CacheGuard-OS
User's Guide - Version UF-2.2.1

Transparent Mode

CacheGuard appliance integrates a Web proxy that can be explicitly used by Web clients (humans or machines). In an explicit implementation, Web users must configure their Web browsers to use CacheGuard appliance as an HTTP/HTTPS proxy by using its internal IP address (web address in VLAN mode) and proxy port (8080 by default). If modifying Web browsers configurations would not be an option in your networks, you have the possibility to implement CacheGuard in a transparent mode. In transparent mode, HTTP traffic (and optionally HTTPS traffic) are transparently intercepted by the appliance and then can be handled by the many integrated services that a CacheGuard appliance offers (URL filtering, antivirus, Web caching...).

To be able to act as a transparent Web gateway (proxy), CacheGuard appliance must be placed on the Web traffic route (ie. Web traffic should traverse the CacheGuard appliance). The easiest way to achieve that, is to use CacheGuard appliance as the default gateway on your LAN. If using CacheGuard as the default gateway for all internet traffic is not wanted, you can use a switch L4 (Layer 4) and implement a policy-based routing that would route only Web traffic via the CacheGuard appliance. You must use the mode tweb on (or mode transparent on) command to activate the transparent mode.

Please note that the transparent interception of HTTPS traffic requires that you activate the SSL mediation on your CacheGuard appliance. Implementing the SSL mediation requires that you deploy the CacheGuard appliance CA certificate on all Web client devices. Please refer to the SSL Mediation section to get help on how to implement it.

Using a Switch L4

A switch L4 allows you to route the IP traffic according to the TCP/UDP headers in addition to and IP address. To route Web traffic only via the CacheGuard appliance and other traffic via another gateway, your policy-based routes on your switch L4 should route all traffic destined to the TCP port 80 (HTTP) and optionally the TCP port 443 (HTTPS) via the CacheGuard appliance and other traffic via your usual internet traffic. If you are familiar with Linux, you can perfectly use a Linux box to implement this policy-based routing. There are plenty of examples on the Web to learn how to implement policy-based routing with a Linux box. As an introduction to such a configuration, you can use the following commands on a Linux box to implement this policy-based routing:

• iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 5
• echo "100 transparent-proxy" >> /etc/iproute2/rt_tables
• ip route add default via <cacheguard-internal-ip> table transparent-proxy
• ip rule add fwmark 5 table transparent-proxy

where <cacheguard-internal-ip> would be your CacheGuard appliance internal IP address. Please refer to the ip and iptables man pages on a Linux machine to get further information Linux commands used in that configuration.

Selective Transparency

Once the transparent mode is activated on a CacheGuard appliance, all routed Web traffic via that appliance are intercepted by it regardless of the their IP addresses. This behaviour may have some limitations for users who want to have more control over their Web traffic (e.g. administrators). To remedy this behaviour, Web traffic interception may be limited to some networks only by using the transparent (or tweb) command. For instance, to limit the transparent mode to Web clients that belong to the 172.18.2.0 255.255.255.0 or 10.26.0.0 255.255.0.0 networks and routed via the internal network interface, you can use the following commands:

• mode transparent on
• transparent raz
• transparent add internal 172.18.2.0 255.255.255.0
• transparent add internal 10.26.0.0 255.255.0.0
• apply