Certain situations require client-side or mutual authentication that might not be proxied appropriately, therefore you have to allow them to pass the firewall using a plug proxy. This situation arises most commonly in secure banking and online ordering sites that use HTTPS, or with dedicated client-server applications (such as WindowsUpdate). To maintain a list of such sites, use one of the following methods:
If the IP address of the affected servers is static, add them to a separate zone. For details, see Procedure 2.3.1, IP filtering using a zone.
Use a MatcherPolicy. Matcher policies can compare the IP address of the target server to a predefined list, and can be configured to behave differently if a match is found or not. Another example will use a domain-name-matcher policy to resolve domain names that have dynamic IPs, or change their addresses periodically (for example, they use DNS round-robin method). Matcher policies are a bit more resource intensive, but easier to use and maintain after the initial configuration. If nothing restricts it, use a matcher policy.
Use a DetectorService to select which service to start based on the traffic parameters. For details, see Section 6.7.2, Detector policies in Proxedo Network Security Suite 2 Administrator Guide and Procedure 6.4.4, Creating a new DetectorService in Proxedo Network Security Suite 2 Administrator Guide.
More sophisticated configurations using both types of whitelisting can be also implemented based on the following examples.
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu