When is the Upstream Proxy used?

Quick overview of our set up.

We have multiple sites with their own XGs (SFOS 17.1.1 MR1). Each site XG is in Bridge mode. Each site is connected to the WAN via a router. An Upstream Proxy (Parent Proxy) (hosted on the WAN) is required to access the internet.

Internet > (Upstream Proxy) > WAN > (many sites) Router > XG > LAN

Internet > (Upstream Proxy) > WAN are shared amongst all sites.

We have the Upstream Proxy configured under Routing.

We have some sites and services hosted on the WAN that require us to NOT use the Upstream Proxy.

A Firewall Rule with a Web Policy specified allows internet access through the Upstream Proxy.

A Firewall Rule without a Web Policy does not allow internet access even if the Firewall Rule explicitly specifies allowed domains/Internet IPs etc.

The Upstream Proxy only seems to be used when the Internet is accessed through a Web Policy. A Firewall Rule, without a Web Policy, does not appear to use the Upstream Proxy. Is this the expected behavior?

Do Web Exceptions bypass the Upstream Proxy or only the selected features to bypass (HTTPS, Malware scanning etc)?

Cheers,
Ben

  • Anyone willing to share any knowledge on when the Upstream Proxy is and isn't used?

  • In reply to bprc:

    I manage various firewalls (WAN) and would use the upstream proxy for redundancy i.e. if there's an internet outage at one or more of the sites is down. Have just migrated to XG17.1 and will test this next week.

  • In reply to envercpt:

    Hi,

    as i remember correctly, upstream proxy / parent proxy is used from Web proxy in xg, as well as all self generated http/s traffic (like registration / license sync). 

  • In Transparent Mode:

    In order for the port 80/443 traffic that flows through the XG firewall to be automatically directed to an upstream proxy, it must go through the on-box Web Proxy.

    If the port 80/443 traffic is flowing through the XG firewall based on a firewall rule alone (with no Web Proxy) then there is no way to modify the requests to send to an upstream proxy.

    To flow through the Web Proxy, you need to have the Services include HTTP/HTTPS, and you need to either have HTTP and HTTPS malware scanning on, or you need to have a Web Policy specified (anything except None).

    In Standard/Explicit/Direct Mode, anything that goes to Port 3128 will go through the proxy.  You still need to have a firewall rule for port 80/443 through.

     

    Higher level rule with destination set to your internal servers on WAN and no scanning or web policy.

    Lower level rile for all destinations, with a web policy.

     

    Another option would be to use a WPAD mechanism and "Automatically detect my settings" in the browser's proxy config.  Your WPAD could specify which sites can be access directly and which ones need to go through a specified proxy (the XG).  The firewall rule would not specify any policy so transparent access direct to the WAN sites don't go to upstream, while standard mode would.

    I would highly recommend turning on the malware scanning as well.

     

     

  • In reply to Michael Dunn:

    Thanks Michael.

    What about non-HTTP/HTTPS ports/protocols?

    Do they follow the same rules as 80/443 if they're included in the Firewall Rules (with a Web Policy specified)?

    Cheers

  • In reply to Michael Dunn:

    The Upstream Proxy is used in the following cases:

    - Port 80 and 443 traffic, as long as the either a Web Policy or Malware Scanning is on

    - Port 3128 traffic.  This can also include FTP if your client is configured that way (for example look at IE Proxy Settings).  This is FTP-over-HTTP.

    - All HTTP/HTTPS traffic that is generated by the XG itself (for example to get updates)

    Other traffic is not sent, because by definition an upstream proxy only handles HTTP and HTTPS (and FTP-over-HTTP).

    If you want to route other ports, those are firewall routing rules, which is a different topic.

     

    A firewall rule is required for any traffic to flow across the firewall.  Make sure you set the Service correctly (Service maps to ports).  Do not use the Any service (except when troubleshooting).  User/Network Rules are for outgoing traffic.  Business Application Rules are for incoming.