Occasional Contributor II

Re: Best way to force guests to use a proxy?




We're trying to accomplish the same thing here, to replace the WCCP2 provided by our Cisco switch. However, I can't get it to work. I can't see where the d-nat packets go - a netstat on the proxy shows no sign of them, even though I see firewall hits for the policies on the Aruba controller. What else can I do to trace where these packets are ending up?

This line below:
1 user 72.2.0.12 svc-http permit
Allows traffic directed at the proxy (if I enable manual proxy in the browser, which works) to go through without a d-nat. Any other port 80 traffic is caught by the next rule.
2 user any svc-http dst-nat ip 72.2.0.12 80

(Aruba6000) #show rights sls-domain-admin

Derived Role = 'sls-domain-admin'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Assigned VLAN = 3
Periodic reauthentication: Disabled
ACL Number = 56/0
Max Sessions = 65535


access-list List
----------------
Position  Name              Location
--------  ----              --------
1         http-proxy-redir
2         allowall

http-proxy-redir
----------------
Priority  Source  Destination  Service   Action                   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------                   ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    72.2.0.12    svc-http  permit                                            Low
2         user    any          svc-http  dst-nat ip 72.2.0.12 80                           Low

allowall
--------
Priority  Source  Destination  Service   Action                   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------                   ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          any       permit                                            Low

Expired Policies (due to time constraints) = 0

Occasional Contributor II

Re: Best way to force guests to use a proxy?

Resolved. It turns out routing needs to be enabled on the VLANs in question on the controller. We had disabled routing for all VLANs since we have Cisco 6x00s doing our routing. This appears to offer a simple alternative to WCCP for proxy transparency, but we'll see how it works in production. Our Cisco 6000 Sup1/MSFC was choking during peak loads using WCCP2... :-(
New Contributor

Re: Best way to force guests to use a proxy?

Sorry for bringing up this old thread.
I managed to force HTTP traffic to my proxy server, but it's not working for HTTPS traffic.
I'm using a Bluecoat ProxySG and did a policy trace.

For HTTP traffic, I can see the URL being forwarded to the proxy from the wireless controller IP (interface NAT on the controller).

For HTTPS traffic, I'm seeing the URL translated to the proxy-ip.

I'm puzzled by all of this, because my gut feeling is that the HTTPS behaviour is what I'm supposed to get logically, whereas HTTP is not. The reason: I don't understand WHY a dst-nat of ANY HTTP traffic to proxy-ip will retain the full actual URL as the user typed it and forward it to the proxy.

Whereas for HTTPS, the dst-nat is doing its job: it translates the URL to proxy-ip and thus it fails on my Bluecoat.

Any help to resolve this?
Guru Elite

Re: Best way to force guests to use a proxy?

dst-NAT will ONLY work for port 80, unfortunately. SSL using dst-nat and Bluecoat will not work in that fashion, unfortunately.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
New Contributor

Re: Best way to force guests to use a proxy?




Ya.. pretty frustrated with this..

In a way, do you see this as a bug? It seems that a wrong behaviour for port 80 makes things work, whereas a correct behaviour for 443 just breaks it.

Guru Elite

Re: Best way to force guests to use a proxy?

No, because SSL does not work with destination NAT on any platform. Aruba is no exception to that rule.

Occasional Contributor II

Re: Best way to force guests to use a proxy?

Hi All,

I know this is an old post, but we're just starting a content filtering initiative and I'm interested to know how people handle 443 traffic since destination NAT doesn't work.

Thanks,
Pete
Contributor I

Re: Best way to force guests to use a proxy?

I'm so curious about this. How can a DNAT of all HTTP traffic to the proxy server work if the client browser usually does not include the host in the URL of a direct HTTP request? Has that changed over time in the latest versions of browsers?
