2.3. Exemption sites and whitelists

Certain situations require client-side or mutual authentication that might not be proxied appropriately; in these cases you have to let the traffic pass the firewall through a plug proxy. This arises most commonly with secure banking and online ordering sites that use HTTPS, or with dedicated client-server applications (such as Windows Update). To maintain a list of such sites, use one of the following methods:

  • If the IP address of the affected servers is static, add them to a separate zone. For details, see Procedure 2.3.1, IP filtering using a zone.

  • Use a MatcherPolicy. Matcher policies compare the IP address of the target server to a predefined list, and can be configured to behave differently depending on whether a match is found. A further example uses a domain-name matcher policy to resolve the names of servers whose IP addresses are dynamic or change periodically (for example, because they use DNS round-robin). Matcher policies are somewhat more resource-intensive, but easier to use and maintain after the initial configuration. If nothing prevents it, use a matcher policy.

  • Use a DetectorService to select which service to start based on the traffic parameters. For details, see Section 6.7.2, Detector policies in Proxedo Network Security Suite 1.0 Administrator Guide and Procedure 6.4.4, Creating a new DetectorService in Proxedo Network Security Suite 1.0 Administrator Guide.

More sophisticated configurations that combine both types of whitelisting can also be implemented based on the following examples.
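As an added illustration, not configuration from the Proxedo guide and not its policy syntax, the following Python models the selection logic the list above describes: a zone check for static addresses, a domain-name matcher that re-resolves periodically so round-robin or changing addresses keep matching, and a fall-through to the inspecting HTTPS proxy. The subnets, domain names and DNS answers are constructed sample values.

```python
import ipaddress
import time
from typing import Callable, Iterable, List

# Constructed sample data (not from the guide): a static-IP exemption zone
# and a domain-name whitelist for a server whose address changes (round-robin).
EXEMPT_SUBNETS = ["203.0.113.0/24"]       # hypothetical banking site range
EXEMPT_DOMAINS = ["update.example.com"]   # hypothetical client-server application

# Constructed DNS answers so the example runs offline; a deployment would
# query the real resolver instead.
FAKE_DNS = {"update.example.com": ["198.51.100.7", "198.51.100.8"]}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def in_exempt_zone(ip: str, subnets: Iterable[str] = EXEMPT_SUBNETS) -> bool:
    """Zone-style whitelist: true when ip falls inside any exemption subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in subnets)


class DnsMatcher:
    """Domain-name whitelist: resolves the listed names and compares every
    returned address; re-resolves once the cached answer is older than ttl
    seconds so dynamic or round-robin addresses keep matching."""

    def __init__(self, domains: Iterable[str], resolve: Callable[[str], List[str]],
                 ttl: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self.domains, self.resolve, self.ttl, self.clock = list(domains), resolve, ttl, clock
        self._cache: set = set()
        self._stamp: float = float("-inf")   # forces resolution on first use

    def matches(self, ip: str) -> bool:
        now = self.clock()
        if now - self._stamp >= self.ttl:
            self._cache = {a for name in self.domains for a in self.resolve(name)}
            self._stamp = now
        return ip in self._cache


MATCHER = DnsMatcher(EXEMPT_DOMAINS, fake_resolve)


def select_service(dst_ip: str, matcher: DnsMatcher = MATCHER) -> str:
    """Pick the service for a connection: exempted destinations get the plug
    proxy (pass-through, so no TLS inspection), all others the HTTPS proxy."""
    if in_exempt_zone(dst_ip):
        return "plug (zone match)"
    if matcher.matches(dst_ip):
        return "plug (matcher)"
    return "https-proxy"
```

Because plug-proxied connections are not inspected, keep the exemption lists short and log which rule selected the plug service for each connection.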