Proxies

The appliance uses its proxy functions to intercept web traffic and transmit it if this is allowed by the filtering rules. You can configure these functions to meet the requirements of your network.

The following are key settings for proxies:

Network mode — Explicit proxy mode or a transparent mode
Specific settings can be configured for each of these modes.

Network protocol — HTTP, HTTPS, FTP, ICAP, and instant messaging protocols
Protocol settings are common proxy settings that can be configured for each of the network modes.

You can configure other common proxy settings and also implement special proxy solutions, for example, reverse HTTPS proxy or proxy auto-configuration.

Configure proxies
You can configure the proxy functions of the appliance as is appropriate for your network.

Explicit proxy mode
In explicit proxy mode, the clients that have their web traffic filtered on the appliance “know” they are connected to it. They must explicitly be configured to direct their web traffic to the appliance.

Best practices - Configuring the Proxy HA mode
The Proxy HA network mode that can be configured on Web Gateway is an explicit proxy mode with High Availability functions. It allows you to perform failover and load balancing without using external load balancers.

Best practices - High Availability configuration size limits
When configuring the Proxy HA (High Availability) network mode, you need to consider the number of Web Gateway appliances to include in the configuration.

Best practices - Configuring the explicit proxy mode with WCCP
When implementing the explicit proxy mode on a Web Gateway appliance, you can configure the redirection of web traffic to Web Gateway under WCCP (Web Cache Communication Protocol). Use of this protocol considerably enhances the capabilities for load balancing and failover.

Transparent router mode
The transparent router mode is one of the two transparent modes you can configure for the proxy functions of a Web Gateway appliance if you do not want to use an explicit mode.

Transparent bridge mode
The transparent bridge mode is one of the transparent modes you can configure for the proxy functions of the appliance if you do not want to use an explicit mode.

Packet size handling
When communication between Web Gateway on an appliance and its clients requires that the size of data packets is handled in a flexible manner, only the explicit proxy mode can be configured as usual.

Configure servers for ICAP communication
Configure servers for ICAP communication in each of the two ICAP modes by specifying their IP addresses or fully qualified domain names.

Secure ICAP
When an appliance takes the roles of server and client under the ICAP protocol, communication can be performed in SSL-secured mode.

SOCKS proxy
You can configure Web Gateway to run as a proxy that forwards web traffic under the SOCKS (Sockets) protocol.

Instant messaging
Instant messaging proxies can be set up on an appliance to filter instant messaging (IM) chat and file transfer.

XMPP proxy
When filtering instant messaging communication on an appliance, one of the methods you can use is to set up a proxy under the XMPP (Extensible Messaging and Presence Protocol).

Configure common proxy settings
You can configure common proxy settings in addition to the specific settings for a network mode. Common proxy settings include settings for the different types of proxies that can be configured on Web Gateway.

Controlling outbound source IP addresses
Using different source IP addresses for outbound connections from Web Gateway to web servers or next-hop proxies can lead to connection problems. To avoid these problems, you can replace these addresses with a single address.

Best practices - Configuring FTP over HTTP
Working with FTP over HTTP, users can retrieve files from an FTP server without setting up and configuring an FTP client.

Using WCCP to redirect FTP traffic
Requests that clients of Web Gateway send to servers under the FTP protocol can be redirected to Web Gateway using the WCCP (Web Cache Communication Protocol) redirection method.

Using the Raptor syntax for FTP logon
When Web Gateway is configured to run as an FTP proxy, the Raptor syntax can be used for logging on to an FTP server with Web Gateway as a proxy.

Node communication protocols
When Web Gateway appliances run as director and scanning nodes in a Central Management configuration, communication between the nodes uses the Virtual Router Redundancy Protocol (VRRP) and MWG Management Protocol.

Using DNS servers according to domains
The use of DNS (Domain Name System) servers to resolve domain information provided in URLs into IP addresses when requests for web access are processed on Web Gateway can be configured according to the domains of the requested destinations.

Using DXL messages to exchange web security information
You can use the DXL technology to send and receive information to and from web security products that are connected to Web Gateway in a common security architecture.

Best practices - Working with the user-agent header
The user-agent header is a header in a request for web access sent under the HTTP protocol. This header identifies the software program that was used to send the request. You can work with this header to create a rule that performs a particular action on a request that contains this header.

Bypassing for Office 365 and other Microsoft services
Requests sent to Office 365 and other Microsoft services, and responses received from these services, can be configured to bypass filtering to avoid a load increase on Web Gateway.

Reverse HTTPS proxy
A reverse HTTPS proxy configuration can prevent clients from uploading unwanted data, such as malware or particular media types, to web servers under the HTTPS protocol.

Proxy auto-configuration
One or more proxy auto-configuration (PAC) files can be made available on an appliance for web browsers on clients. The browsers can use them to find proxies for accessing particular web pages.