As we tested the IronPort S-Series, we quickly ran into an old and unsolved problem with enterprise Web proxies: how to get end user browsers to actually use the proxy.
When a Web browser uses a proxy, the protocol between the browser and the Web proxy is slightly different from the one a browser uses straight to a Web server. Thus, the best interoperability between Web browser and Internet Web servers occurs when the browser is aware of the proxy.
If the proxy server is inserted transparently between the client and the server, without any special browser configuration, then several problems quickly creep up. Some of the problems are show-stoppers. For example, if the proxy attempts to decrypt SSL traffic, the browser will raise alerts. If the proxy requires authentication to differentiate different types of users or for accounting, this can be incompatible with other Web pages that also require authentication. There's a whole RFC (RFC-3143) listing problems with Web proxies.
On the other hand, if you want perfect interoperability, you have to get the proxy configuration information to the Web browser somehow. Several semi-automatic methods exist under the rubric of Web Proxy Auto-Discovery Protocol (WPAD), or, you could manually load the proxy configuration information into the PC.
These two options set up the tension that network managers have to deal with: transparent proxy (also called "intercepting proxy") which doesn't require touching the Web browser, but also doesn't work all the time, vs. explicit proxy that requires WPAD and a cooperating device, but which works much better.
Cisco supports both approaches with its IronPort S-series appliance. Using Cisco's own Web Cache Communication Protocol (WCCP) to transparently redirect traffic is one approach, assuming you have a WCCP device (such as a Cisco switch or router) to do the redirection. We started with WCCP as part of our test. However, we quickly discovered that the ASA appliance can push a proxy server to AnyConnect clients when the VPN tunnel is established, and this was a cleaner and more interoperable solution on all our test platforms.
Read more about wide area network in Network World's Wide Area Network section.
This story, "Proxy configurations: The lesser of two evils" was originally published by Network World.
PayPal has fixed a serious vulnerability in its back-end management system that could have allowed...
Niantic's earlier location-based game is an Android favorite, but it doesn't have the same accessible...
China's state-run news site said that the nation has pressed further ahead of other countries in its...
Amazon is promoting a few minor tech deals today, but the big sales are still a few days away.
The company will instead bundle the security updates into fewer releases, citing Android's monthly...
The creators of the Petya and Mischa ransomware programs leaked around 3,500 RSA private keys allegedly...
These nine 'smart' gadgets — which include cameras, security systems, a thermostat, IoT lighting and a...