As we tested the IronPort S-Series, we quickly ran into an old and unsolved problem with enterprise Web proxies: how to get end user browsers to actually use the proxy.
When a Web browser uses a proxy, the protocol between the browser and the Web proxy is slightly different from the one a browser uses straight to a Web server. Thus, the best interoperability between Web browser and Internet Web servers occurs when the browser is aware of the proxy.
If the proxy server is inserted transparently between the client and the server, without any special browser configuration, then several problems quickly creep up. Some of the problems are show-stoppers. For example, if the proxy attempts to decrypt SSL traffic, the browser will raise alerts. If the proxy requires authentication to differentiate different types of users or for accounting, this can be incompatible with other Web pages that also require authentication. There's a whole RFC (RFC-3143) listing problems with Web proxies.
On the other hand, if you want perfect interoperability, you have to get the proxy configuration information to the Web browser somehow. Several semi-automatic methods exist under the rubric of Web Proxy Auto-Discovery Protocol (WPAD), or, you could manually load the proxy configuration information into the PC.
These two options set up the tension that network managers have to deal with: transparent proxy (also called "intercepting proxy") which doesn't require touching the Web browser, but also doesn't work all the time, vs. explicit proxy that requires WPAD and a cooperating device, but which works much better.
Cisco supports both approaches with its IronPort S-series appliance. Using Cisco's own Web Cache Communication Protocol (WCCP) to transparently redirect traffic is one approach, assuming you have a WCCP device (such as a Cisco switch or router) to do the redirection. We started with WCCP as part of our test. However, we quickly discovered that the ASA appliance can push a proxy server to AnyConnect clients when the VPN tunnel is established, and this was a cleaner and more interoperable solution on all our test platforms.
Read more about wide area network in Network World's Wide Area Network section.
This story, "Proxy configurations: The lesser of two evils" was originally published by Network World.
Picking an Android phone can be difficult, but we're here to help. These are the top Android phones you...
Are your assets bankable in 2017? Hiring managers say they'll seek out these skills most in the New...
Step into Google's new virtual world with the most mesmerizing titles available.
Dwindling labor cost savings offshore are leading many captive centers to implement new robotic process...
A potential victim tries to turn the tables on a spear phisher.
The free service for document-sharing with live code can be used for building machine learning models