Wireless Access

Reply
Occasional Contributor II

What's the function of ESI groups?

I'm having troubles redirecting the traffic to a Explicit Proxy through Dst-Nat as posted in this discuss:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Best-way-to-force-guests-to-use-a-proxy/m-p/6269/highlight/true#M32

 

So I would like to know whether I could redirect the traffic with ESI groups, I've read some information about that and maybe it could help...

 

Additionaly, if I use dst-nat (I guess) is for captive portal pourposes, or something related to that, cause if Im going to Google.com (for instance) and my controller change the destination address to the proxy's IP, how would know the proxy where my client is wanting to go???

 

Thanks in advance,

 

César

Guru Elite

Re: What's the function of ESI groups?

Do you have a transparent proxy?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: What's the function of ESI groups?

No Colin, the idea is redirect the traffic to a explicit proxy without configure each client (browser).

Guru Elite

Re: What's the function of ESI groups?

Then the ESI can certainly do that for you.  Please look at the configuration in the user guide.  the " Redirection Policies and User Role" portion is what applies to your situation.  It is not guaranteed, however that your web filter will be able to handle traffic sent to it in this manner.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee

Re: What's the function of ESI groups?

Either dst-nat or ESI in NAT mode can redirect specified traffic to a different IP destination (such as a proxy server or content filter). In fact, Aruba's CSS is a cloud-based content service where the controller or RemoteAP dst-nats http traffic to the closest enforcement node. You normally would not need to set up ESI unless you had multiple proxies (load balancing) or wanted the ESI health checks to bypass the proxy server when it was down; otherwise dst-nat is simpler and would suffice.

 

The proxy server knows where the client is trying to go because the URL is specified within the HTTP packet (GET, POST, etc.). But not all proxies are created equal, so just getting traffic to it may not be enough. You may need to update the proxy to work in this mode or explicity configure the clients.

 

You can also use ESI in route mode to force web traffic to the proxy. This mode rewrites the Ethernet header (OSI Layer 2), so controller and proxy need to be on the same subnet. Destination IP and port are unchanged, so essentially the proxy is inline without actually being inline (similar to a WCCP implementation).

New Contributor

Re: What's the function of ESI groups?

Has anyone successfully implemented a Websense proxy server in explicit mode using this approach? Are ther any known limitations like device type?

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: