Deployment Brief: Explicit Proxy Access Method
Version 6.9.x/Doc Revision: 03/24/17
Blue Coat Web Security Service/Page 2
Copyrights Copyright © 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043 www.symantec.com
Web Security Service Access Method: Explicit Proxy
The Blue Coat Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, the Web Security Service leverages Blue Coat's proven security technology as well as the WebPulse™ cloud community of over 75 million users. With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roaming users.
This document describes how to set up explicit proxy connections to the Web Security Service for security scanning and policy checks on web-bound traffic. This document contains topics collected from the Web Security Service online documentation. For the complete doc set, see: https://bto.bluecoat.com/documentation/All-Documents/Web Security Service
Table Of Contents
Copyrights ... 3
Web Security Service Access Method: Explicit Proxy ... 5
About the Explicit Proxy Access Method ... 7
  Access From the Corporate Network ... 7
  Access From Remote Users ... 8
Plan The Explicit Proxy Access Method ... 10
Select an Explicit Proxy Method ... 11
  Pre-Deployment: Select Authentication Method ... 11
  Automatic ... 11
  Manual ... 11
Publish PAC File With WPAD ... 12
  Next Step ... 12
Edit Browser to Explicitly Proxy ... 13
  Edit Safari Proxy Setting ... 14
    Verify Firewall Setting ... 14
    Next Step ... 14
  Edit Chrome Browser Proxy Setting ... 15
    Verify Firewall Setting ... 15
    Next Step ... 15
  Edit IE Browser Proxy Setting ... 16
    Verify Firewall Setting ... 16
    Next Step ... 16
  Edit Firefox Browser Proxy Setting ... 17
    Verify Firewall Setting ... 17
    Next Step ... 17
Prevent IP/Subnet From Routing to the Web Security Service ... 18
Add an Explicit Proxy Location ... 20
Verify Service Connectivity to Locations ... 22
  All Locations ... 22
  Additional Step For Remote Users ... 22
    Windows ... 23
    Mac ... 24
  Verify Client Protection ... 24
Reference: Required Locations, Ports, and Protocols ... 26
  Blue Coat Resource ... 26
  Access Methods ... 26
  Authentication ... 27
  Cloud-to-Premises DLP ... 27
Reference: Sample PAC File for Explicit Proxy ... 28
About the Explicit Proxy Access Method
A proxy auto-config (PAC) file is a JavaScript file that lets web browser requests from within a company firewall bypass the proxy server, based on the IP address of the computer being used to access internal websites. Computers inside the firewall are given access to sites on the corporate intranet without being routed through the Blue Coat Web Security Service. Requests for external websites, or requests made by company-owned computers using an external IP address, are routed through the service. PAC files might also direct the web browser request to a specific proxy. The Web Security Service might restrict access based on the rules and restrictions governing web access.
Tips
- To provide user identities or provide a backup to proxy forwarding, you can deploy trans-proxy, or Explicit Proxy Over IPsec.
- The Roaming Captive Portal feature allows you to authenticate explicitly proxied users.
Access From the Corporate Network
Data Flow
A. All requests for external web content from IP addresses behind the firewall route through the Web Security Service.
B. The PAC file might include a list of sites (destinations by IP addresses) that bypass the Web Security Service.
C. The PAC file script identifies the internal IP address based on the RFC 1918 standard. Direct access to the internal URL is granted.
Access From Remote Users
Data Flow (Split VPN)
A. The PAC file script identifies the internal IP address based on the RFC 1918 standard. Direct access to the internal URL is granted through the firewall on the VPN connection.
B. All requests for external web content route directly through the Web Security Service (with the exception of bypassed IP addresses listed in the PAC file).
Data Flow (Full VPN)
C. All requests for external web content route back into the corporate firewall and then up to the Web Security Service through the gateway configuration.
D. The PAC file script identifies the internal IP address based on the RFC 1918 standard. Direct access to the internal URL is granted through the firewall on the VPN connection.
Challenge-based Authentication (Captive Portal)
To provide user authentication for this method, and also make user names available in reports and for custom policy creation, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after the previous successful entry).
Why Select This Method?
- Easy to deploy for demonstration or testing purposes.
- Faster access for internal users to internal URLs.
- Reduces traffic to the Web Security Service by allowing web requests to internal IP addresses to go directly to the website.
What Are the Limitations of This Method?
- Using PAC files with an IPsec split-tunnel configuration might allow requests for non-corporate sites to bypass the Web Security Service.
- Clients using IPsec with a full tunnel configuration might be allowed to bypass the Web Security Service because all traffic is routed through an external VPN.
- Client IP addresses are not visible to the Web Security Service.
Plan The Explicit Proxy Access Method
Complete the forms in the following sheet (one per location). Columns: Information | Network Values | Comments.

PAC file deployment method: [ ] Manual Browser Configuration  [ ] WPAD
IP address range or subnet allowed to bypass proxy server: ________
Proxy server location: Web Security Service PAC file URL. Point all browsers to this URL: https://portal.threatpulse.com/pac
Firewall port to open: 8080 (standard: 8080)
Internal Web Address: Are all web requests routed through the proxy server? [ ] Yes  [ ] No
VPN Tunnel Type: IPsec tunnel configuration installed on the client system: [ ] Full Tunnel  [ ] Split Tunnel. Blue Coat recommends full tunnel if your VPN is not compatible with the Web Security Service.
Captive Portal: Enable challenge-based auth? [ ] Yes  [ ] No
Select an Explicit Proxy Method
The following methods are available to explicitly proxy clients to the Web Security Service.
Pre-Deployment: Select Authentication Method
Before configuring the explicit proxy method, Blue Coat recommends deploying a user authentication method if the purpose is production use rather than a quick proof of concept or demonstration. If your solution requires Captive Portal, an authentication method is required. If you are not familiar with Web Security Service authentication, consult the documentation topics in the WebGuide.
Automatic: Use the Web Proxy Auto-Discovery (WPAD) protocol.
Manual: Manually configure a web browser's proxy setting to point to the Blue Coat Proxy Automatic Configuration (PAC) file.
Publish PAC File With WPAD
Enforce the use of a Proxy Automatic Configuration (PAC) file without manual web browser configuration by using the Web Proxy Auto-Discovery (WPAD) protocol. WPAD offers two options to publish the location of the PAC file: Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).
Tips
- Verify that firewall port 8080 is open.
- See "Reference: Sample PAC File for Explicit Proxy" on page 28 for an example PAC file.
DHCP Method
1. Before retrieving the first page, the web browser sends the local DHCP server a DHCPINFORM query.
2. The web browser uses the URL returned from the server to locate the PAC file.
3. If the DHCP server does not return the location of the PAC file, the DNS method is used.
DNS Method
1. Change the name of the PAC file located on the web server from proxy.pac to wpad.dat.
2. The web browser searches for the PAC file using URLs of the format http://wpad.x.x.com/wpad.dat, until the proxy configuration file is found in the domain of the client. wpad.dat is the name of the PAC file and x is a part of the domain name.
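The DNS walk described in step 2, as an added example that is not part of the Blue Coat document: it lists the wpad.dat URLs a client will try for its own domain, walking upward, and reports whether the walk would leave the corporate DNS zone before finding a record. The stop rule (never ask for wpad.<tld>), the function names and the sample domains are assumptions of this example.

```javascript
// Added example (not Blue Coat code). Enumerates the candidate WPAD URLs for a
// client FQDN: the host label is dropped, then each parent domain is tried in
// turn. Assumption: the walk stops before only the TLD would remain, so a
// client in pc.eng.corp.example.com never requests wpad.com.
function wpadCandidateUrls(clientFqdn) {
  var labels = clientFqdn.toLowerCase().split(".").filter(function (l) { return l; });
  var urls = [];
  for (var i = 1; labels.length - i >= 2; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}

// Walks the candidates against the wpad names the corporate DNS actually serves
// (constructed list) and flags the case where the client would query a name
// outside corporateZone before finding one: that is the configuration to fix
// by publishing wpad at the first label clients try.
function wpadResolution(clientFqdn, servedNames, corporateZone) {
  var urls = wpadCandidateUrls(clientFqdn);
  for (var i = 0; i < urls.length; i++) {
    var name = urls[i].slice("http://".length).split("/")[0];
    if (servedNames.indexOf(name) !== -1) return { url: urls[i], leavesZone: false };
    if (!name.endsWith("." + corporateZone)) return { url: null, leavesZone: true };
  }
  return { url: null, leavesZone: false };
}

// Constructed sample: DNS serves wpad only at the zone apex.
var SAMPLE_SERVED = ["wpad.corp.example.com"];
console.log(wpadResolution("pc.eng.corp.example.com", SAMPLE_SERVED, "corp.example.com"));
```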
Next Step
- Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit Browser to Explicitly Proxy
Manually configure web browsers on client systems or a demonstration client to point to the location of the Blue Coat Proxy Automatic Configuration (PAC) file, which provides the route to the Web Security Service. To configure specific, supported web browsers, navigate to the following topics:
- "Edit Safari Proxy Setting" on page 14
- "Edit Chrome Browser Proxy Setting" on page 15
- "Edit IE Browser Proxy Setting" on page 16
- "Edit Firefox Browser Proxy Setting" on page 17
Edit Safari Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Safari browser to point to the Blue Coat Proxy Automatic Configuration (PAC) file.
1. Select Apple menu > System Preferences.
2. Select the Internet and Network tab.
3. Select an option:
   - If you are connected by cable to the network, select Ethernet.
   - If you are connected using WiFi, select the AirPort option.
4. Click Advanced. Enter the address of your PAC file in the Address field. For example, https://portal.threatpulse.com/pac.
5. Click the Proxies tab.
   a. Select Using a PAC file.
   b. Enter the Web Security Service PAC file location in the Address field: https://portal.threatpulse.com/pac.
6. Select Quit to exit System Preferences.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
- Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit Chrome Browser Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Chrome browser to point to the Blue Coat Proxy Automatic Configuration (PAC) file.
1. In the top-right corner of the browser, select the wrench icon.
2. From the drop-down list, select Options. The browser displays the Google Chrome Options dialog.
3. In the Network section, click Change proxy settings. The browser displays the Internet Properties dialog.
4. Click the Connections tab.
5. In the Local Area Network (LAN) Settings section, click LAN settings. The Local Area Network (LAN) Settings dialog displays.
   a. In the Automatic configuration area, select Use automatic configuration script.
   b. Enter the Web Security Service PAC file location in the Address field: https://portal.threatpulse.com/pac.
6. Click OK and exit out of all open dialogs.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
- Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit IE Browser Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Internet Explorer browser to point to the Blue Coat Proxy Automatic Configuration (PAC) file.
1. Select Tools > Internet Options.
2. Select the Connections tab.
3. If you are using a VPN connection, click Add to start the connection wizard. If you are using a LAN connection, click LAN settings.
4. In the LAN settings dialog:
   a. Select Automatically detect settings and Use automatic configuration script.
   b. Enter the Web Security Service PAC file location in the Address field: https://portal.threatpulse.com/pac.
5. Click OK and exit out of all open dialogs.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
- Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Edit Firefox Browser Proxy Setting
Quickly connect to the Web Security Service by manually configuring the Firefox browser to point to the Blue Coat Proxy Automatic Configuration (PAC) file.
1. Select Tools > Options. The browser displays the Options dialog.
2. Select the Advanced > Network tab.
3. In the Connections area, click Settings.
4. Configure Connection Settings:
   a. Select Automatic proxy configuration URL.
   b. Enter the Web Security Service PAC file location in the Address field: https://portal.threatpulse.com/pac.
5. Click OK and exit out of all open dialogs.
Verify Firewall Setting
The gateway firewall must allow port 8080. See "Reference: Required Locations, Ports, and Protocols" on page 26.
Next Step
- Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 18.
Prevent IP/Subnet From Routing to the Web Security Service
Some source IP addresses or subnets do not require Blue Coat Web Security Service processing. For example, you might want to exclude test networks. Configure the service to ignore these connections.
Notes
- The Web Security Service allows an unlimited number of bypassed IP addresses/subnets. The exception is Client Connector, which only bypasses the first 256 entries.
- The setting is global; that is, it applies to every location/client in your Web Security Service account.
- Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.
Manually Add IP Addresses
1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.
2. Click Add Bypass IP(s). The service displays a dialog.
   a. Enter an IP/Subnet.
   b. (Optional) Enter a Comment.
   c. (Optional) Click the + icon to add another row for another entry.
   d. Click Add Bypass IP(s). The new entries display in the tab view. You can edit or delete any entry from here.
Import IP Address Entries From a Saved List
This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each entry in the file must be on its own line.
1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.
2. Click Add Bypass IP(s). The service displays the Add Bypass IP Address/Subnet dialog.
3. Click Add Bypass IP(s). The portal displays a dialog.
   a. Select Import From File.
   b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.
   c. Click Add Bypass IP(s). All of the new entries display in the tab view. You can edit or delete any entry from here.
Add an Explicit Proxy Location
When configuring Explicit Proxy as the access method, each gateway IP address defined in a PAC file requires an equivalent Blue Coat Web Security Service location configuration. Furthermore, you have the option to require users to enter their network credentials for each browser-type session. This allows usernames and group information to be viewable in reports and available in custom policy choices.
1. In Service Mode, select Network > Locations.
2. Click Add Location.
3. Complete the Location dialog.
   a. Name the location. For example, use the fixed geographical location or organization name.
   b. Select Explicit Proxy as the Access Method.
   c. Enter the IP/Subnet that forwards web traffic to the Web Security Service.
   d. This step is optional unless you are integrating SAML authentication. To require users to enter network credentials at each browser-type session, select Captive Portal: Enable. This option requires deployment of the Auth Connector application, which integrates with your Active Directory to provide username and group information.
   e. Select the Estimated User range that will be sending web requests through this gateway interface. Blue Coat uses this information to ensure proper resources.
   f. Select a Time Zone, fill out location information, and (optional) enter comments.
   g. Click Save.
Verify Service Connectivity to Locations
After configuring access to the Blue Coat Web Security Service, verify that the service is receiving and processing content requests.
All Locations
1. Click the Service link (upper-right corner).
2. Select Network > Locations.
3. Verify the status of each location. Various icons represent the connection status; their meanings are:
   - The Web Security Service recognizes the location and accepts web traffic.
   - A location has been configured, but the Web Security Service cannot connect. Verify that the web gateway device is properly configured to route traffic.
   - A previously successful web gateway to Web Security Service configuration is currently not connected.
If a location is not connected, check the following for its access method.
Firewall/VPN
- Verify your firewall's public gateway address.
- Verify that the Preshared Key (PSK) in the portal matches that of your firewall configuration.
- Verify that the server authentication mode is set to PSK.
Explicit Proxy
- Verify the PAC file installation and deployment.
- Verify that your network allows outbound requests on port 8080.
- Do not attempt to use Explicit Proxy in conjunction with the Unified Agent: the client will detect that a proxy is in effect, assume a man-in-the-middle attack, and fail (open or closed depending on the settings).
Proxy Forwarding
- Verify that the gateway address in the forwarding host is correct.
Remote Users
- Verify the Unified Agent/Client Connector installation. See the section below for more information.
Additional Step For Remote Users
To further verify that the Unified Agent running on remote clients is communicating with the Web Security Service, click (or double-click) the application icon in the menu bar and click Status.
Windows
If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.
Mac
If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.
Verify Client Protection
From a client system that has web access (or the specific test client if so configured), browse to the following site: test.threatpulse.com
The test is successful if you see the following webpage.
Reference: Required Locations, Ports, and Protocols
Depending on your configured Blue Coat Web Security Service Access Methods, some ports, protocols, and locations must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.

Blue Coat Resource
bto.bluecoat.com: HTTPS/TCP 443. Support site links to support tools and documentation.

Access Methods
(Columns: Access Method; Port(s); Protocol; Resolves To)

Firewall/VPN (IPsec)
  Port(s): 80/443
  Protocol: IPsec/ESP; UDP 500 (ISAKMP)
  Resolves To: Web Security Service IP addresses 199.19.250.192 and 199.116.168.192

Proxy Forwarding
  Port(s): 8080/8443, 8084*
  Protocol: HTTP/HTTPS
  Resolves To: Port 8080 to proxy.threatpulse.net; Port 8443 to proxy.threatpulse.net; *Port 8084 to proxy.threatpulse.net (*if this forwarding host is configured for local SSL interception)

Explicit Proxy
  Port(s): 8080
  Resolves To: proxy.threatpulse.net; PAC file at https://portal.threatpulse.com/pac

Trans-Proxy
  Port(s): 8080 (VPN Tunnel)
  Resolves To: ep.threatpulse.net resolves to the pseudo address 199.19.250.205

Unified Agent
  Port(s): 443
  Protocol: SSL
  Resolves To: Port 443 to client.threatpulse.net; Port 443 to proxy.threatpulse.net; Port 443 to portal.threatpulse.net (199.19.250.192)

MDM (registered iOS and Android devices)
  Port(s): UDP 500 (ISAKMP), UDP 4500 (NAT-T)
  Protocol: IPSec/ESP

Roaming Captive Portal
  Port(s): 8080
Authentication
(Columns: Auth Method; Port(s); Protocol; Resolves To)

Auth Connector
  Port(s): 443
  Protocol: SSL
  Resolves To: auth.threatpulse.net: 199.19.250.193, 199.116.168.193; portal.threatpulse.net: 199.19.250.19
  Additional Required Information: Reference: Authentication IP Addresses.

Auth Connector to Active Directory
  139,445: TCP
  389: LDAP
  3268: ADSI LDAP
  135: Location Services
  88: Kerberos

SAML
  Port(s): 8443
  Applies to: Explicit and IPSec

Cloud-to-Premises DLP
- comm.threatpulse.com
Reference: Sample PAC File for Explicit Proxy
The following is sample text that makes up a Proxy Automatic Configuration (PAC) file from which web browsers receive routing instructions. The PAC file redirects all non-internal traffic to the Blue Coat Web Security Service.

    function FindProxyForURL(url, host) {
        // If URL has no dots in host name, send traffic direct.
        if (isPlainHostName(host))
            return "DIRECT";

        // If specific URL needs to bypass proxy, send traffic direct.
        if (shExpMatch(url, "*bluecoat.com*") ||
            shExpMatch(url, "*cacheflow.com*"))
            return "DIRECT";

        // If IP address is internal, send direct.
        if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
            isInNet(host, "172.16.0.0", "255.240.0.0") ||
            isInNet(host, "192.168.0.0", "255.255.0.0") ||
            isInNet(host, "216.52.23.0", "255.255.255.0") ||
            isInNet(host, "127.0.0.0", "255.255.255.0") ||
            isInNet(host, "192.41.79.240", "255.255.255.255"))
            return "DIRECT";

        // All other traffic uses the proxies below, in fail-over order.
        // Both proxies must be in one return value: a second return statement
        // after the first would never execute. The trailing DIRECT means the
        // browser fails open (goes direct) if neither proxy answers.
        return "PROXY proxy.threatpulse.net:8080; " +
               "PROXY 199.19.250.164:8080; DIRECT";
    }
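As an added example that is not part of the Blue Coat document, the following harness emulates the PAC helper functions the sample relies on and evaluates the sample's routing decisions over constructed requests, so the bypass behaviour described under "About the Explicit Proxy Access Method" can be audited offline before the file is published. The helper implementations, the fail-over chain written as a single return, the sample requests, and the omission of the sample's two literal non-RFC 1918 bypass ranges are assumptions of this example.

```javascript
// Added example, not the Blue Coat document's own code: an offline harness that
// emulates the PAC helper functions the sample file relies on and runs the
// sample's routing logic over constructed requests, so an administrator can see
// which destinations bypass the Web Security Service before publishing the file.
// Assumption: hosts whose decision depends on isInNet are given as literal IPs,
// because a browser would DNS-resolve the name first and no DNS is used here.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Browser-style glob match: only * and ? are wildcards, everything else literal.
function shExpMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Dotted-quad to 32-bit integer; null for anything that is not a literal IPv4.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false; // a name, not an IP
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// The sample PAC logic from the page, with the fail-over list as a single return.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(url, "*bluecoat.com*") || shExpMatch(url, "*cacheflow.com*"))
    return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  return "PROXY proxy.threatpulse.net:8080; PROXY 199.19.250.164:8080; DIRECT";
}

// Decision table for a list of {url, host}; bypass is true when the first hop is
// DIRECT, i.e. the request never reaches the Web Security Service.
function auditRequests(requests) {
  return requests.map(function (r) {
    var d = FindProxyForURL(r.url, r.host);
    return { url: r.url, decision: d, bypass: d.split(";")[0].trim() === "DIRECT" };
  });
}

// Constructed sample requests (not captured traffic).
var SAMPLE_REQUESTS = [
  { url: "http://intranet/", host: "intranet" },
  { url: "http://10.1.2.3/app", host: "10.1.2.3" },
  { url: "http://172.32.0.1/", host: "172.32.0.1" },        // outside 172.16/12
  { url: "https://www.bluecoat.com/", host: "www.bluecoat.com" },
  { url: "https://www.example.com/", host: "www.example.com" }
];

auditRequests(SAMPLE_REQUESTS).forEach(function (r) {
  console.log((r.bypass ? "BYPASS " : "SERVICE") + " " + r.url + " -> " + r.decision);
});
```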