Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

What's the function of ESI groups?

This thread has been viewed 1 times

  • 1.  What's the function of ESI groups?

    Posted Dec 22, 2011 01:54 PM

    I'm having troubles redirecting the traffic to a Explicit Proxy through Dst-Nat as posted in this discuss:

    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Best-way-to-force-guests-to-use-a-proxy/m-p/6269/highlight/true#M32

     

    So I would like to know whether I could redirect the traffic with ESI groups, I've read some information about that and maybe it could help...

     

    Additionaly, if I use dst-nat (I guess) is for captive portal pourposes, or something related to that, cause if Im going to Google.com (for instance) and my controller change the destination address to the proxy's IP, how would know the proxy where my client is wanting to go???

     

    Thanks in advance,

     

    César



  • 2.  RE: What's the function of ESI groups?

    EMPLOYEE
    Posted Dec 22, 2011 02:17 PM

    Do you have a transparent proxy?



  • 3.  RE: What's the function of ESI groups?

    Posted Dec 22, 2011 02:37 PM

    No Colin, the idea is redirect the traffic to a explicit proxy without configure each client (browser).



  • 4.  RE: What's the function of ESI groups?

    EMPLOYEE
    Posted Dec 22, 2011 04:04 PM

    Then the ESI can certainly do that for you.  Please look at the configuration in the user guide.  the " Redirection Policies and User Role" portion is what applies to your situation.  It is not guaranteed, however that your web filter will be able to handle traffic sent to it in this manner.



  • 5.  RE: What's the function of ESI groups?

    Posted Dec 22, 2011 07:29 PM

    Either dst-nat or ESI in NAT mode can redirect specified traffic to a different IP destination (such as a proxy server or content filter). In fact, Aruba's CSS is a cloud-based content service where the controller or RemoteAP dst-nats http traffic to the closest enforcement node. You normally would not need to set up ESI unless you had multiple proxies (load balancing) or wanted the ESI health checks to bypass the proxy server when it was down; otherwise dst-nat is simpler and would suffice.

     

    The proxy server knows where the client is trying to go because the URL is specified within the HTTP packet (GET, POST, etc.). But not all proxies are created equal, so just getting traffic to it may not be enough. You may need to update the proxy to work in this mode or explicity configure the clients.

     

    You can also use ESI in route mode to force web traffic to the proxy. This mode rewrites the Ethernet header (OSI Layer 2), so controller and proxy need to be on the same subnet. Destination IP and port are unchanged, so essentially the proxy is inline without actually being inline (similar to a WCCP implementation).



  • 6.  RE: What's the function of ESI groups?

    Posted Apr 14, 2014 05:28 PM

    Has anyone successfully implemented a Websense proxy server in explicit mode using this approach? Are ther any known limitations like device type?