Re: Should proxy have one interface or two



Gleb,

I would like to explain what I think are the possible reasons with
the help of the scenarios below.

1) Internet ----- (public interface)---- Proxy ---- (internal
interface)-------LAN

The public interface of the proxy would have a public IP. The internal
IPs can be PATed/NATed to this interface's IP or can have a different
IP in the same public segment (as that of the public interface). However, the
internal LAN would mostly have a private IP subnet. So, two different
subnets, one for the public internet and the other for the private LAN. And so we
would need one IP from each segment on the proxy device. The
interfaces can be virtual or physical. Both the subnets (public and
private) cannot be/should not be part of the same subnet because it will
defeat the purpose of a proxy and we are bound to have routing
complications.

2) If we would still go ahead and have a single interface, the setup
will look like below, where the LAN and public subnet are in the same
subnet. So, LAN IPs would have public IPs !!! But you would
still have a routing issue (explained in point 4).

Internet ------ (public and private subnet )---Proxy.

3) You can say that we can add a router/L3 device in between like
below. The router will take care of NAT/PAT.

Internet ------ (pub int)----RTR ------- Proxy
                              |
                             LAN

In this set up the router will have three interfaces: one to the internet
(which does SNAT), one to the proxy and one to the LAN. The LAN's PCs would have the proxy
configured in their browser. When the LAN wants to go on the internet via
the proxy, the router will have to send this to the proxy's IP (so the
router needs to have its default gateway pointing to the proxy). Now once the
proxy receives and processes this, it would send it back to the router
to go to the internet because the proxy's default gateway is the router.
However, the router has its default gateway pointing to the proxy !!! The
packet will loop between the proxy and the router and will never traverse
outside because the router has to send all the traffic to the proxy for
processing and the proxy has to send the processed traffic to the internet
via the router. Please note, the router would also need a default
route pointing to the internet gateway !!! So the traffic from the LAN
would never make it to the internet via such a 'one arm routing on proxy'
set up.

4) The above scenario will work if we configure separate VRFs on the
router: one VRF for the LAN, another for the proxy and a third, the global routing
table. So, we have pushed the need for two interfaces from the proxy to the
router (with the help of VRFs)!

Since we are humans, we can apply all sorts of knowledge and still get
it working with the proxy having one interface. However, this will
complicate the rest of the network and increase the cost of the solution
as we would need additional devices. Additionally, it will also make
troubleshooting complicated for the network administrators in case
of an issue.

The simplest solution is to have two interfaces on the proxy !!! ;-)

Hope this will help to understand. Let me know if you have any questions.

Thanks,
Aditya Govind Mukadam
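
As an added illustration (not part of the thread), a small Python simulation of the setups from points 1, 3 and 4 above: each node gets a routing table with longest-prefix match, and the router's table can be split per ingress neighbour to stand in for the VRFs of point 4. Node names, IP addresses and the origin host are constructed samples.

```python
from ipaddress import ip_address, ip_network
# Added example, not from the thread: a toy forwarding simulation. A node owns some
# addresses and a routing table: a longest-prefix list of (prefix, next hop), or a
# dict keyed by ingress neighbour to imitate VRFs. "internet" is the upstream sink.

def next_hop(tables, node, dst, prev):
    routes = tables[node]["routes"]
    if isinstance(routes, dict):                 # VRF: table chosen by ingress
        routes = routes.get(prev, [])
    hits = [r for r in routes if ip_address(dst) in ip_network(r[0])]
    return max(hits, key=lambda r: ip_network(r[0]).prefixlen)[1] if hits else None

def forward(tables, src, dst, ttl=8):
    """Walk a packet from node src towards address dst; returns (status, path)."""
    path, node, prev = [src], src, None
    while ttl:
        if dst in tables[node]["addrs"]:
            return "delivered", path
        nxt = next_hop(tables, node, dst, prev)
        if nxt is None:
            return "no-route", path
        if nxt == "internet":
            return "delivered", path + ["internet"]
        prev, node, ttl = node, nxt, ttl - 1
        path.append(node)
    return "loop", path                          # TTL exhausted: router/proxy ping-pong

def proxied_request(tables, proxy_ip, origin_ip):
    """Browser on pc talks to the proxy; the proxy then fetches the origin itself."""
    s1, p1 = forward(tables, "pc", proxy_ip)
    if s1 != "delivered" or p1[-1] != "proxy":
        return s1, p1
    s2, p2 = forward(tables, "proxy", origin_ip)
    return s2, p1 + p2[1:]

LAN, PXY = "192.168.1.0/24", "10.0.0.0/24"      # constructed sample prefixes
ONE_ARM = {  # point 3: router in front of a single-homed proxy, one global table
    "pc": {"addrs": {"192.168.1.10"}, "routes": [("0.0.0.0/0", "router")]},
    "router": {"addrs": {"192.168.1.1", "10.0.0.1", "203.0.113.1"},
               "routes": [(LAN, "pc"), (PXY, "proxy"), ("0.0.0.0/0", "proxy")]},
    "proxy": {"addrs": {"10.0.0.2"}, "routes": [(PXY, "router"), ("0.0.0.0/0", "router")]},
}
VRF = {**ONE_ARM, "router": {"addrs": ONE_ARM["router"]["addrs"], "routes": {
    "pc": [(PXY, "proxy"), ("0.0.0.0/0", "proxy")],        # LAN VRF: all to proxy
    "proxy": [(LAN, "pc"), ("0.0.0.0/0", "internet")]}}}   # proxy VRF: straight out
TWO_IF = {  # point 1: proxy with an internal and a public interface, no router
    "pc": {"addrs": {"192.168.1.10"}, "routes": [("0.0.0.0/0", "proxy")]},
    "proxy": {"addrs": {"192.168.1.2", "203.0.113.2"},
              "routes": [(LAN, "pc"), ("0.0.0.0/0", "internet")]},
}
```

Calling `proxied_request(ONE_ARM, "10.0.0.2", "198.51.100.7")` reports the router/proxy loop, while the VRF and two-interface tables deliver the same request.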



On Fri, Jul 11, 2008 at 5:39 PM, Gleb Paharenko <gpaharenko@xxxxxxxxx> wrote:
Hi, list.

In many network designs the web proxy server has two interfaces. One is
for internal clients, the second is the outgoing interface for the proxy.
Why not use one interface both for incoming requests from users
and for outgoing requests from the proxy? Of course this interface should
be in a separate subnet with firewalled control on it and it should be
SNATed as well. Hope I clearly described my question of why it is
better to have two interfaces in different subnets for a web proxy.


--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko



