CacheGuard-OS
User's Guide - Version UF-2.3.5
Transparent Mode
The CacheGuard appliance integrates a Web proxy that can be explicitly used by Web clients (users or machines). In an explicit implementation, Web users must configure their browsers to use the CacheGuard appliance as an HTTP/HTTPS proxy by specifying its internal IP address (web address in VLAN mode) and proxy port (8080 by default). If modifying browser configurations is not an option in your network, you can implement CacheGuard in transparent mode. In transparent mode, HTTP traffic (and optionally HTTPS traffic) is transparently intercepted by the appliance and can then be processed by the various integrated services that the CacheGuard appliance offers (such as URL filtering, antivirus protection, Web caching, and more).
To function as a transparent Web gateway (proxy), the CacheGuard appliance must be positioned along the Web traffic path — meaning that all Web traffic must pass through it. The simplest method to achieve this is to use the CacheGuard appliance as the default gateway for your LAN. If using CacheGuard as the default gateway for all Internet traffic is not desirable, a Layer 4 (L4) switch may be employed to implement policy-based routing, ensuring that only Web traffic is routed through the CacheGuard appliance. To activate the transparent mode, use the mode tweb on (or mode transparent on) command.

Please note that transparent interception of HTTPS traffic requires the SSL mediation feature to be enabled on your CacheGuard appliance. Implementing SSL mediation also requires the deployment of the CacheGuard appliance CA certificate on all Web client devices. Please refer to the SSL Mediation section for guidance on implementing this functionality.
Using a Layer 4 Switch
A Layer 4 (L4) switch allows routing of IP traffic based not only on IP addresses but also on TCP/UDP headers. To ensure that only Web traffic is routed through the CacheGuard appliance while other traffic is directed through a different gateway, your policy-based routes on the L4 switch should route all traffic destined for TCP port 80 (HTTP) and, optionally, TCP port 443 (HTTPS) via the CacheGuard appliance, while all other traffic continues via your standard Internet gateway.

If you are familiar with Linux, you can also use a Linux machine to implement this type of policy-based routing. Numerous examples and tutorials are available online describing this configuration. As an introduction, the following example demonstrates how to implement policy-based routing on a Linux machine:
- iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 5
- echo "100 transparent-proxy" >> /etc/iproute2/rt_tables
- ip route add default via <cacheguard-internal-ip> table transparent-proxy
- ip rule add fwmark 5 table transparent-proxy
In the example above, <cacheguard-internal-ip> should be replaced with the internal IP address of your CacheGuard appliance. Please refer to the ip and iptables manual pages on a Linux system for further information on these commands.
Selective Transparency
Once transparent mode is activated on a CacheGuard appliance, all Web traffic routed through it is intercepted, regardless of source or destination IP addresses. This behaviour may be restrictive for users who require more control over their Web traffic (for example, administrators). To address this, Web traffic interception can be limited to specific networks using the transparent (or tweb) command. For instance, to limit transparent mode to Web clients within the 172.18.2.0 255.255.255.0 or 10.26.0.0 255.255.0.0 networks that are routed via the internal network interface, use the following commands:
- mode transparent on
- transparent raz
- transparent add internal 172.18.2.0 255.255.255.0
- transparent add internal 10.26.0.0 255.255.0.0
- apply
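With selective transparency, any client outside the listed networks reaches the Web without passing through URL filtering or antivirus, so it is worth checking an address inventory against the configured list. The following is an added example, not part of CacheGuard or its documentation: it parses the command lines shown above and reports which clients would bypass interception. The client addresses are constructed, and the handling of `transparent raz` (empties the list) and of an empty list (everything is intercepted) are assumptions.

```python
import ipaddress

# Constructed sample: the CLI lines from the section above.
CONFIG = """\
mode transparent on
transparent raz
transparent add internal 172.18.2.0 255.255.255.0
transparent add internal 10.26.0.0 255.255.0.0
apply
"""

# Constructed client inventory (hypothetical addresses).
CLIENTS = ["172.18.2.40", "10.26.200.9", "192.168.1.15", "10.27.0.1"]

def parse_transparent(config):
    """Return (enabled, [(interface, network), ...]) from CLI lines."""
    enabled, rules = False, []
    for raw in config.splitlines():
        words = raw.split()
        if len(words) == 3 and words[0] == "mode" and words[1] in ("transparent", "tweb"):
            enabled = words[2] == "on"
        elif len(words) >= 2 and words[0] in ("transparent", "tweb"):
            if words[1] == "raz":
                rules = []  # assumption: raz empties the list
            elif words[1] == "add" and len(words) == 5:
                # strict=True rejects host bits set in the network address;
                # a non-contiguous mask is rejected by the parser itself
                net = ipaddress.IPv4Network(f"{words[3]}/{words[4]}", strict=True)
                rules.append((words[2], net))
    return enabled, rules

def is_intercepted(client_ip, interface, enabled, rules):
    """Assumed semantics: with no listed network, every client is intercepted."""
    if not enabled:
        return False
    if not rules:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(iface == interface and ip in net for iface, net in rules)

def bypassing_clients(clients, interface, config):
    """Clients whose Web traffic would pass without interception."""
    enabled, rules = parse_transparent(config)
    return [c for c in clients if not is_intercepted(c, interface, enabled, rules)]

if __name__ == "__main__":
    print(bypassing_clients(CLIENTS, "internal", CONFIG))
```

Clients reported by `bypassing_clients` need either an explicit proxy configuration or another control if they are expected to be filtered.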