
Zscaler and Transparent proxying - Part 2

.... The next step was to configure the Linux OS to NAT port 80 to the proxy port [default is 3128].

http://www.tldp.org/HOWTO/TransparentProxy-5.html


iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

A quick test to verify that the above was working was to change the proxy port in the browser to 80; this confirmed that the rule was applied and working just as intended.
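The browser test can be complemented by checking the loaded ruleset itself. The script below is an added example, not part of the original post: it parses `iptables-save` output, confirms the port 80 to 3128 REDIRECT on the expected interface, and warns when nothing stops clients from connecting to the proxy port directly. The function name `audit_intercept`, the sample ruleset, and the mangle-table DROP check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit `iptables-save` output for the interception rule.
# Usage on the proxy host: iptables-save | audit_intercept eth0 80 3128
# Returns 0 = OK, 1 = REDIRECT rule missing, 2 = present with warnings.
audit_intercept() {
    awk -v iface="$1" -v dport="$2" -v proxy="$3" '
        /^\*/ { table = substr($0, 2); next }   # table header: *nat, *mangle
        $1 != "-A" { next }                      # skip chain policies, COMMIT
        {
            in_if = ""; dp = ""; target = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "--dport") dp = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                # iptables-save writes the plural form of --to-port
                else if ($i == "--to-ports" || $i == "--to-port") to = $(i + 1)
            }
            if ($2 != "PREROUTING") next
            if (table == "nat" && target == "REDIRECT" && dp == dport && to == proxy) {
                found = 1
                if (in_if != iface) {
                    loose = 1
                    print "WARN: REDIRECT is not limited to -i " iface
                }
            }
            # Assumed hardening (not from the post): drop clients that
            # connect straight to the proxy port instead of being redirected.
            if (table == "mangle" && target == "DROP" && dp == proxy) guard = 1
        }
        END {
            if (!found) { print "FAIL: no REDIRECT " dport " -> " proxy; exit 1 }
            if (!guard) print "WARN: port " proxy " is open to direct connections"
            rc = (loose || !guard) ? 2 : 0
            exit rc
        }'
}

# Constructed sample: a ruleset holding only the rule from this post.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
printf '%s\n' "$SAMPLE" | audit_intercept eth0 80 3128 || echo "status: $?"
```

The mangle PREROUTING chain is evaluated before nat PREROUTING, so a DROP there on port 3128 affects only direct connections; redirected traffic still carries destination port 80 at that point.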


Having verified the Squid configuration, I had to find a way to route traffic to the Squid server transparently. This could have been achieved with policy-based routing on the firewall; a more efficient option is to use the WCCP protocol [if your network devices support it].

This required certain changes on the Squid server, as well as the routers on my network.

As per Squid's documentation here, both WCCP V1 and V2 are supported by the latest version of Squid.

The configuration example from Cisco's website shows how WCCP can be enabled on L3 switches.

Once WCCP was enabled, clients started to connect to the Zscaler gateway transparently. The XFF configuration from part 1 allows the clients to connect to the Zscaler gateway without the need for authentication.
