CacheGuard OS
User's Guide - Version 5.7.6
Transparent Mode
To secure and optimise Web traffic, the appliance acts as a Web proxy: internal Web surfers configure their Web browser to use the appliance as a proxy for HTTP, HTTPS and FTP. This may be a constraint in some environments. Fortunately, the appliance can also be deployed in transparent mode, in which no Web browser settings are required. Transparent mode concerns only HTTP traffic using the standard port number 80.
In transparent mode, the appliance intercepts HTTP traffic so it can:
- Cache HTTP traffic
- Compress HTTP traffic
- Log HTTP Accesses
- Guard against unwanted URLs
- Manage the Web QoS
- Operate as a Firewall
- Provide High Availability
To act as a transparent Web gateway, all Web traffic must be routed via the appliance. To route Web traffic via the appliance you may either configure the appliance as the network gateway of your LANs or deploy a Layer 4 (L4) switch that routes only Web traffic via the appliance.
CacheGuard as the default Gateway
The idea is to route all network traffic to the Internet via the appliance so the appliance intercepts HTTP traffic, operating as a secure Web gateway while other network traffic is just routed.
This implementation is straightforward and easy to integrate in small and medium networks. However, large networks may require a more sophisticated implementation in which only Web traffic is routed via the appliance; this is discussed in the next section. To implement the appliance as a transparent Internet gateway, use the following commands:
- mode router on
- mode transparent on
- apply
Using a Switch L4
The aim is to route only Web traffic via the appliance and let all other traffic be routed via your existing network infrastructure. Implementing this method requires a Layer 4 network switch or similar equipment capable of routing network traffic according to TCP headers.
This implementation is a better solution for large networks because the appliance does not have to carry all network traffic, only HTTP traffic (on port 80). To implement this method, configure the appliance with the following commands:
- mode transparent on
- apply
Note that a Linux box with the netfilter and iproute2 tools can act as an L4 switch. To configure a Linux box as an L4 switch that routes Web traffic via the appliance, run the following commands on the Linux box:
- iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 5
- echo "100 transparent-proxy" >> /etc/iproute2/rt_tables
- ip route add default via <cacheguard-intern-ip> table transparent-proxy
- ip rule add fwmark 5 table transparent-proxy
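The following script is an added example, not part of the CacheGuard guide, that wraps the four commands above into a reusable function. It assumes the appliance's internal IP and the client-facing LAN interface are passed as parameters, and that the appliance itself reaches the Internet through the same Linux box: in that topology the bare rule above would also mark the appliance's own outbound port-80 connections and route them straight back to it, so the rule is restricted to the LAN interface and excludes the appliance as source. It also avoids appending a duplicate table alias to rt_tables on every run. Without APPLY=1 it only prints the commands.

```shell
#!/bin/sh
# Added example (not CacheGuard's own code): build the netfilter/iproute2
# rules that turn a Linux box into an L4 switch for a CacheGuard appliance.
# Usage: l4_switch_rules <appliance-internal-ip> <lan-interface>
# Set APPLY=1 (as root) to execute the generated commands instead of printing.

MARK=5                      # fwmark value from the guide
TABLE_ID=100                # routing table number from the guide
TABLE_NAME=transparent-proxy
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# Coarse sanity check: accept only a dotted-quad IPv4 address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the rule set for the given appliance IP and LAN interface.
#  - "-i $lan_if ! -s $cg_ip" marks only client traffic arriving on the LAN
#    side, never the appliance's own outbound HTTP (which would otherwise be
#    policy-routed back to the appliance and loop).
#  - the rt_tables alias is added only if it is not already present.
l4_switch_rules() {
    cg_ip=$1; lan_if=$2
    valid_ipv4 "$cg_ip" || { echo "bad appliance IP: $cg_ip" >&2; return 1; }
    [ -n "$lan_if" ] || { echo "missing LAN interface" >&2; return 1; }
    cat <<EOF
iptables -t mangle -A PREROUTING -i $lan_if ! -s $cg_ip -p tcp --dport 80 -j MARK --set-mark $MARK
grep -q "^$TABLE_ID[[:space:]]$TABLE_NAME\$" $RT_TABLES || echo "$TABLE_ID $TABLE_NAME" >> $RT_TABLES
ip route add default via $cg_ip table $TABLE_NAME
ip rule add fwmark $MARK table $TABLE_NAME
EOF
}

# Only execute the commands when explicitly requested (requires root).
if [ -n "$APPLY" ]; then
    l4_switch_rules "$@" | sh -e
fi
```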
Copyright (C) 2002-2011 CacheGuard - All rights reserved