Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Proxyless guest access

  • 1.  Proxyless guest access

    Posted Dec 17, 2013 08:53 AM

    We are moving away from using proxy servers for web content security in favour of a layer 4 UTM appliance.  We have 2 routes to the internet, one is the default to which all external traffic goes, the other we had used for guest access using proxy server config on devices to direct traffic towards it.  Needless to say, this has caused all sorts of problems over the years!

     

    We are hoping that we could "simply" connect an interface on the controller to the DMZ for this secondary link and route all guest traffic towards it, and the UTM will then do its job.  Is this do-able, and the best way of achieving this, or do we need to consider a Transparent Proxy...?

     

     



  • 2.  RE: Proxyless guest access

    Posted Dec 17, 2013 02:29 PM

    I'm not a specialist and I'm not sure how to separate traffic and select the correct port, but I think this should be possible somehow.

     

    But I had the same goal and I set this up using VLANs. Currently I have configured all 4 interfaces for the controllers as a single port channel. The port channel receives multiple VLANs.

     

    For example one of the VLANs is used for guest internet access; through a VLAN it's connected to a Checkpoint appliance and connected to the internet.

     

    Another VLAN is used for network access and connected to an internal network VLAN. And there are multiple VLANs for other usage.

     

    So you could create a VLAN for guest access and one for regular network access and connect them to separate interfaces at your UTM appliance. The VLANs can be selected in a virtual access point profile for further usage.

     

    Of course this only works for you if you don't want to separate traffic physically and not through VLANs.

     

    Regards,

    Roland

     

     



  • 3.  RE: Proxyless guest access

    Posted Dec 20, 2013 05:36 AM

    That's exactly what I did, got a couple of ASAs integrated with Websense and they are doing the URL inspection.



  • 4.  RE: Proxyless guest access

    Posted Dec 20, 2013 05:37 AM

    Cheers for your replies, I'll have a play when I get back from leave...

     



  • 5.  RE: Proxyless guest access

    Posted Jan 06, 2014 10:03 AM

    I have connected an Aruba interface to the DMZ and created a local VLAN with a valid DMZ address.  As our UTM is also sat in this DMZ, do I simply need to do some sort of dst NAT for captive portal traffic that pushes it towards the UTM address?

     

     



  • 6.  RE: Proxyless guest access

    Posted Jan 06, 2014 10:05 AM

    Where's the captive portal?  On the controller or on ClearPass?



  • 7.  RE: Proxyless guest access

    Posted Jan 06, 2014 10:06 AM

    On the controller...  We are due to be getting CP in the next few months, so would this change how it would be set up?

     

    I'd still like to try and get it working via the controller though...

     

    Cheers



  • 8.  RE: Proxyless guest access

    Posted Jan 07, 2014 10:45 AM

    head.. wall.. bang!

     

    Think I've pretty much exhausted all possibilities.. src NAT, dst NAT, route to ESI...  nothing!

     

    I don't think what I'm trying to do is that unusual, but I've just not found the right way of doing it!   Just to clarify.. I have an internal guest network using captive portal, say 12.11.10.0, and am trying to push this traffic out of an interface that is connected to the DMZ, so all outbound traffic goes out via our UTM.  This interface has an address that is valid in the DMZ.  All other non captive portal traffic would go out of our default route via our primary internet gateway.

     

    Would welcome any suggestions...

     

    Doing some further reading.. ESI has to be the answer...

     

    External Services Interface

    The Aruba External Services Interface (ESI) provides an open interface that is used to integrate security solutions that solve interior network problems such as viruses, worms, spyware, and corporate compliance. ESI allows selective redirection of traffic to external service appliances such as anti-virus gateways, content filters, and intrusion detection systems. When "interesting" traffic is detected by these external devices, it can be dropped, logged, modified, or transformed according to the rules of the device. ESI also permits configuration of different server groups, with each group potentially performing a different action on the traffic.



  • 9.  RE: Proxyless guest access

    Posted Jan 07, 2014 12:02 PM

    Hi, so when you associate with the VAP, or prior to authentication, you drop your client into a VLAN.

    That VLAN is on a port on the controller that is connected to a switch that is in the same VLAN as the port that goes to the UTM?

    Or the port on the UTM connects straight into the controller, and they are on the same VLAN where your client is dropped into?

    Then DHCP gives the client an IP address. This IP has the default gateway of your UTM, so your controller layer 2 connects the client to the UTM.

    The controller's VLAN interface still needs an IP, but you disable inter-VLAN routing on the tick box.

    If this fails, check the datapath session table on the controller for packet drops, but it should be pretty much contained in the box.

    Does this help?



  • 10.  RE: Proxyless guest access

    Posted Jan 08, 2014 04:15 AM

    Don't think any of what you detail fits the scenario I have.. which could perhaps be why things don't work!

     

    A connected client receives an address from the internal layer 2 network.. say, 12.10.9.8.  A port on the Aruba is connected into a DMZ switch with an address of say 192.168.0.100.. the UTM is connected to the same DMZ switch using the gateway address of 192.168.0.1.

     

    I will try configuring the lease pool to issue the gateway address of the UTM.

     

    Reading about the route to ESI option, to me this implied that I could set up 192.168.0.1 as the external server interface to which I want to direct traffic.  Then say anything on the 12.10.9.0/24 network is directed towards 192.168.0.1.
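The design described in this post (guest subnet 12.10.9.0/24, controller DMZ address 192.168.0.100, UTM at 192.168.0.1) is a source-based routing override layered on top of a normal destination-based routing table. The model below is an added example, not code from the thread or from ArubaOS: it implements longest-prefix lookup plus a policy rule that redirects only internet-bound guest traffic to the UTM next hop, and an audit over constructed flows that flags any guest-sourced traffic that does not leave through the DMZ interface. The interface names, the internal range 10.0.0.0/8 and the primary gateway 10.0.0.1 are assumptions; the three thread addresses are kept as given.

```python
"""Policy-based routing model for forcing guest egress through a UTM.

Added example, not the forum's or ArubaOS's own code. Addresses
12.10.9.0/24, 192.168.0.100 and 192.168.0.1 come from the thread;
interface names, 10.0.0.0/8 and the gateway 10.0.0.1 are assumptions.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: str      # "connected" for directly attached prefixes
    iface: str


@dataclass(frozen=True)
class PolicyRule:
    """Source-based override, in the spirit of a 'route to ESI' ACL action."""
    src: Net
    next_hop: str
    iface: str


# Ordinary destination-based table (assumed layout).
ROUTING_TABLE = [
    Route(Net("12.10.9.0/24"), "connected", "vlan-guest"),
    Route(Net("192.168.0.0/24"), "connected", "vlan-dmz"),   # controller is .100 here
    Route(Net("10.0.0.0/8"), "connected", "vlan-corp"),       # assumed internal range
    Route(Net("0.0.0.0/0"), "10.0.0.1", "vlan-corp"),         # assumed primary gateway
]

# Override: guest clients' internet-bound traffic goes to the UTM in the DMZ.
POLICY = [PolicyRule(Net("12.10.9.0/24"), "192.168.0.1", "vlan-dmz")]

DEFAULT = Net("0.0.0.0/0")


def lookup(dst: str) -> Route:
    """Longest-prefix match over ROUTING_TABLE."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for r in ROUTING_TABLE:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    assert best is not None, "table has no default route"
    return best


def next_hop(src: str, dst: str) -> tuple:
    """Return (next_hop, iface) for a flow, applying the policy override only
    when the plain lookup would fall through to the default route, i.e. only
    for internet-bound traffic. Connected and internal prefixes are untouched."""
    base = lookup(dst)
    if base.prefix == DEFAULT:
        s = ipaddress.IPv4Address(src)
        for rule in POLICY:
            if s in rule.src:
                return (rule.next_hop, rule.iface)
    return (base.next_hop, base.iface)


def audit(flows, guest=Net("12.10.9.0/24"), wanted_iface="vlan-dmz") -> list:
    """Flag guest-sourced flows that would egress anywhere other than the DMZ
    interface. A routing override cannot stop guest-to-internal traffic on its
    own; such flows still need an explicit deny in the session ACL, and this
    audit surfaces them."""
    findings = []
    for src, dst in flows:
        if ipaddress.IPv4Address(src) not in guest:
            continue
        hop, iface = next_hop(src, dst)
        if iface != wanted_iface:
            findings.append((src, dst, f"guest flow leaves via {iface} (next hop {hop})"))
    return findings


# Constructed sample flows: guest to internet, corporate to internet,
# guest to the DMZ, guest to an internal host.
SAMPLE_FLOWS = [
    ("12.10.9.8", "203.0.113.10"),
    ("10.1.2.3", "203.0.113.10"),
    ("12.10.9.8", "192.168.0.100"),
    ("12.10.9.8", "10.1.2.3"),
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(src, "->", dst, next_hop(src, dst))
    for finding in audit(SAMPLE_FLOWS):
        print("AUDIT:", finding)
```

The point of scoping the override to default-route destinations is that a blanket "guest source, any destination" rule would also pull same-subnet and DMZ-local traffic towards the UTM; the audit output shows the remaining gap, guest-to-internal, which routing alone never closes.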

     

     



  • 11.  RE: Proxyless guest access

    Posted Jan 13, 2014 05:00 AM

    No other suggestions??


     



  • 12.  RE: Proxyless guest access
    Best Answer

    Posted Jan 21, 2014 08:32 AM

    Route to ESI was the answer!  Just had to configure it correctly.

     

    Thanks for all your input :-)



  • 13.  RE: Proxyless guest access

    EMPLOYEE
    Posted Jan 21, 2014 08:37 AM

    $k3l3t0r,

     

    Glad to hear it.  Please post your successful config.



  • 14.  RE: Proxyless guest access