Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Consider the network setup below:
Controller --------------------------- Uplink Switch ----- Internet
Gateway device for the users------ Proxy server ----- Internet
In this setup, user traffic should be redirected to a proxy server operating in transparent mode. The client connects to the open SSID and is placed in the user-role Guest-Proxy.
ip access-list session Guest-Proxy
 any any svc-dhcp permit
 any any svc-dns permit
 any any svc-icmp permit
 any any svc-http dst-nat ip <ip address of the proxy server> <port number>
 any any svc-https dst-nat ip <ip address of the proxy server> <port number>
user-role Guest-Proxy
 access-list session Guest-Proxy
aaa profile Proxy-AAA
The dst-nat rule for svc-https needs to be added only if the proxy server supports HTTPS. Otherwise, an ACL entry needs to be added to allow the HTTPS service.
In the above setup, the gateway of the client is configured outside the controller, and the proxy server is placed in a different VLAN from the client VLAN. When the controller dst-nats the traffic to the proxy server, the traffic is routed to the proxy server based on the routing table of the controller. Because the controller firewall is stateful, it would drop the return traffic to the client.
To make this work, add a host route for the proxy server as given below:
ip route <ip address of the proxy server> 255.255.255.255 <gateway ip of the client>
Note: In transparent mode, most proxy servers process only HTTP traffic. A few proxy servers, such as Websense or Blue Coat, will process HTTPS traffic provided SSL inspection is enabled on the proxy server.
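A configuration check for the two conditions described above, added here as an example and not part of the original article or of any Aruba tooling: it finds session ACLs that dst-nat svc-http or svc-https to a proxy and reports a missing host route or unhandled HTTPS. The sample configuration, its addresses, port, gateway and the ACL name Guest-Proxy-Routed are constructed, and the parser assumes the rule syntax shown in this article.

```python
import re

# Constructed sample config; addresses, port, gateway and second ACL are placeholders.
SAMPLE_CONFIG = """\
ip access-list session Guest-Proxy
 any any svc-dns permit
 any any svc-http dst-nat ip 192.0.2.10 3128
!
ip access-list session Guest-Proxy-Routed
 any any svc-http dst-nat ip 192.0.2.20 3128
 any any svc-https dst-nat ip 192.0.2.20 3128
!
ip route 192.0.2.20 255.255.255.255 10.10.10.1
"""

ACL_RE = re.compile(r"^ip access-list session (\S+)$")
RULE_RE = re.compile(r"^any any (svc-https?) (permit|dst-nat ip (\S+) (\d+))$")
ROUTE_RE = re.compile(r"^ip route (\S+) 255\.255\.255\.255 (\S+)$")

def audit_proxy_redirect(config_text):
    """Return {acl_name: [findings]} for session ACLs that dst-nat to a proxy."""
    acls, host_routes, current = {}, set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            current = acls.setdefault(m.group(1), {})
        elif m := ROUTE_RE.match(line):
            host_routes.add(m.group(1))   # /32 route: return path via the client gateway
            current = None
        elif current is not None and (m := RULE_RE.match(line)):
            # Store the proxy IP for dst-nat rules, or "permit" for a plain allow.
            current[m.group(1)] = m.group(3) or "permit"
        elif line == "!":
            current = None
    report = {}
    for name, rules in acls.items():
        targets = {v for v in rules.values() if v != "permit"}
        if not targets:
            continue  # this ACL does not redirect to a proxy
        findings = [f"no host route for proxy {ip}" for ip in sorted(targets - host_routes)]
        if "svc-https" not in rules:
            findings.append("svc-https neither dst-natted nor permitted")
        report[name] = findings
    return report

if __name__ == "__main__":
    for acl, findings in audit_proxy_redirect(SAMPLE_CONFIG).items():
        print(acl, "->", findings or "ok")
```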