CacheGuard OS
User's Guide - Version EH-1.3.7


Transparent Mode

To secure and optimise Web traffic, the appliance acts as a Web proxy so internal Web users can configure their Web browser to use the appliance as a Web proxy for HTTP, HTTPS and FTP. This may be a constraint in some environments. Fortunately there is a method to implement the appliance in a transparent mode so no Web browser settings will be required. The transparent mode concerns only HTTP and HTTPS traffic using standard ports (80 and 443).

In transparent mode, the appliance intercepts HTTP and optionally HTTPS traffic so it can:

To act as a transparent Web gateway, all Web traffic should be routed via the appliance. To do so, you may either configure the appliance as the network gateway in your LANs, or implement policy-based routing using a Layer 4 (L4) switch so that only Web traffic is routed via the appliance.

CacheGuard as the default Gateway

The idea is to route all network traffic to the Internet via the appliance so the appliance intercepts HTTP traffic, operating as a secure Web gateway while other network traffic is just routed.

This implementation is straightforward and easy to integrate in small and medium networks. However, large networks may require a more sophisticated implementation in which only Web traffic is routed via the appliance. We will discuss the latter in the next section. To implement the appliance as a transparent Internet gateway use the following commands:

Policy-Based Routing

The aim is to route only Web traffic via the appliance and let other traffic be routed via your existing network infrastructure. Implementing this method requires a Layer 4 network switch or similar equipment capable of routing network traffic according to the TCP headers. This implementation is a better solution for large networks because the appliance does not have to support all network traffic, but only HTTP traffic (on port 80). To implement this method configure the appliance with the following commands:

Note that a Linux box with netfilter and iproute2 modules may act as a Layer 4 switch. To set up a Linux box as a Layer 4 switch routing the Web traffic via the appliance, use the following commands on your Linux box:
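
As an added illustration (not the guide's own commands), the script below generates a netfilter and iproute2 rule set that steers only TCP port 80 from chosen client subnets to the appliance. The appliance address 192.0.2.10, the interface names eth0 and eth1, the mark and table number 80, and the helper names are assumptions; the two subnets are the ones the guide uses under Selective Transparency, written in CIDR form.

```shell
#!/bin/sh
# Added example, not CacheGuard's own commands. Constructed values:
# 192.0.2.10 = appliance, eth0 = client-facing interface, eth1 = interface
# toward the appliance, 80 = firewall mark and routing table number.
FWMARK=80
RT_TABLE=80

# Input guards: the emitted lines are meant to be piped to a root shell, so
# reject anything that is not a plain address, CIDR block or interface name.
is_ipv4() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
is_cidr() {
    case $1 in *[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}
is_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# pbr_commands APPLIANCE_IP LAN_IF PROXY_IF SUBNET...
# Prints the commands to run; returns 1 (printing nothing) on invalid input.
pbr_commands() {
    [ "$#" -ge 4 ] || return 1
    appliance=$1 lan_if=$2 proxy_if=$3
    shift 3
    is_ipv4 "$appliance" && is_ifname "$lan_if" && is_ifname "$proxy_if" || return 1
    for net in "$@"; do is_cidr "$net" || return 1; done

    echo "sysctl -w net.ipv4.ip_forward=1"
    # Mark only port-80 TCP arriving from the listed client subnets.
    # Matching on the client-facing interface leaves the appliance's own
    # outbound requests (arriving on proxy_if) unmarked, so they do not loop.
    for net in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i $lan_if -s $net -p tcp --dport 80 -j MARK --set-mark $FWMARK"
    done
    # Marked packets use a dedicated table whose default route is the appliance.
    echo "ip rule add fwmark $FWMARK table $RT_TABLE"
    echo "ip route add default via $appliance dev $proxy_if table $RT_TABLE"
}

# Dry run by default: review the output, then pipe it to a root shell to apply.
pbr_commands 192.0.2.10 eth0 eth1 172.18.2.0/24 10.26.0.0/16
```

If the appliance's replies pass back through this box carrying the origin server's address as source, strict reverse-path filtering (`rp_filter=1`) on the appliance-facing interface can drop them; loose mode (`2`) on that interface avoids this.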

Selective Transparency

By default the transparent mode is applied to all networks. This behaviour may have some limitations for users who want to have more control over their Web traffic (e.g. Administrators). That's why the transparency may be limited to some subnets only. To configure the transparent mode for subnets "172.18.2.0 / 255.255.255.0" and "10.26.0.0 / 255.255.0.0" only, use the following commands:

In this configuration the appliance does not act as a transparent gateway for subnets other than those denoted.