Thursday, March 29, 2018

Different Proxy Settings When On/Off VPN?

Hi all! I'm running into a bit of an architectural challenge at work and I'm wondering if other engineers have faced similar issues. Like most large organizations, we use a proxy for internet traffic (we use Cisco Ironport appliances specifically). Our deployment is not completely standard, however. Instead of using a proxy PAC in our browsers to actively redirect browser traffic to a proxy, we intercept all HTTP/HTTPS traffic as it's heading to our internet firewall with a policy-based route (like the one below) and then send all the 80/443 traffic to the proxy and everything else around it. The key is this doesn't discriminate between web browsing in IE/Chrome/Firefox and cloud apps' HTTP/HTTPS traffic like Office 365.

route-map Proxy deny 5
 match ip address no-pbr
route-map Proxy permit 10
 match ip address web-traffic
 set ip next-hop 10.10.10.10

10.10.10.10 is the proxy in this case. The access list "web-traffic" is just

10 permit tcp any any eq www
20 permit tcp any any eq 443

This worked fine for years, but now as we are using more and more cloud-based applications like Office 365 that do not work well with a proxy, we've had to begin maintaining an absurdly large bypass list (access list no-pbr in this example) that is becoming unwieldy (and beginning to fill the TCAM on our core routers which is another story).

The reason we don't just use a proxy PAC is that, to authenticate people before connecting to VPN, we allow them to go to a website where they get a secure code after putting in some credentials, which they then enter into AnyConnect. So according to our security team, we can't just use a proxy PAC because it will be too difficult for users to turn it off when they get their VPN code.

I realize this may be more of a Windows question, but does anyone know if there is a way to selectively use a proxy PAC so users could go to the authenticate.mycompany.com website to get their VPN auth code, but then use a browser-configured proxy for everything else so we don't have to worry about ridiculous bypass lists? In my opinion the PBR is a bad solution to this problem and there must be an application-level way to securely get people authenticated to VPN while still maintaining a proxy PAC.

Thanks!
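As an added example (not part of the original post), here is what the selective PAC described above could look like: the VPN pre-auth portal and other internal names go DIRECT, a sample of Office 365 domains go DIRECT, and everything else is sent to the Ironport. The proxy port (3128), the 10.0.0.0/8 internal range and the Office 365 hostnames are assumptions; only authenticate.mycompany.com and 10.10.10.10 come from the post. Browsers supply dnsDomainIs() and isPlainHostName() themselves; the guarded definitions at the top exist only so the file can be exercised with Node outside a browser.

```javascript
// Proxy auto-config (PAC) file: added example, not from the original post.
// Assumptions (placeholders, not values from the post):
//   - the Ironport proxy at 10.10.10.10 listens on port 3128 (port assumed)
//   - authenticate.mycompany.com is the VPN pre-auth portal (from the post)
//   - 10.0.0.0/8 is the internal address space (assumed)
//   - the Office 365 names below are a sample, not the full Microsoft endpoint list

// Browsers provide these PAC helpers; define them only when running outside a
// browser (e.g. under Node for testing). Semantics match the standard helpers.
if (typeof dnsDomainIs !== "function") {
  globalThis.dnsDomainIs = function (host, domain) {
    // true when host ends with domain, e.g. ("a.mycompany.com", ".mycompany.com")
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isPlainHostName !== "function") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1; // "intranet" but not "intranet.corp"
  };
}

var PROXY = "PROXY 10.10.10.10:3128"; // assumed port
var DIRECT = "DIRECT";

// Domain suffixes that bypass the proxy. The leading dot matters: it makes
// dnsDomainIs() match only real subdomains, so "mycompany.com.attacker.example"
// does not bypass.
var BYPASS_DOMAINS = [
  ".mycompany.com",        // covers authenticate.mycompany.com (VPN pre-auth)
  ".office365.com",
  ".office.com",
  ".outlook.com",
  ".microsoftonline.com",
  ".sharepoint.com"
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and loopback never leave the host/LAN.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return DIRECT;
  }

  // Literal internal IPs (10.0.0.0/8, assumed). A regex is used instead of
  // isInNet() so that the PAC never triggers a DNS lookup for this decision.
  if (/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) {
    return DIRECT;
  }

  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (dnsDomainIs(host, BYPASS_DOMAINS[i])) {
      return DIRECT;
    }
  }

  // Everything else goes through the proxy. Deliberately NOT "PROXY ...; DIRECT":
  // a DIRECT fallback would let browsers silently bypass the proxy whenever it
  // is unreachable, which defeats the control.
  return PROXY;
}
```

Two points worth checking when adapting this: keep the bypass list to explicit suffixes (avoid patterns like `shExpMatch(host, "*mycompany.com*")`, which also match attacker-controlled names containing that string), and remember that a PAC only governs clients that honour the browser/WinHTTP proxy settings, so non-browser traffic that the PBR currently catches would need to be handled separately.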


