CacheGuard-OS
User's Guide - Version UF-2.0.2

Transparent Mode

To secure and optimise Web traffic, the appliance acts as a Web proxy so internal Web users can configure their Web browser to use the appliance as a Web proxy for HTTP, HTTPS and FTP. This may be a constraint in some environments. Fortunately there is a method to implement the appliance in a transparent mode so no Web browser settings will be required. The transparent mode concerns only HTTP and HTTPS traffic using standard ports (80 and 443). In transparent mode, the appliance intercepts HTTP and optionally HTTPS traffic so it can:

• Cache Web traffic
• Compress Web traffic
• Log Web Accesses
• Guard against unwanted URLs
• Manage the QoS
• Operate as a Firewall
• Act as an SSL mediator

To act as a transparent Web gateway, all Web traffic should be routed via the appliance. To route Web traffic via the appliance you may either configure the appliance as a network gateway in your LANs or implement Policy-Based routing using a switch L4 (Layer 4) to route only Web traffic via the appliance.

CacheGuard as the default Gateway

The idea is to route all network traffic to the internet via the appliance so the appliance intercepts HTTP traffic, operating as a secure Web gateway while other network traffic is just routed.

This implementation is straightforward and easy to integrate in small and medium networks. However large networks may require a more sophisticated implementation in which only Web traffic is routed via the appliance. We will discuss the latter in the next section. To implement the appliance as a transparent internet gateway use the following commands:

• mode router on
• mode web on
• mode transparent on
• apply

Policy-Based Routing

The aim is to route only Web traffic via the appliance and let other traffic to be routed via your existing network infrastructures. Implementing this method requires a network switch layer 4 or similar equipment capable of routing network traffic according to the TCP headers. This implementation is a better solution for large networks because the appliance does not have to support all network traffic, but only HTTP traffic (on the port number 80). To implement this method configure the appliance with the following commands:

• mode transparent on
• apply

Note that a Linux box with netfilter and iproute2 modules may act as a switch L4. To set a Linux box as a switch L4 routing the Web traffic via the appliance, use the following commands in your Linux box:

• iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 5
• echo "100 transparent-proxy" >> /etc/iproute2/rt_tables
• ip route add default via <cacheguard-internal-ip> table transparent-proxy
• ip rule add fwmark 5 table transparent-proxy

Selective Transparency

By default the transparent mode is applied to all networks. This behaviour may have some limitations for users who want to have more control over their Web traffic (e.g. Administrators). That's why the transparency may be limited to some subnets only. To configure the transparent mode for traffic exchanged with the subnets "172.18.2.0 / 255.255.255.0" and "10.26.0.0 / 255.255.0.0" via the internal network interface only use the following commands:

• mode transparent on
• transparent raz
• transparent internal add 172.18.2.0 255.255.255.0
• transparent internal add 10.26.0.0 / 255.255.0.0
• apply

In this configuration the appliance does not act as a transparent gateway for subnets other than those denoted.