I'm having troubles redirecting the traffic to a Explicit Proxy through Dst-Nat as posted in this discuss:
So I would like to know whether I could redirect the traffic with ESI groups, I've read some information about that and maybe it could help...
Additionaly, if I use dst-nat (I guess) is for captive portal pourposes, or something related to that, cause if Im going to Google.com (for instance) and my controller change the destination address to the proxy's IP, how would know the proxy where my client is wanting to go???
Thanks in advance,
Do you have a transparent proxy?
No Colin, the idea is redirect the traffic to a explicit proxy without configure each client (browser).
Then the ESI can certainly do that for you. Please look at the configuration in the user guide. the " Redirection Policies and User Role" portion is what applies to your situation. It is not guaranteed, however that your web filter will be able to handle traffic sent to it in this manner.
Either dst-nat or ESI in NAT mode can redirect specified traffic to a different IP destination (such as a proxy server or content filter). In fact, Aruba's CSS is a cloud-based content service where the controller or RemoteAP dst-nats http traffic to the closest enforcement node. You normally would not need to set up ESI unless you had multiple proxies (load balancing) or wanted the ESI health checks to bypass the proxy server when it was down; otherwise dst-nat is simpler and would suffice.
The proxy server knows where the client is trying to go because the URL is specified within the HTTP packet (GET, POST, etc.). But not all proxies are created equal, so just getting traffic to it may not be enough. You may need to update the proxy to work in this mode or explicity configure the clients.
You can also use ESI in route mode to force web traffic to the proxy. This mode rewrites the Ethernet header (OSI Layer 2), so controller and proxy need to be on the same subnet. Destination IP and port are unchanged, so essentially the proxy is inline without actually being inline (similar to a WCCP implementation).
Has anyone successfully implemented a Websense proxy server in explicit mode using this approach? Are ther any known limitations like device type?
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.