This article explains how to configure various popular firewalls (Juniper, SonicWALL, Check Point, and Cisco ASA) to transparently redirect HTTP traffic over port 80 to the iSheriff Cloud Web Security.
HTTPS/SSL is not supported for transparent proxy redirect and hence port 443 cannot be redirected. It is mandatory to login to the iSheriff Cloud Console and add/authorize all external addresses assigned to your firewall under Filter Management > Web Filter > Setup > Source IP Address before configuring your firewall. The IP addresses are authorized by the iSheriff Cloud Security Team within a reasonable time. Alternatively, you can write to email@example.com to request for faster authorization.
Disclaimer: The information contained in this proposal is for informational purposes only and proprietary to iSheriff unless otherwise noted. While iSheriff has taken the greatest care to ensure the accuracy of all information in this document, iSheriff is not liable for any inaccuracies or reliance on the information provided herein.
Use the following instructions to configure a Juniper Firewall running firmware version 5.4 or higher and ScreenOS to send web traffic to the iSheriff Cloud Web Proxy over
1. Select Policy > Policies to create a new firewall policy. The current list of rules is displayed.
2. At the top of the page:
In the From drop-down list, select Trust
In the To drop-down list, select Untrust.
3. Click New.
4. Enter a Name for the new policy.
5. For the Source Address, either select Address Book Entry and choose a predefined address range from the drop-down list or select New Address and define the internal network address range.
6. For the Destination Address, select Address Book Entry and choose Any from the drop-down list.
7. Enable Logging to monitor the traffic and troubleshoot any issues in the future.
8. In the Service drop-down list, select HTTP.
9. Click Advanced.
10. Check the Destination Translation box.
11. Resolve the DNS name proxy.online.isheriff.com to the IP address of the iSheriff Cluster closest to your location by using nslookup on a workstation behind the Juniper Firewall being configured:
$ nslookup proxy.online.isheriff.com
Name: sf.web.isheriff.com #Closest iSheriff Cluster
Address: 220.127.116.11 #IP address resolving to the closest iSheriff cluster
12. In the Translate to IP field, enter the IP address returned from the step 11 and specify port 8082.
13. Click OK and test to ensure forwarding is working properly.
Use the following instructions to configure web proxy forwarding on a SonicWALL firewall to send web traffic to the iSheriff Cloud Web Proxy over port 8082.
1. Select Network > Web Proxy. The Automatic Proxy Forwarding (Web Only) page is displayed.
2. In the Proxy Web Server (name or IP address) field, enter proxy.online.isheriff.com.
3. In the Proxy Web Server Port field, enter 8082.
4. If you want SonicWALL to send web traffic directly to the Internet in the event that the iSheriff Cloud Web Proxy is unavailable, check the Bypass Proxy Servers Upon Proxy Server Failure box.
5. Click Apply and test to ensure forwarding is working properly.
Configuring Check Point:
Use the following instructions to configure web proxy forwarding in the Check Point Firewall to send web traffic to the iSheriff Cloud Web Proxy over port 8082.
1. To create a new firewall rule, go to the dashboard and select Network Objects from the left pane. The current rules are displayed in the right pane.
2. Find the rule with the service http_mapped and click the rule to open it. The Other Service Properties window is displayed.
3. In the Name field, double-click http_mapped. This opens the Advanced Other Service Properties window.
4. In the Match field, enter the iSheriff Cloud Web Proxy IP address for your closest datacenter cluster. To locate closest datacenter cluster, see step 11 under Configuring Juniper. Change the second port number in the field to 8082. The field should now be in the following format: SRV_REDIRECT(80,<IP ADDRESS>,8082)
5. Check the Accept Replies box.
6. Check the Match for ‘Any’ box.
7. Click OK to return to the dashboard.
8. Check that the following rule settings are defined for the http_mapped service:
VPN: Any Traffic
9. Test to ensure forwarding is work properly.
Configuring Cisco ASA:
Use the following instructions to configure a Cisco ASA version 8.3 or higher firewall to send web traffic to the iSheriff Cloud Web Proxy over port 8082.
1. Set up Service Objects to match TCP traffic going from all available ports to ports 8082:
hostname(config)# object service http-original
hostname(config-service-object)# service tcp source range 1
65535 destination eq www
hostname(config-service-object)# description http-original
hostname(config)# object service http-redirect
hostname(config-service-object)# service tcp source range 1
65535 destination eq 8082
hostname(config-service-object)# description http-redirect
2. Create a Network Object to match the source traffic that should be filtered by the iSheriff Cloud Web Proxy:
hostname(config)# object network Filtered-Web-Addresses
hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0
Use the subnet addresses that apply to your organization.
3. Create a Network Object to match the destination address of the iSheriff Cloud Proxy. See step 11 under Configuring Juniper to learn how to locate the closest iSheriff Web Security Cluster.
hostname(config)# object network iSheriff-Proxy
hostname(config-network-object)# host <closest iSheriff Web Security Cluster IP address>
hostname(config-network-object)# description iSheriff-Proxy
4. Using the Object and Network Services you have set up, create Network Address Translation (NAT) rules in your firewall to send web traffic from your internal addresses to the cloud service. We recommend two rules: one for internal IP addresses and another for your guest wireless network if needed.
The NAT statements for these rules are as follows:
nat (inside,outside) source dynamic any interface destination static Filtered-Web-Addresses iSheriff-Proxy service http-original http-redirect inactive
nat (guest-wireless,outside) source dynamic any interface destination static Filtered-Web-Addresses iSheriff-Proxy service http-original http-redirect inactive
The screenshot below shows how the first of these statements is defined in the Cisco ASDM interface.
For more information on configuring NAT in Cisco ASA, see the Cisco documentation available here.