirement:

  • The HTTP packet enters the SRX on the ge-0/0/3.0 interface.

  • There it is intercepted by the input firewall filter HTTP, which hands the packet to the routing instance BLUECOAT.

  • The routing instance sends the packet to the Blue Coat Proxy Server out of the ge-0/0/2.0 interface.

  • The Blue Coat replaces the source IP of the packet with its own IP address and sends it back to the SRX on ge-0/0/2.0.

  • The SRX then sends the packet to the Web out of ge-0/0/1.0.

The relevant configuration is as follows:

Interfaces Configuration:
interfaces {
    ge-0/0/1 {
        description "Connected to ISP";
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
    ge-0/0/2 {
        description "Connected to BlueCoat";
        unit 0 {
            family inet {
                address 10.10.10.1/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input HTTP;
                }
                address 192.168.0.1/24;
            }
        }
    }
}

Filter configuration:
firewall {
    filter HTTP {
        term HTTP {
            from {
                protocol 6;
                port 80;
            }
            then {
                routing-instance BLUECOAT;
            }
        }
        term accept {
            then accept;
        }
    }
}

The filter is named HTTP so that it matches the `input HTTP` reference under ge-0/0/3.0 above. Note that `port 80` matches either the source or the destination port; `destination-port 80` would limit the redirect to client requests only.

 
Routing-Instance configuration:
root# show routing-instances
BLUECOAT {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.10.10.2;
        }
        instance-import DPT;
    }
}

Policy-options:
root# show policy-options
policy-statement DPT {
    term 1 {
        from {
            instance master;
            interface ge-0/0/2.0;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

Policy DPT imports the direct route of ge-0/0/2.0 from the master instance into BLUECOAT, so that the instance can resolve its static next-hop 10.10.10.2 on that interface.
The security zones for the interfaces:

  • ge-0/0/1.0 is in zone untrust

  • ge-0/0/2.0 is in zone DMZ

  • ge-0/0/3.0 is in zone trust

Security Policies:
security {
    policies {
        from-zone trust to-zone untrust {
            policy T2U {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone DMZ {
            policy T2D {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone untrust {
            policy D2U {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

NAT configuration:
security {
    nat {
        source {
            rule-set trust-untrust {
                from zone trust;
                to zone untrust;
                rule 1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat interface;
                    }
                }
            }
            rule-set DMZ-Untrust {
                from zone DMZ;
                to zone untrust;
                rule Blue-to-web {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat interface;
                    }
                }
            }
        }
    }
}
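
To check what the pieces above do together, here is an added Python model (not from the article or from Juniper) that walks one packet through the ingress zone, the HTTP input filter, the BLUECOAT or master route lookup, the zone policy and the interface source NAT. Interface, zone, address and policy names are the article's; the master default route and the `instance_import` switch, which shows why the DPT instance-import is needed for next-hop 10.10.10.2 to resolve, are assumptions.

```python
import ipaddress

# Constructed model of the article's topology (names and addresses from the config above).
INTERFACES = {  # logical interface -> (security zone, address)
    "ge-0/0/1.0": ("untrust", "1.1.1.2/30"),
    "ge-0/0/2.0": ("DMZ", "10.10.10.1/30"),
    "ge-0/0/3.0": ("trust", "192.168.0.1/24"),
}
POLICIES = {("trust", "untrust"): "T2U", ("trust", "DMZ"): "T2D", ("DMZ", "untrust"): "D2U"}
BLUECOAT_NEXT_HOP = "10.10.10.2"

def master_table():
    routes = {ipaddress.ip_network(a, strict=False): ifl for ifl, (_, a) in INTERFACES.items()}
    routes[ipaddress.ip_network("0.0.0.0/0")] = "ge-0/0/1.0"  # assumed default towards the ISP
    return routes

def bluecoat_table(instance_import=True):
    """Instance BLUECOAT: 0/0 via the proxy plus the ge-0/0/2.0 connected route that
    policy DPT imports; instance_import=False is an assumed misconfiguration."""
    routes = {ipaddress.ip_network("0.0.0.0/0"): BLUECOAT_NEXT_HOP}
    if instance_import:
        routes[ipaddress.ip_network("10.10.10.1/30", strict=False)] = "ge-0/0/2.0"
    return routes

def lookup(table, dst, depth=0):
    """Longest-prefix match; an IP next-hop must itself resolve to an interface."""
    dst = ipaddress.ip_address(dst)
    match = max((p for p in table if dst in p), key=lambda p: p.prefixlen, default=None)
    if match is None:
        return None
    next_hop = table[match]
    if next_hop.startswith("ge-"):
        return next_hop
    return lookup(table, next_hop, depth + 1) if depth < 2 else None

def forward(ingress_ifl, proto, src_port, dst_port, dst_ip, instance_import=True):
    """Return (egress interface, zone policy, source NAT address) or a drop reason."""
    in_zone = INTERFACES[ingress_ifl][0]
    # Filter HTTP on ge-0/0/3.0 ("protocol 6; port 80", either port) -> instance BLUECOAT.
    redirect = ingress_ifl == "ge-0/0/3.0" and proto == 6 and 80 in (src_port, dst_port)
    egress = lookup(bluecoat_table(instance_import) if redirect else master_table(), dst_ip)
    if egress is None:
        return "drop: next-hop unresolved"
    out_zone = INTERFACES[egress][0]
    policy = POLICIES.get((in_zone, out_zone))
    if policy is None:
        return f"drop: no policy from-zone {in_zone} to-zone {out_zone}"
    nat = "1.1.1.2" if out_zone == "untrust" else None  # source-nat interface on ge-0/0/1.0
    return egress, policy, nat
```

Running `forward("ge-0/0/3.0", 6, 40000, 80, "203.0.113.10")` shows the HTTP request leaving towards the proxy under policy T2D without NAT, while the same call with `instance_import=False` is dropped because the BLUECOAT instance has no route on which to resolve 10.10.10.2.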
