12-22-2011 10:54 AM
I'm having trouble redirecting traffic to an Explicit Proxy through Dst-Nat, as posted in this discussion:
So I would like to know whether I could redirect the traffic with ESI groups, I've read some information about that and maybe it could help...
Additionally, dst-nat is (I guess) for captive portal purposes, or something related to that, because if I'm going to Google.com (for instance) and my controller changes the destination address to the proxy's IP, how would the proxy know where my client wants to go?
Thanks in advance,
12-22-2011 01:03 PM
Then the ESI can certainly do that for you. Please look at the configuration in the user guide. The "Redirection Policies and User Role" portion is what applies to your situation. It is not guaranteed, however, that your web filter will be able to handle traffic sent to it in this manner.
Aruba Customer Engineering
12-22-2011 04:29 PM
Either dst-nat or ESI in NAT mode can redirect specified traffic to a different IP destination (such as a proxy server or content filter). In fact, Aruba's CSS is a cloud-based content service where the controller or RemoteAP dst-nats http traffic to the closest enforcement node. You normally would not need to set up ESI unless you had multiple proxies (load balancing) or wanted the ESI health checks to bypass the proxy server when it was down; otherwise dst-nat is simpler and would suffice.
The proxy server knows where the client is trying to go because the URL is specified within the HTTP packet (GET, POST, etc.). But not all proxies are created equal, so just getting traffic to it may not be enough. You may need to update the proxy to work in this mode or explicitly configure the clients.
You can also use ESI in route mode to force web traffic to the proxy. This mode rewrites the Ethernet header (OSI Layer 2), so controller and proxy need to be on the same subnet. Destination IP and port are unchanged, so essentially the proxy is inline without actually being inline (similar to a WCCP implementation).
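How a proxy can recover the destination from a dst-nat'd HTTP request, as the reply above describes, and why a proxy that only understands explicitly configured clients may not cope. This is an added example, not code from the thread or from Aruba; `resolve_target` and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

def _authority(value, default_port):
    """Split 'host[:port]' (IPv6 literals included); None if malformed."""
    try:
        parts = urlsplit("//" + value)
        host, port = parts.hostname, parts.port
    except ValueError:
        return None
    return (host, port or default_port) if host else None

def resolve_target(raw, default_port=80):
    """Return (form, host, port, path) for a raw HTTP request head, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    fields = request_line.split(" ")
    if len(fields) != 3:
        return None
    method, target, _version = fields
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":
        # authority-form: only explicitly configured clients send this
        form, authority, path = "authority", target, ""
    elif target.lower().startswith(("http://", "https://")):
        # absolute-form: what a client configured for an explicit proxy sends
        form = "absolute"
        authority, _, rest = target.split("://", 1)[1].partition("/")
        path = "/" + rest
    else:
        # origin-form: the client believes it is talking to the web server
        # (the dst-nat case), so the Host header is the only record of the site
        form, authority, path = "origin", headers.get("host", ""), target
    resolved = _authority(authority, default_port)
    return (form, *resolved, path) if resolved else None

# Constructed sample requests (not captured traffic)
DNAT_REQ = b"GET /search?q=aruba HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
EXPLICIT_REQ = (b"GET http://www.google.com/search?q=aruba HTTP/1.1\r\n"
                b"Host: www.google.com\r\n\r\n")
NO_HOST_REQ = b"GET / HTTP/1.0\r\n\r\n"  # old client: destination is lost after dst-nat

if __name__ == "__main__":
    for req in (DNAT_REQ, EXPLICIT_REQ, NO_HOST_REQ):
        print(resolve_target(req))
```

The Host header is supplied by the client, so filtering policy should be applied to the host this function returns rather than to the (rewritten) destination IP.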