Transparent Proxy vs Explicit mode Proxy



Explicit Mode Proxy :-
• Client requests a website
• Browser connects first to WSA
• WSA connects to website
• Firewall usually only allows web traffic for WSA
• DNS Resolution is done by WSA



Disadvantages of explicit proxy deployment include the following:-
• A user can alter an individual client configuration and bypass the proxy. To counter this, you can configure the firewall to allow client traffic to proceed only through the proxy. Note that this type of firewall blocking may result in some applications not working properly.
     (Example:- IKEAHOME etc.)
• To bypass the proxy for any URL, you need to use a Group Policy object (GPO) setting every time to push the proxy exceptions, as well as to prevent users from changing proxy settings. This type of configuration can be difficult to maintain for a large user base because of the lack of centralized management.
• A few non-browser client applications that cannot specify a proxy server may not work with explicit proxy deployment.
• Most importantly, HTTPS scanning is not enabled in this mode. This has a big security impact, as the WSA is not scanning/inspecting HTTPS traffic. A user can easily download a malicious or virus-infected file on port 443 without it being inspected by the WSA.


Transparent Mode Proxy :-

Transparent proxy works via WCCP (Web Cache Coordination Protocol) on the Cisco ASA. WCCP is a method by which the ASA can redirect traffic to a WCCP caching engine through a generic routing encapsulation (GRE) tunnel.

The flow of work for redirection has these steps:

• The host uses the default gateway of the ASA to open the HTTP connection.
• The ASA redirects the packet (encapsulated in GRE) to the WSA.
• The WSA verifies or updates the cache for the requested site.
• The WSA replies directly to the host.
• All outbound packets from the host are redirected from the ASA to the WSA.
• All inbound packets from the server to the host are directed from the WSA to the host.



• Client requests a website
• Browser tries to connect to Website
• ASA-Firewall redirects traffic to WSA using WCCP
• WSA proxies the request
• DNS Resolution is done by the Client


Advantages of transparent proxy deployment include the following:-
• All Internet traffic from a client goes through the proxy (not just traffic from web browsers), including HTTP and HTTPS applications, instant messaging clients, software updaters for Windows, custom applications, etc.

• Because traffic management is centralized, users cannot easily bypass the proxy.

• The proxy can be bypassed for any traffic based on destination subnet or IP address on the firewall itself. Individual URLs can be bypassed on the WSA.

• Enabling transparent proxy will also enable HTTPS scanning, which inspects HTTPS port 443 traffic and will block any malicious or virus-infected file a user tries to access.


Configuration:-

• ASA allows only "redirect in"
  (a) Clients and WSA must be on the inside interface of the ASA
  (b) No DMZ deployment possible
• Inside ACL is checked before WCCP redirection
  (a) Destination server must be allowed in the ACL
• Redirection method is GRE based
• Redirect ACL allows permit and deny


WCCP Config in ASA Firewall: -

(Service IDs 90-97 are user configurable and support up to eight ports for each WCCP service.)

#wccp 90 redirect-list wccp_traffic group-list wccp-server
#wccp interface inside 90 redirect in


#access-list wccp_traffic extended permit tcp <LAN subnets> any eq www
#access-list wccp_traffic extended permit tcp <LAN subnets> any eq https
#access-list wccp_traffic extended deny ip any any

#access-list wccp-server extended permit ip host <WSA DATA PORT IP> any

#access-list acl-in extended permit tcp <LAN subnets> any eq www
#access-list acl-in extended permit tcp <LAN subnets> any eq https


WSA Config:-
Step 1:-
 Configure Transparent Redirection in WSA on ports 80 and 443.



Step 2:-
 Configure Web Proxy on port 80 for Transparent Proxy Mode.


Step 3:-
 Configure HTTPS Proxy on port 443 for Transparent Proxy Mode.
Generate a CSR and sign it with the internal root CA. Make sure this root CA is pushed to all client PCs through GPO etc.

If you need transparent proxy, the HTTPS proxy needs to be enabled. Also make sure a decryption policy is enabled for it.

Verification:-

The router identifier is always the highest IP address. Here my DMZ has 192.168.243.14, which is selected as the router ID.

ASA/pri/act# sh wccp 90

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.243.14
        Protocol Version:                    2.0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            687937782
        Redirect access-list:                wccp_traffic
        Total Connections Denied Redirect:   4544924
        Total Packets Unassigned:            24
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

The Web Cache ID is always the firewall interface IP where the WSA is connected.
ASA/pri/act# sh wccp 90 detail

WCCP Cache-Engine information:
        Web Cache ID:          10.101.21.194
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    687937833
        Connect Time:          15w3d
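
The two outputs above can be checked automatically. The following is an added example, not part of the original post: it parses the counters and the cache-engine state and lists anything that suggests redirection to the WSA is not working. The sample text is constructed from the output shown above, and the checks assume a single WSA registered for service 90.

```python
import re

# Constructed sample: fields copied from the "sh wccp 90" and
# "sh wccp 90 detail" output above (one service, one cache engine).
SAMPLE = """\
    Service Identifier: 90
        Number of Cache Engines:             1
        Total Packets Redirected:            687937782
        Total Connections Denied Redirect:   4544924
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
WCCP Cache-Engine information:
        Web Cache ID:          10.101.21.194
        State:                 Usable
        Hash Allotment:        256 (100.00%)
"""

def parse_fields(text):
    """Turn 'Label:   value' lines into a dict; heading lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def wccp_findings(text):
    """Return a list of problems; an empty list means redirection looks healthy."""
    f = parse_fields(text)
    problems = []
    if int(f.get("Number of Cache Engines", 0)) < 1:
        problems.append("no cache engine registered, so nothing is redirected to the WSA")
    elif f.get("State") != "Usable":
        problems.append(f"cache engine state is {f.get('State')!r}, expected 'Usable'")
    else:
        m = re.search(r"\(([\d.]+)%\)", f.get("Hash Allotment", ""))
        if not m or float(m.group(1)) < 100.0:
            problems.append("single WSA holds less than 100% of the hash buckets")
    # Non-zero values here mean WCCP messages were rejected by the ASA:
    # a sender outside the group-list, or a WCCP password mismatch.
    for counter in ("Total Messages Denied to Group", "Total Authentication failures"):
        if int(f.get(counter, 0)) > 0:
            problems.append(f"{counter} = {f[counter]}")
    return problems

if __name__ == "__main__":
    for line in wccp_findings(SAMPLE) or ["WCCP service 90 looks healthy"]:
        print(line)
```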



Authentication server type:-
Currently we are using NTLMSSP or Basic Authentication.
NTLMSSP:- enables the client to send the credentials securely and transparently (SSO) to the web proxy.

NTLM Basic:- allows the client to send the username and password in plain text when prompted for the credentials.

NTLMSSP or Basic Authentication:- The client chooses the best available method when the "Use Basic or NTLMSSP" option is selected (recommended). If the client supports NTLMSSP, it will use this method, and all other browsers will use Basic. This allows for maximum compatibility.

If the client does not trust the WSA, it will not send its credentials transparently (SSO).
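
To see which of the two methods a client actually fell back to, the headers of the 401 challenge and of the client's retry can be inspected in a packet capture. The following is an added example, not part of the original post: it lists the schemes the WSA offered and flags a Basic credential sent without TLS. All header values, the user name and the password are constructed samples.

```python
import base64

# Constructed sample headers: a 401 challenge offering both schemes,
# a client retry using Basic, and a client retry using NTLMSSP.
CHALLENGE = [("WWW-Authenticate", "NTLM"),
             ("WWW-Authenticate", 'Basic realm="WSA"')]
BASIC_RETRY = [("Authorization",
                "Basic " + base64.b64encode(b"jdoe:Example-Pass1").decode())]
NTLM_RETRY = [("Authorization",
               "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01").decode())]

def offered_schemes(headers):
    """Schemes offered in a 401 challenge, in the order they were sent."""
    return [v.split()[0] for k, v in headers if k.lower() == "www-authenticate"]

def audit_auth(challenge, retry, over_tls=False):
    """Return findings for one challenge/retry pair taken from a capture."""
    findings = []
    offered = [s.lower() for s in offered_schemes(challenge)]
    if "basic" in offered and not over_tls:
        findings.append("Basic offered on cleartext HTTP")
    for k, v in retry:
        if k.lower() != "authorization":
            continue
        scheme, _, blob = v.partition(" ")
        if scheme.lower() == "basic":
            # Basic is base64("user:password"): encoded, not encrypted.
            # Only the user name is reported; the password is discarded.
            user = base64.b64decode(blob).decode("utf-8", "replace").partition(":")[0]
            findings.append(f"user {user!r} sent a reversible Basic credential"
                            + ("" if over_tls else " in cleartext"))
        elif scheme.lower() == "ntlm":
            findings.append("client used NTLMSSP (no password on the wire)")
    return findings

if __name__ == "__main__":
    print(offered_schemes(CHALLENGE))
    for finding in audit_auth(CHALLENGE, BASIC_RETRY):
        print(finding)
```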

PC----- > ASA ------- >WSA

Step 1: When the PC tries to access any URL, or sends any port 80 or 443 traffic, the packet is sent to the ASA.
Step 2: The ASA redirects the same traffic to the WSA using the WCCP config.
Step 3: The WSA now directly sends a GET request to the client (HTTP 401 Authorization required), where source = WSA_IP and destination = PC_IP, asking for credentials.
Step 4: The client sends its credentials automatically (SSO - Single Sign On), or prompts the end user to manually enter their credentials.
    (Below is the packet capture asking for Authorization)



SSO for Intranet sites:-
By default, the client does not trust the authentication redirection URLs (transparent deployments only).
If the client accesses an ADFS URL which requires authentication, the client may not trust the redirected location, i.e. (*.domain.com).
The workaround to make Internet Explorer trust it is to add the end URL to IE > Local Intranet Zone.


If you have any queries please comment!
