Deployment Brief:
Explicit Proxy Access Method
Version 6.9.x/Doc Revision: 03/24/17
Blue Coat Web Security Service/Page 2
Copyrights
Copyright © 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and
the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only
and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are
disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS
DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
www.symantec.com
Web Security Service Access Method: Explicit Proxy
The Blue Coat Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based
product, the Web Security Service leverages Blue Coat's proven security technology as well as the WebPulse™ cloud community of over 75 million users.
With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service
to create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roaming
users.
This document describes how to set up explicit proxy connections to the Web Security Service for security scanning and
policy checks on web-bound traffic.
This document contains topics collected from the Web Security Service online documentation. For the complete doc set,
see:
https://bto.bluecoat.com/documentation/All-Documents/Web Security Service
Table Of Contents
Copyrights ... 3
Web Security Service Access Method: Explicit Proxy ... 5
Table Of Contents ... 5
About the Explicit Proxy Access Method ... 7
    Access From the Corporate Network ... 7
    Access From Remote Users ... 8
Plan The Explicit Proxy Access Method ... 10
Select an Explicit Proxy Method ... 11
    Pre-Deployment: Select Authentication Method ... 11
        Automatic ... 11
        Manual ... 11
Publish PAC File With WPAD ... 12
    Next Step ... 12
Edit Browser to Explicitly Proxy ... 13
Edit Safari Proxy Setting ... 14
    Verify Firewall Setting ... 14
    Next Step ... 14
Edit Chrome Browser Proxy Setting ... 15
    Verify Firewall Setting ... 15
    Next Step ... 15
Edit IE Browser Proxy Setting ... 16
    Verify Firewall Setting ... 16
    Next Step ... 16
Edit Firefox Browser Proxy Setting ... 17
    Verify Firewall Setting ... 17
    Next Step ... 17
Prevent IP/Subnet From Routing to the Web Security Service ... 18
Add an Explicit Proxy Location ... 20
Verify Service Connectivity to Locations ... 22
    All Locations ... 22
    Additional Step For Remote Users ... 22
        Windows ... 23
        Mac ... 24
    Verify Client Protection ... 24
Reference: Required Locations, Ports, and Protocols ... 26
    Blue Coat Resource ... 26
    Access Methods ... 26
    Authentication ... 27
    Cloud-to-Premises DLP ... 27
Reference: Sample PAC File for Explicit Proxy ... 28
About the Explicit Proxy Access Method
A proxy auto-config (PAC) file is a JavaScript file that enables web browser requests from within a company firewall to bypass
the proxy server based on the IP address of the computer being used to access internal websites. Computers inside the
firewall are given access to sites on the corporate intranet without being routed through the Blue Coat Web Security Service. Requests for external websites, or requests made by company-owned computers using an external IP address, are
routed through the service. PAC files might also direct the web browser request to a specific proxy. The Web Security Service might restrict access based on the rules and restrictions governing web access.
Tips
• To provide user identities or provide a backup to proxy forwarding, you can deploy trans-proxy or Explicit Proxy
Over IPsec.
• The Roaming Captive Portal feature allows you to authenticate explicitly proxied users.
Access From the Corporate Network
Data Flow
A—All requests for external web content from IP addresses behind the firewall route through the Web Security Service.
B—The PAC file might include a list of sites (destinations by IP addresses) that bypass the Web Security Service.
C—The PAC file script identifies the internal IP address based on the RFC 1918 standard. Direct access to the internal
URL is granted.
Access From Remote Users
Data Flow—Split VPN
A—The PAC file script identifies the internal IP address based on the RFC 1918 standard. The internal URL is accessed
directly through the firewall on the VPN connection.
B—All requests for external web content route directly through the Web Security Service (with the exception of bypassed IP
addresses listed in the PAC file).
Data Flow—Full VPN
C—All requests for external web content route back into the corporate firewall and then up to the Web Security Service
through the gateway configuration.
D—The PAC file script identifies the internal IP address based on the RFC 1918 standard. The internal URL is accessed
directly through the firewall on the VPN connection.
Challenge-based Authentication (Captive Portal)
To provide user authentication for this method and also make user names available in reports and for custom policy creations, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to
users each time that they begin a new browser session (or 24 hours after the previous successful entry).
Why Select This Method?
• Easy to deploy for demonstration or testing purposes.
• Faster access for internal users to internal URLs.
• Reduces traffic to the Web Security Service by allowing web requests to internal IP addresses to go directly to the
website.
What Are the Limitations of This Method?
• Using PAC files with an IPsec split-tunnel configuration might allow requests for non-corporate sites to bypass the
Web Security Service.
• Clients using IPsec with a full tunnel configuration might be allowed to bypass the Web Security Service because
all traffic is routed through an external VPN.
• Client IP addresses are not visible to the Web Security Service.
Plan The Explicit Proxy Access Method
Complete the forms in the following sheet (one per location).
Information: Network
  PAC file deployment method:   [ ] Manual Browser Configuration   [ ] WPAD Standard
  Firewall port to open:   8080
  IP address range or subnet allowed to bypass proxy server:
  Proxy server location:
Information: Web Security Service PAC file URL
  Point all browsers to this URL:   https://portal.threatpulse.com/pac
Information: Internal Web Address
  Are all web requests routed through the proxy server?   [ ] Yes   [ ] No
Information: VPN Tunnel Type
  IPsec tunnel configuration installed on the client system. Blue Coat recommends full tunnel if your VPN is not
  compatible with the Web Security Service.   [ ] Full Tunnel   [ ] Split Tunnel
Information: Captive Portal
  Enable challenge-based auth?   [ ] Yes   [ ] No
Select an Explicit Proxy Method
The following methods are available to explicitly proxy clients to the Web Security Service.
Pre-Deployment: Select Authentication Method
Before configuring the explicit proxy method, Blue Coat recommends deploying a user authentication method if the deployment is intended for production rather than a quick proof of concept or demonstration. If your solution requires Captive
Portal, an authentication method is required.
If you are not familiar with Web Security Service authentication, consult the documentation topics in the WebGuide.
Automatic
Use the Web Proxy Auto-Discovery (WPAD) protocol.
Manual
Manually configure a web browser's proxy setting to point to the Blue Coat Proxy Automatic Configuration (PAC) file.
Publish PAC File With WPAD
Enforce the use of a Proxy Automatic Configuration (PAC) file without manual web browser configuration by using the Web
Proxy Auto-Discovery (WPAD) protocol. WPAD offers two options to publish the location of the PAC file: Dynamic Host
Configuration Protocol (DHCP) and Domain Name System (DNS).
Tips
• Verify that firewall port 8080 is open.
• See "Reference: Sample PAC File for Explicit Proxy" on page 28 for an example PAC file.
DHCP Method
1. Before retrieving the first page, the web browser sends the local DHCP server a DHCPINFORM query.
2. The web browser uses the URL returned from the server to locate the PAC file.
3. If the DHCP server does not return the location of the PAC file, the DNS method is used.
DNS Method
1. Change the name of the PAC file located on the web server from proxy.pac to wpad.dat.
2. The web browser searches for the PAC file using URLs of the form http://wpad.x.x.com/wpad.dat, walking the
client's domain name until the proxy configuration file is found in the domain of the client. wpad.dat is the name of
the PAC file and x stands for a label of the domain name.
Next Step
Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit Browser to Explicitly Proxy
Manually configure web browsers on client systems or a demonstration client to point to the location of the Blue Coat
Proxy Automatic Configuration (PAC), which provides the route to the Web Security Service.
To configure specific, supported web browsers, navigate to the following topics:
• "Edit Safari Proxy Setting" on page 14
• "Edit Chrome Browser Proxy Setting" on page 15
• "Edit IE Browser Proxy Setting" on page 16
• "Edit Firefox Browser Proxy Setting" on page 17
Edit Safari Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Safari browser to point to the Blue Coat Proxy
Automatic Configuration (PAC) file.
1. Select Apple menu > System Preferences.
2. Select the Internet and Network tab.
3. Select an option:
   • If you are connected by cable to the network, select Ethernet.
   • If you are connected using WiFi, select the AirPort option.
4. Click Advanced. Enter the address of your PAC file in the Address field. For example,
https://portal.threatpulse.com/pac.
5. Click the Proxies tab.
a. Select Using a PAC file.
b. Enter the Web Security Service PAC file location in the Address
field: https://portal.threatpulse.com/pac.
6. Select Quit to exit System Preferences.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit Chrome Browser Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Chrome browser to point to the Blue Coat Proxy
Automatic Configuration (PAC) file.
1. In the top-right corner of the browser, select the wrench icon.
2. From the drop-down list, select Options. The browser displays the Google Chrome Options dialog.
3. In the Network section, click Change proxy settings. The browser displays the Internet Properties dialog.
4. Click the Connections tab.
5. In the Local Area Network (LAN) Settings section, click LAN settings. The Local Area Network (LAN) Settings
dialog displays.
a. In the Automatic configuration area, select Use automatic configuration script.
b. Enter the Web Security Service PAC file location in the Address
field: https://portal.threatpulse.com/pac.
6. Click OK and exit out of all open dialogs.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit IE Browser Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Internet Explorer browser to point to the Blue Coat
Proxy Automatic Configuration (PAC) file.
1. Select Tools > Internet Options.
2. Select the Connections tab.
3. If you are using a VPN connection, click Add to set up the connection wizard. If you are using a LAN connection,
click LAN settings.
4. LAN settings dialog:
a. Select Automatically detect settings and Use automatic configuration script.
b. Enter the Web Security Service PAC file location in the Address
field: https://portal.threatpulse.com/pac.
5. Click OK and exit out of all open dialogs.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit Firefox Browser Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Firefox browser to point to the Blue Coat Proxy
Automatic Configuration (PAC) file.
1. Select Tools > Options. The browser displays the Options dialog.
2. Select the Advanced > Network tab.
3. In the Connections area, click Settings.
4. Configure Connection Settings:
a. Select Automatic proxy configuration URL.
b. Enter the Web Security Service PAC file location in the Address
field: https://portal.threatpulse.com/pac.
5. Click OK and exit out of all open dialogs.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Prevent IP/Subnet From Routing to the Web Security Service
Some source IP addresses or subnets do not require Blue Coat Web Security Service processing. For example, you want to
exclude test networks. Configure the service to ignore these connections.
Notes
• The Web Security Service allows an unlimited number of bypassed IP addresses/subnets. The exception is Client
Connector, which only bypasses the first 256 entries.
• The setting is global; that is, it applies to every location/client in your Web Security Service account.
• Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off
campus and connects through a non-corporate network), the client checks against any updates to the list.
Manually Add IP Addresses
1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.
2. Click Add Bypass IP(s). The service displays a dialog.
a. Enter an IP/Subnet.
b. (Optional) Enter a Comment.
c. (Optional) Click the + icon to add another row for another entry.
d. Click Add Bypass IP(s).
The new entries display in the tab view. You can edit or delete any entry from here.
Import IP Address Entries From a Saved List
This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each
entry in the file must be on its own line.
1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.
2. Click Add Bypass IP(s). The service displays the Add Bypass IP Address/Subnet dialog.
3. Click Add Bypass IP(s). The portal displays a dialog.
a. Select Import From File.
b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.
c. Click Add Bypass IP(s).
All of the new entries display in the tab view. You can edit or delete any entry from here.
Add an Explicit Proxy Location
When configuring Explicit Proxy as the access method, each gateway IP address defined in a PAC file requires an equivalent Blue Coat Web Security Service location configuration.
Furthermore, you have the option to require users to enter their network credentials for each browser-type session. This
allows usernames and group information to be viewable in reports and available in custom policy choices.
1. In Service Mode, select Network > Locations.
2. Click Add Location.
3. Complete the Location dialog.
a. Name the location. For example, use the fixed geographical location or organization name.
b. Select Explicit Proxy as the Access Method.
c. Enter the IP/Subnet that forwards web traffic to the Web Security Service.
d. This step is optional unless you are integrating SAML authentication. To require users to enter network
credentials at each browser-type session, select Captive Portal: Enable. This option requires deployment of
the Auth Connector application, which integrates with your Active Directory to provide username and group
information.
e. Select the Estimated User range that will be sending web requests through this gateway interface. Blue Coat
uses this information to ensure proper resources.
f. Select a Time Zone, fill out location information, and (optional) enter comments.
g. Click Save.
Verify Service Connectivity to Locations
After configuring access to the Blue Coat Web Security Service, verify that the service is receiving and processing content
requests.
All Locations
1. Click the Service link (upper-right corner).
2. Select Network > Locations.
3. Verify the status of each location.
Various icons represent the connection status (Icon / Connection Status Description):
• The Web Security Service recognizes the location and accepts web traffic.
• A location has been configured, but the Web Security Service cannot connect. Verify that the web gateway device is
properly configured to route traffic.
• A previously successful web gateway to Web Security Service configuration is currently not connected.
• Firewall/VPN
    • Verify your firewall's public gateway address.
    • Verify the Preshared Key (PSK) in the portal matches that of your firewall configuration.
    • Verify that the server authentication mode is set to PSK.
• Explicit Proxy
    • Verify the PAC file installation and deployment.
    • Verify that your network allows outbound requests on port 8080.
    • Do not attempt to use Explicit Proxy in conjunction with the Unified Agent; the client will detect that a proxy is
    in effect, assume a man-in-the-middle attack, and fail (open or closed depending on the settings).
• Proxy Forwarding—Verify the gateway address in the forwarding host is correct.
• Remote Users—Verify the Unified Agent/Client Connector installation. See the section below for more information.
Additional Step For Remote Users
To further verify that Unified Agent running on remote clients is communicating with the Web Security Service, click (or
double-click) the application icon in the menu bar and click Status.
Windows
If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive
mode.
Mac
If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive
mode.
Verify Client Protection
From a client system that has web access (or the specific test client if so configured), browse to the following site:
test.threatpulse.com
The test is successful if you see the following webpage.
Reference: Required Locations, Ports, and Protocols
Depending on your configured Blue Coat Web Security Service Access Methods, some ports, protocols, and locations
must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.
Blue Coat Resource
  bto.bluecoat.com: HTTPS/TCP 443. Support site links to support tools and documentation.
Access Methods
  Firewall/VPN (IPsec)
    Port(s): 80/443; UDP 500 (ISAKMP)
    Protocol: IPsec/ESP
    Resolves To: Web Security Service IP addresses 199.19.250.192 and 199.116.168.192
  Proxy Forwarding
    Port(s): 8080/8443; 8084*
    Protocol: HTTP/HTTPS
    Resolves To: Port 8080 to proxy.threatpulse.net; Port 8443 to proxy.threatpulse.net; *Port 8084 to
    proxy.threatpulse.net (*if this forwarding host is configured for local SSL interception)
  Explicit Proxy
    Port(s): 8080
    Resolves To: proxy.threatpulse.net; PAC file at https://portal.threatpulse.com/pac
  Trans-Proxy
    Port(s): 8080 (VPN Tunnel)
    Resolves To: ep.threatpulse.net resolves to the following pseudo address: 199.19.250.205
  Unified Agent
    Port(s): 443
    Protocol: SSL
    Resolves To: Port 443 to client.threatpulse.net; Port 443 to proxy.threatpulse.net; Port 443 to
    portal.threatpulse.net (199.19.250.192)
  MDM (registered iOS and Android devices)
    Port(s): UDP 500 (ISAKMP); UDP 4500 (NAT-T)
    Protocol: IPSec/ESP
  Roaming Captive Portal
    Port(s): 8080
Authentication
  Auth Connector
    Port(s): 443
    Protocol: SSL
    Resolves To: auth.threatpulse.net: 199.19.250.193, 199.116.168.193; portal.threatpulse.net: 199.19.250.19
    Additional Required Information: Reference: Authentication IP Addresses.
  Auth Connector to Active Directory
    Port(s) / Protocol: 139,445 TCP; 389 LDAP; 3268 ADSI LDAP; 135 Location Services; 88 Kerberos
  SAML
    Port(s): 8443
    Protocol: Explicit and IPSec
Cloud-to-Premises DLP
  • comm.threatpulse.com
Reference: Sample PAC File for Explicit Proxy
The following is sample text that makes up a Proxy Automatic Configuration (PAC) file from which Web browsers receive
routing instructions. The PAC file redirects all non-internal traffic to the Blue Coat Web Security Service.
function FindProxyForURL(url, host) {
    // If URL has no dots in host name, send traffic direct.
    if (isPlainHostName(host)) return "DIRECT";
    // If specific URL needs to bypass proxy, send traffic direct.
    if (shExpMatch(url, "*bluecoat.com*") ||
        shExpMatch(url, "*cacheflow.com*"))
        return "DIRECT";
    // If IP address is internal, send direct.
    if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||
        isInNet(host, "216.52.23.0", "255.255.255.0") ||
        isInNet(host, "127.0.0.0", "255.255.255.0") ||
        isInNet(host, "192.41.79.240", "255.255.255.255"))
        return "DIRECT";
    // All other traffic uses the proxies below, in fail-over order:
    // the service hostname first, then its IP address, then direct.
    return "PROXY proxy.threatpulse.net:8080; PROXY 199.19.250.164:8080; DIRECT";
}
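The bypass behaviour described in "About the Explicit Proxy Access Method" and encoded in the sample file above can be checked offline before the PAC file is published. The following harness is an added example, not code from the Blue Coat brief; it assumes no DNS resolution (so isInNet only matches hosts given as literal IP addresses) and uses a constructed PAC text modelled on the sample.

```javascript
// Added example (not from the Blue Coat brief): load PAC source text and
// evaluate FindProxyForURL offline, so bypass rules can be audited before
// the file is published. Assumption: hosts are literal IPs or names and no
// DNS is performed, so isInNet() only matches when the host is an IP.

// Parse dotted-quad text to an unsigned 32-bit integer, or null if invalid.
function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Minimal versions of the helper functions browsers expose to PAC scripts.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  isInNet: (host, net, mask) => {
    const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
    if (h === null || n === null || m === null) return false;
    return ((h & m) >>> 0) === ((n & m) >>> 0);
  },
  // Shell-style glob, anchored: '*' matches any run, '?' one character.
  shExpMatch: (str, pattern) => {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
};

// Compile the PAC text with the helpers in scope and return FindProxyForURL.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((k) => pacHelpers[k]));
}

// Constructed PAC text modelled on the brief's sample file (abbreviated).
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(url, "*bluecoat.com*")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0"))
    return "DIRECT";
  return "PROXY proxy.threatpulse.net:8080; DIRECT";
}`;

// Evaluate each {url, host} case and report whether it bypasses the service.
function auditBypasses(pacSource, cases) {
  const find = loadPac(pacSource);
  return cases.map(({ url, host }) => {
    const route = find(url, host);
    return { url, route, direct: route === "DIRECT" };
  });
}

// Constructed test cases. The last one shows why bypass patterns should match
// the host rather than the whole URL: "*bluecoat.com*" also matches a query
// string, so an external request goes direct and is never scanned.
const CASES = [
  { url: "http://intranet/", host: "intranet" },
  { url: "http://10.20.30.40/app", host: "10.20.30.40" },
  { url: "http://172.32.0.1/", host: "172.32.0.1" },
  { url: "https://www.example.com/", host: "www.example.com" },
  { url: "https://www.example.com/?ref=bluecoat.com", host: "www.example.com" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditBypasses(SAMPLE_PAC, CASES)) console.log(r.route.padEnd(40), r.url);
}
```

Run it against your own PAC text to confirm that only the intranet names and RFC 1918 ranges you intend are returned as DIRECT.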