Webwasher 6.0 Deployment Planning Guide - McAfee
DEPLOYMENT PLANNING GUIDE<br />
<strong>Webwasher</strong> Secure Content Management<br />
Version <strong>6.0</strong><br />
www.securecomputing.com
Part Number: 86-0946251-A<br />
All Rights Reserved, Published and Printed in Germany<br />
©2006 Secure Computing Corporation. This document may not, in whole or in part, be copied, photocopied,<br />
reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent<br />
in writing from Secure Computing Corporation. Every effort has been made to ensure the accuracy of this<br />
manual. However, Secure Computing Corporation makes no warranties with respect to this documentation<br />
and disclaims any implied warranties of merchantability and fitness for a particular purpose. Secure Computing<br />
Corporation shall not be liable for any error or for incidental or consequential damages in connection with<br />
the furnishing, performance, or use of this manual or the examples herein. The information in this document<br />
is subject to change without notice. <strong>Webwasher</strong>, MethodMix, AV PreScan, Live Reporting, Content Reporter,<br />
ContentReporter, Real-Time Classifier are all trademarks or registered trademarks of Secure Computing Corporation<br />
in Germany and/or other countries. Microsoft, Windows NT, Windows 2000 are registered trademarks<br />
of Microsoft Corporation in the United States and/or other countries. <strong>McAfee</strong> is a business unit of Network<br />
Associates, Inc. CheckPoint, OPSEC, and FireWall-1 are trademarks or registered trademarks of CheckPoint<br />
Software Technologies Ltd. or its affiliates. Sun and Solaris are trademarks or registered trademarks of Sun<br />
Microsystems, Inc. in the United States and other countries. Squid is copyrighted by the University of California,<br />
San Diego. Squid uses some code developed by others. Squid is Free Software, licensed under the<br />
terms of the GNU General Public License. NetCache is a registered trademark of Network Appliances, Inc.<br />
in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Other product<br />
names mentioned in this guide may be trademarks or registered trademarks of their respective companies<br />
and are the sole property of their respective manufacturers.<br />
Secure Computing Corporation<br />
<strong>Webwasher</strong> – A Secure Computing Brand<br />
Vattmannstrasse 3, 33100 Paderborn, Germany<br />
Phone: +49 (0) 5251 50054-0<br />
Fax: +49 (0) 5251 50054-11<br />
info@webwasher.com<br />
www.webwasher.com<br />
www.securecomputing.com<br />
European Hotline<br />
Phone: +49 (0) 5251 50054-460<br />
US Hotline<br />
Phone: +1 800 700 8328, +1 651 628 1500
Contents<br />
Chapter 1 Introduction<br />
1.1 About This <strong>Guide</strong><br />
1.2 The <strong>Webwasher</strong> SCM Suite of Products<br />
1.3 How Does <strong>Webwasher</strong> Work?<br />
1.4 ICAP and <strong>Webwasher</strong><br />
1.5 Integration With Other Proxies and Appliances<br />
1.5.1 NetCache<br />
1.5.2 Blue Coat Proxy Appliances<br />
1.5.3 Microsoft® ISA Server<br />
1.5.4 Squid<br />
1.6 Hardware Requirements<br />
1.7 System Requirements<br />
1.7.1 Windows<br />
1.7.2 Solaris<br />
1.7.3 Linux<br />
Chapter 2 <strong>Deployment</strong> <strong>Planning</strong><br />
2.1 Pre-planning Questions<br />
Chapter 3 <strong>Deployment</strong> Scenarios I — HTTP, FTP, HTTPS<br />
3.1 <strong>Webwasher</strong> as HTTP Proxy<br />
3.2 <strong>Webwasher</strong> as an ICAP Server<br />
3.3 <strong>Webwasher</strong> As Next Hop Proxy<br />
Chapter 4 <strong>Deployment</strong> Scenarios II — SMTP<br />
4.1 <strong>Webwasher</strong> as a Relay Host<br />
List of Figures<br />
Figure 3–1. <strong>Webwasher</strong> as HTTP Proxy<br />
Figure 3–2. <strong>Webwasher</strong> as an ICAP server<br />
Figure 3–3. <strong>Webwasher</strong> as an ICAP server, with another ICAP server (i.e. <strong>Webwasher</strong>)<br />
Figure 3–4. <strong>Webwasher</strong> as an ICAP Server, third-party proxy has no HTTPS filtering<br />
Figure 3–5. <strong>Webwasher</strong> as an ICAP Server, third-party proxy receives HTTPS filtering<br />
Figure 3–6. <strong>Webwasher</strong> as Parent Proxy<br />
Figure 4–1. <strong>Webwasher</strong> as a Relay Host with one Mail Transfer Agent<br />
Figure 4–2. <strong>Webwasher</strong> as Relay Host, multiple Mail Transfer Agents<br />
Chapter 1<br />
Introduction<br />
Thank you for considering <strong>Webwasher</strong> as your company’s Secure Content<br />
Management (SCM) solution. With a complete portfolio of high-performance<br />
Secure Content Management features, webwasher products deliver the right<br />
measures to address today’s productivity and security threats. From <strong>Webwasher</strong>’s<br />
portfolio of intelligently bundled solutions for managing, filtering, securing<br />
and reporting over all key protocols, you can find the right solution for<br />
the issues that confront your network. Positioned at the gateway, webwasher<br />
products reduce the load on mail servers and components within the network.<br />
1.1<br />
About This <strong>Guide</strong><br />
This guide has been written for system administrators and/or decision makers who<br />
would like to begin planning the deployment of <strong>Webwasher</strong> in their company.<br />
It describes the various ways that <strong>Webwasher</strong> can be integrated into your existing<br />
corporate network. It will guide you and assist in making a decision about<br />
the most suitable <strong>Webwasher</strong> integration approach to take.<br />
Since all corporate networks and company goals vary in terms of their existing<br />
structure and requirements, this document has been designed only to act as a<br />
general guideline, providing a starting point as well as describing the variety of<br />
possibilities of how <strong>Webwasher</strong> could fit into your corporate network. To obtain<br />
additional assistance, please contact your local support representative.<br />
1.2<br />
The <strong>Webwasher</strong> SCM Suite of Products<br />
The <strong>Webwasher</strong> Secure Content Management Suite provides an optimal solution<br />
for all of your content security management needs. It is unique in that it offers<br />
best-of-breed security solutions for individual threats (URL Filter, Anti Malware,<br />
Anti Spam, etc.) and at the same time a fully integrated architecture that<br />
affords in-depth security and cost/time savings through interoperability. Your<br />
company can rest assured that it is getting all of the corporate network protection<br />
necessary for a secure, well-managed and streamlined data exchange.<br />
<strong>Webwasher</strong> URL Filter<br />
<strong>Webwasher</strong> URL Filter helps you to boost productivity by<br />
reducing non-business related surfing to a minimum and to curb<br />
your IT costs. It suppresses offensive sites and prevents<br />
downloads of inappropriate files, minimizing risks of legal<br />
liabilities.<br />
<strong>Webwasher</strong> Anti-Malware<br />
<strong>Webwasher</strong> Anti-Malware offers in-depth protection with its<br />
security filters, which provide rule-based filtering of potentially<br />
harmful code. Since anti-virus protection on the client or group<br />
server level is no longer sufficient, gateway protection is the<br />
best insurance.<br />
<strong>Webwasher</strong> Anti-Virus<br />
<strong>Webwasher</strong> Anti-Virus offers in-depth protection with its<br />
security filters, which provide rule-based filtering of potentially<br />
harmful code. Since anti-virus protection on the client or group<br />
server level is no longer sufficient, gateway protection is the<br />
best insurance.<br />
For complete protection of the central Internet gateway.<br />
<strong>Webwasher</strong> Anti-Spam<br />
<strong>Webwasher</strong> Anti-Spam’s highly accurate spam detection<br />
stems the flood of unwanted spam mail before it reaches the<br />
user’s desktop. It will not impair your systems, maintaining<br />
the availability of valuable internal mail infrastructures such<br />
as group servers.<br />
<strong>Webwasher</strong> Content Protection<br />
<strong>Webwasher</strong> Content Protection ensures that your systems<br />
are protected against threats transported in Web and e-mail,<br />
prevents downloads and uploads of inappropriate files, and<br />
keeps IT costs low via reduced bandwidth and storage loads.<br />
<strong>Webwasher</strong> SSL Scanner<br />
With high incidences of attacks via HTTPS, disclosure of<br />
confidential corporate data and infringements of Internet usage,<br />
<strong>Webwasher</strong> SSL Scanner helps you to protect your critical data<br />
and ensure that no one is illicitly sharing sensitive corporate<br />
materials.<br />
<strong>Webwasher</strong> Instant Message Filter<br />
This is a perimeter security software solution that detects,<br />
reports and selectively blocks the unauthorized use of high-risk<br />
and evasive P2P and IM from enterprise networks. It scans<br />
network traffic for characteristics that match the corresponding<br />
protocol signatures.<br />
<strong>Webwasher</strong> Content Reporter<br />
<strong>Webwasher</strong> Content Reporter features a library of rich,<br />
customizable reports based on built-in cache, streaming media,<br />
e-mail/activity, Internet access and content filtering queries,<br />
all supported by unmatched convenience and performance<br />
features.<br />
1.3<br />
How Does <strong>Webwasher</strong> Work?<br />
<strong>Webwasher</strong> offers a wide range of Internet filters for multiple Internet protocols.<br />
<strong>Webwasher</strong>’s ICAP platform offers a great deal of flexibility in deployment; the<br />
possibilities and requirements depend on the functionality you need and the<br />
network architecture you already have.<br />
The basic principle is that <strong>Webwasher</strong> combines all filters in a central<br />
place called the ICAP server (cluster), and that this ICAP server receives its<br />
filtering requests from the proxy servers and gateway products that route the Internet<br />
traffic through your corporation’s gateway. webwasher AG also offers<br />
some of these proxy servers and gateway products as features of the <strong>Webwasher</strong><br />
SCM suite. Since all these features (such as ICAP server, HTTP<br />
proxy, HTTPS proxy and SMTP gateway) are shipped in a single binary, installation<br />
is very easy while deployment possibilities are extremely flexible.<br />
1.4<br />
ICAP and <strong>Webwasher</strong><br />
<strong>Webwasher</strong> supports both ICAP/0.95 and ICAP/1.0.<br />
ICAP (Internet Content Adaptation Protocol) is an open and standardized protocol<br />
that can enhance ICAP-enabled proxy servers and caches (see Section<br />
1.5 for more details) to offer application services, as well as fast and reliable<br />
access to Web content. In general, ICAP increases performance and flexibility,<br />
and is the key to communication between the <strong>Webwasher</strong> ICAP server and<br />
other ICAP–enabled proxy servers and caches.<br />
ICAP is usually used where either a separate HTTP proxy server or a programmable<br />
network device could serve as an alternative solution. It allows<br />
ICAP clients to pass HTTP messages to ICAP servers for “adaptation”. The<br />
server executes its transformation service on messages and sends back responses<br />
to the client, usually with modified messages. The adapted messages<br />
may be either HTTP requests or HTTP responses (see the following sections).<br />
When an ICAP client is implemented in a cache or proxy, it can use any kind<br />
of additional feature that is offered by an ICAP server running on a different<br />
machine.<br />
The ICAP specification is published as RFC 3507.<br />
1.5<br />
Integration With Other Proxies and Appliances<br />
Since <strong>Webwasher</strong> takes the role of an ICAP server fully implementing RFC<br />
3507, it can be seamlessly integrated with a variety of other third-party proxies<br />
and appliances that contain ICAP client implementations. These include the<br />
Cisco Content Engine, NetCache, Blue Coat proxy appliances, Microsoft®<br />
ISA Server + <strong>Webwasher</strong>® ISA Server Plugin, and Squid (see below).<br />
Integrating the <strong>Webwasher</strong> ICAP server with any of the above-mentioned ICAP<br />
proxies and appliances is simple – <strong>Webwasher</strong> just needs to be configured as<br />
an ICAP server in your ICAP client proxy (see Section 3.2 for more information).<br />
1.5.1<br />
NetCache<br />
The NetCache appliance is a scalable content-caching appliance that reduces<br />
bandwidth load and latency. Linking <strong>Webwasher</strong> to NetCache through an ICAP<br />
interface allows NetCache to do the caching while the filtering is done on a separate<br />
server. For details on how to set up NetCache with ICAP, please take a look<br />
at the Setting Up NetCache With ICAP guide.<br />
1.5.2<br />
Blue Coat Proxy Appliances<br />
Blue Coat proxy appliances allow enterprises to deploy applications such as<br />
content filtering, Web virus scanning and Web proxy and bandwidth management,<br />
and integrate easily with existing security and network infrastructure. For<br />
more information about Blue Coat proxy appliances and ICAP setup, please<br />
take a look at the Blue Coat Web site.<br />
To set up <strong>Webwasher</strong> with Blue Coat, please refer to the Setting Up <strong>Webwasher</strong>®<br />
with Blue Coat guide.<br />
1.5.3<br />
Microsoft® ISA Server<br />
Microsoft ISA Server provides an extensible enterprise firewall and a scalable<br />
Web cache server, acting as an Internet gateway for securing connections<br />
and optimizing network performance. The <strong>Webwasher</strong> ISA Server Plugin is<br />
an ICAP client for ISA Server, enabling ISA Server to talk ICAP to the <strong>Webwasher</strong><br />
ICAP server.<br />
For details on how to set up the <strong>Webwasher</strong> ISA Server Plugin, please see the<br />
Setting Up <strong>Webwasher</strong>® on Microsoft ISA Server guide.<br />
1.5.4<br />
Squid<br />
Squid is a free Web proxy cache which runs on Unix systems. An ICAP client<br />
implementation can be set up within Squid so that it can be integrated with the<br />
<strong>Webwasher</strong> ICAP server.<br />
For more information on Squid ICAP client development, please refer to our<br />
Squid page under http://www.webwasher.com/squid-icap.<br />
1.6<br />
Hardware Requirements<br />
Hardware requirements may vary according to the number of users and the product<br />
feature set chosen. The minimum hardware requirements are:<br />
• Intel Pentium III 800 MHz<br />
• SunSparc 500 MHz<br />
• 512 MB memory<br />
• 180 MB disk space<br />
For a NetCache ICAP server configuration, information about the number of<br />
NetCaches appropriate for the described load and the recommended number of<br />
ICAP servers should be obtained from Network Appliance. Please contact your<br />
local support representative for more details.<br />
1.7<br />
System Requirements<br />
<strong>Webwasher</strong> supports ICAP servers and the standalone HTTP proxy on Windows,<br />
Solaris and Linux. Please ensure that your equipment meets or exceeds<br />
the system requirements listed below:<br />
1.7.1<br />
Windows<br />
• Windows workstation<br />
• 512 MB RAM (or more)<br />
• Windows 2000, Windows NT, Windows Server 2003, Windows XP<br />
• Standard Web browser<br />
1.7.2<br />
Solaris<br />
• Sun Ultra SPARC workstation<br />
• 512 MB RAM (or more)<br />
• Sun Solaris 8 or 9<br />
• Standard Web browser<br />
1.7.3<br />
Linux<br />
• Linux i586 workstation (Pentium class processor-compatible)<br />
• 512 MB RAM (or more)<br />
• Red Hat Enterprise Linux 3, SUSE LINUX Enterprise Server 8, Debian GNU/Linux 3.0<br />
• Standard Web browser<br />
Chapter 2<br />
<strong>Deployment</strong> <strong>Planning</strong><br />
When considering deployment of <strong>Webwasher</strong>, always think about the proxy<br />
servers, gateways and the ICAP filtering server engine as building blocks for<br />
your network architecture. Due to the one binary principle, multiples of these<br />
building blocks can run in one process on one box, or one building block could<br />
on the other hand be installed several times and on multiple boxes to allow<br />
load balancing and failover strategies.<br />
2.1<br />
Pre-planning Questions<br />
The question of which proxy servers (from <strong>Webwasher</strong> or third-party) will be<br />
used and how many computers are needed for installation depends highly on<br />
these and other questions that can be discussed with your local support representative:<br />
Question Answer<br />
Which operating system do you prefer/use?<br />
What kind of existing gateway products do you use?<br />
Are you also interested in third-party ICAP services?<br />
Are you going to install a solution for one Internet protocol, or for multiple protocols?<br />
Do different users/user groups need different <strong>Webwasher</strong> settings?<br />
Does this require user authentication? Please note: NTLM authentication is only available under Windows!<br />
What building blocks should/must do the authentication?<br />
Are there other mandatory elements in your network architecture that the filtering building blocks must communicate with?<br />
What is the number of requests per second and the expected data volume?<br />
Do you have a need for load balancing, redundant components, failover strategies?<br />
Do you have experience with some of the possible third-party components?<br />
Are you going to replace an existing solution and prefer to change only a minimum in your setup?<br />
How easy should the solution scale when requirements grow?<br />
Do you prefer fewer and bigger servers or more and smaller ones?<br />
Do you like open source programs such as Squid?<br />
Do you need a caching solution?<br />
Is a proxy chain what you are looking for, or do you prefer a flexible solution such as ICAP?<br />
Chapter 3<br />
<strong>Deployment</strong> Scenarios I — HTTP,<br />
FTP, HTTPS<br />
All of the following deployment scenarios can be extended with third-party<br />
load balancers, as well as with load balancing in ICAP.<br />
All of <strong>Webwasher</strong>’s proxy engines can run within the same binary as the filtering<br />
engine (see Figure 3–1), or on separate hardware (see Figure 3–2). In<br />
both cases, ICAP is used as the communication protocol between the parts.<br />
Important! In the case of HTTPS traffic, care has to be taken to protect<br />
the ICAP connection between the HTTPS proxy and the filtering engine. An<br />
attacker could use this connection to sniff or alter the information. We strongly<br />
recommend running the <strong>Webwasher</strong> HTTPS proxy and the <strong>Webwasher</strong> ICAP<br />
server within a protected area of your network so that neither can be accessed<br />
by outsiders or by unauthorized insiders. Since this goal is easier to achieve<br />
for a single computer than for a network segment, we recommend running the<br />
HTTPS proxy and the filtering engine within one binary and on one computer.<br />
3.1<br />
<strong>Webwasher</strong> as HTTP Proxy<br />
In this scenario, <strong>Webwasher</strong> is acting as a proxy server. There can also be<br />
several of these ’standalone’ proxies.<br />
For filtering HTTPS traffic, <strong>Webwasher</strong> has to be used as a proxy server for<br />
HTTPS traffic (see Figure 3–1). If <strong>Webwasher</strong> is already used as a proxy server<br />
for HTTP data, there is usually nothing additional that needs to be done, other<br />
than to ensure that the proxy settings in your browsers are set to also proxy the<br />
“Secure” protocol to the <strong>Webwasher</strong> proxy. <strong>Webwasher</strong> uses the same proxy<br />
port as for HTTP traffic (default 9090).<br />
Advantages<br />
• No other product is needed<br />
• Proxy is included in the license price<br />
• Easy to install<br />
• Can be used with other proxies in a proxy chain<br />
• Offers authentication options, such as NTLM or LDAP<br />
Disadvantages<br />
• No caching functionality<br />
Figure 3–1. <strong>Webwasher</strong> as HTTP Proxy<br />
3.2<br />
<strong>Webwasher</strong> as an ICAP Server<br />
In this scenario, <strong>Webwasher</strong> takes the role as the ICAP server to a third-party<br />
proxy cache: <strong>Webwasher</strong> acts as the “Filtering Engine”, in addition to an HTTP<br />
“Gateway” or third-party ICAP client. See Section 1.5 for more details about<br />
possible third-party ICAP clients.<br />
Configuration details for NetCache can be found in the Setting Up NetCache<br />
With ICAP guide, and configuration details for the <strong>Webwasher</strong> ISA<br />
Server Plugin can be found in the Configuring The <strong>Webwasher</strong>® ISA<br />
Server Plugin guide. Both guides can be downloaded from the webwasher<br />
AG extranet.<br />
The optimal, high-end solution suggested by webwasher AG consists of a<br />
caching engine (such as NetCache) with one or more ICAP server systems<br />
running <strong>Webwasher</strong>.<br />
Advantages Disadvantages<br />
• Eliminates proxy chaining<br />
• Scalable<br />
• High-performance environment<br />
• Integrated load balancing<br />
• (NetCache with one or more ICAP server systems running <strong>Webwasher</strong>): ICAP<br />
protocol works with previews which allows <strong>Webwasher</strong> to stop processing Web objects<br />
that will not be modified by any of the enabled <strong>Webwasher</strong> features.<br />
• (NetCache with one or more ICAP server systems running <strong>Webwasher</strong>): In case the<br />
ICAP server is overloaded, a further system running <strong>Webwasher</strong> can be easily added<br />
to the service farm. In this case NetCache provides load balancing.<br />
• The work done by the cache engine and washing engine is shared<br />
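The ICAP exchange described in Sections 1.4 and 3.2, as an added example that is not part of the original guide and is not Webwasher code: it builds an RFC 3507 RESPMOD request with a preview, parses it by its Encapsulated offsets, and returns the 204/100/200 decision that the preview makes possible. It also shows that the encapsulated HTTP headers are readable inside the ICAP message, which is why the Important note at the start of this chapter asks for a protected ICAP connection. The service URI, host names, cookie value and the "PNG images are never modified" policy are assumptions made for illustration.

```python
# Added example, not Webwasher code: an RFC 3507 RESPMOD request with a preview.
from urllib.parse import urlsplit

CRLF = b"\r\n"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def chunk(data: bytes, ext: bytes = b"") -> bytes:
    """Encode one chunk; an empty chunk (optionally with 'ieof') ends the body."""
    return b"%x%s\r\n" % (len(data), ext) + data + CRLF

def build_respmod(service_uri, req_hdr, res_hdr, body, preview_size):
    """Build a RESPMOD request carrying only the first preview_size body bytes."""
    preview = body[:preview_size]
    # "ieof" tells the server that the preview already holds the whole body.
    last = chunk(b"", b"; ieof") if len(body) <= preview_size else chunk(b"")
    head = CRLF.join([
        b"RESPMOD " + service_uri.encode() + b" ICAP/1.0",
        b"Host: " + urlsplit(service_uri).netloc.encode(),
        b"Allow: 204",
        b"Preview: %d" % preview_size,
        # Offsets are counted from the first byte after the ICAP header block.
        b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d"
        % (len(req_hdr), len(req_hdr) + len(res_hdr)),
    ]) + CRLF + CRLF
    return head + req_hdr + res_hdr + (chunk(preview) if preview else b"") + last

def dechunk(buf: bytes):
    """Decode a chunked preview; return (data, ieof), raise ValueError if cut off."""
    data, pos = b"", 0
    while True:
        eol = buf.index(CRLF, pos)
        size_field, _, ext = buf[pos:eol].partition(b";")
        size = int(size_field, 16)
        if size == 0:
            return data, ext.strip() == b"ieof"
        if eol + 2 + size + 2 > len(buf):
            raise ValueError("truncated chunk")
        data += buf[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the chunk data and its trailing CRLF

def parse_icap(raw: bytes):
    """Split an ICAP request into method, headers and encapsulated sections."""
    head, _, payload = raw.partition(CRLF + CRLF)
    lines = head.decode("ascii").split("\r\n")
    method, _uri, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    # Encapsulated lists name=offset pairs in the order the parts appear.
    offsets = [(n.strip(), int(o)) for n, o in
               (p.split("=") for p in headers["encapsulated"].split(","))]
    if offsets != sorted(offsets, key=lambda p: p[1]) or offsets[-1][1] > len(payload):
        raise ValueError("Encapsulated offsets do not match the payload")
    sections = {}
    for i, (name, start) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(payload)
        sections[name] = payload[start:end]
    preview, ieof = dechunk(sections["res-body"])
    return {"method": method, "headers": headers, "sections": sections,
            "preview": preview, "ieof": ieof}

def preview_verdict(msg) -> bytes:
    """Status line a filtering server would send after seeing the preview.
    Assumed policy for this example: PNG images are never modified."""
    if msg["preview"].startswith(PNG_MAGIC):
        return b"ICAP/1.0 204 No Content"   # unmodified, client keeps its copy
    if msg["ieof"]:
        return b"ICAP/1.0 200 OK"           # whole body seen, reply with the result
    return b"ICAP/1.0 100 Continue"         # ask the client for the rest

# Constructed sample: headers of a request that reached the proxy over HTTPS and
# was decrypted there; host names and the cookie value are made up.
REQ_HDR = (b"GET /logo.png HTTP/1.1\r\nHost: www.example.test\r\n"
           b"Cookie: session=constructed-value\r\n\r\n")
RES_HDR = b"HTTP/1.1 200 OK\r\nServer: constructed\r\n\r\n"

def demo(body: bytes, preview_size: int = 1024):
    """Return (wire bytes, parsed message, verdict) for one response body."""
    raw = build_respmod("icap://icap.example.test:1344/respmod",
                        REQ_HDR, RES_HDR, body, preview_size)
    msg = parse_icap(raw)
    return raw, msg, preview_verdict(msg)

if __name__ == "__main__":
    for body in (PNG_MAGIC + b"\x00" * 4096, b"<html>" + b"x" * 4096, b"hello"):
        raw, msg, verdict = demo(body)
        print(len(body), len(msg["preview"]), msg["ieof"], verdict.decode())
```

With the 204 answer the ICAP client never sends the remaining body bytes, which is the saving the preview mechanism provides.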
Figure 3–2. <strong>Webwasher</strong> as an ICAP server<br />
Figure 3–3. <strong>Webwasher</strong> as an ICAP server, with another ICAP server (i.e. <strong>Webwasher</strong>)<br />
Note: Should <strong>Webwasher</strong> be deployed as an ICAP server that receives HTTP<br />
data from a third-party proxy or cache that includes an ICAP client, this cannot<br />
simply be extended for SSL connections. These products are currently unable<br />
to terminate the SSL connections in forwarding proxy mode, but can only tunnel<br />
the HTTPS traffic which is insufficient for filtering (with or without ICAP). The<br />
original HTTPS data has to be proxied through <strong>Webwasher</strong> on its proxy server<br />
port.<br />
If the third-party proxy server currently DOES NOT receive HTTPS traffic (i.e.<br />
browsers are using direct connections to the Internet)...<br />
...change the browser setting to proxy HTTPS connections through <strong>Webwasher</strong><br />
(see Figure 3–4).<br />
If the third-party proxy server currently DOES receive HTTPS traffic and tunnels<br />
it to the Internet...<br />
...a forwarding rule for HTTPS traffic needs to be created on the proxy server<br />
(set up <strong>Webwasher</strong> as a parent/proxy cache for HTTPS) (see Figure 3–5).<br />
Figure 3–4. <strong>Webwasher</strong> as an ICAP Server, third-party proxy has no HTTPS filtering<br />
Figure 3–5. <strong>Webwasher</strong> as an ICAP Server, third-party proxy receives HTTPS filtering<br />
3.3<br />
<strong>Webwasher</strong> As Next Hop Proxy<br />
In this scenario, <strong>Webwasher</strong> is acting as a next hop proxy: it is configured<br />
as the next hop proxy in the third-party proxy cache settings, and the browsers<br />
are configured to use the third-party proxy.<br />
Advantages<br />
• Other proxy may be able to perform additional authentication functions that<br />
<strong>Webwasher</strong> does not support (i.e. client certificate-based authentication).<br />
Disadvantages<br />
• <strong>Webwasher</strong> can do policy mapping based on the client IP only (and only if sent<br />
by other proxy)<br />
Figure 3–6. <strong>Webwasher</strong> as Parent Proxy<br />
Chapter 4<br />
<strong>Deployment</strong> Scenarios II — SMTP<br />
4.1<br />
<strong>Webwasher</strong> as a Relay Host<br />
In this scenario, your company mail server (such as sendmail or MS Exchange)<br />
is configured to use <strong>Webwasher</strong> as a next hop gateway.<br />
You have to add a routing rule for <strong>Webwasher</strong>, or install a local DNS server and<br />
create an MX record that points to the company mail server, so that <strong>Webwasher</strong><br />
can deliver incoming messages.<br />
Figure 4–1. <strong>Webwasher</strong> as a Relay Host with one Mail Transfer Agent<br />
<strong>Webwasher</strong> can be configured to either forward all mails to a predefined server<br />
or to use DNS (MX records) to deliver mails. Usually you will configure <strong>Webwasher</strong><br />
to use MX records, and add routing rules for local mail delivery.<br />
The diagram below is the same as above, but with two company mail servers.<br />
When there is more than one mail server, you need to add another routing rule.<br />
For example:<br />
...@domain2 = via Mail Transfer Agent 2<br />
...@domain1 = via Mail Transfer Agent 1<br />
which says that e-mails @domain1 should go via Mail Transfer Agent 1, and<br />
e-mails @domain2 should go via Mail Transfer Agent 2.<br />
Figure 4–2. <strong>Webwasher</strong> as Relay Host, multiple Mail Transfer Agents