SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FBF based on URL

    Posted 04-23-2013 04:42

    Hi there,

     

    I was wondering if it is possible to have all traffic forwarded to a specific ISP in a typical dual-ISP scenario, say all queries sent to www.google.com go to isp1.

     

    Thanks in advance,

     

    Bob



  • 2.  RE: FBF based on URL

    Posted 04-24-2013 05:44

    Hello,

    Nice idea but difficult to implement without proxy servers.

    Let me explain:

    1/ HTTP GET request comes after 3-way TCP handshake. So, the intercepting node (router, firewall or proxy server) must locally terminate TCP 3-way HS and wait for HTTP GET request.

    2/ There may be other HTTP requests before GET, so the intercepting node must respond to them locally as well.

    3/ HTTP GET request might span a few packets (in case URL is huge) therefore intercepting node must reassemble TCP segments as well.

    4/ If the HTTP response is a redirect to another URL, which may be either HTTP or HTTPS, then the intercepting node must listen to HTTP responses as well, or terminate the ensuing SSL handshake to find out what the new URL is.

    I am not aware of any Juniper product which supports such functionality. You may wish to try installing an HTTP/HTTPS proxy server, freeware or commercial.

    HTH

    Thanks
    Alex 



  • 3.  RE: FBF based on URL

    Posted 04-30-2013 16:51

    Thanks Alex,

     

    We have an MS ISA server as a proxy server in place, but to the Juniper gateway, the proxy server is just like any other directly connected client. It seems to be difficult to divert any client's request to google.com through ISP1.

     

    It is really good to try to find solution out of the box though.

     

    Cheers,

     

     

    Bob



  • 4.  RE: FBF based on URL

    Posted 04-24-2013 23:50

    If only a few limited URLs, then maybe you could just translate the URL to IP and create a firewall filter to match those addresses and then routing instance ISP1.



  • 5.  RE: FBF based on URL

    Posted 04-30-2013 16:56

    Hi ,

     

    Thanks for your reply.

     

    Sounds like a good idea that you have. However, FBF is based on client IP rather than destination IP, right?

     

    Wonder if you have any configuration sample to the solution.

     

    Thanks and Regards,

     

    Bob



  • 6.  RE: FBF based on URL
    Best Answer

    Posted 05-01-2013 04:42

    I would test it like this:

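    family inet {
        filter redirect-google {
            /* destinations that should leave via the ISP1 instance */
            term R1 {
                from {
                    destination-address {
                        74.125.239.5/32;
                        74.125.239.1/32;
                    }
                }
                then {
                    routing-instance vrname;
                }
            }
            /* everything else follows the normal routing table */
            term else-accept {
                then accept;
            }
        }
    }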

    The other thing I am thinking is, since your proxy server is responsible for web requests, you could try this. If I understand it, your DNS server will send web requests to the proxy and all web requests will be sourced from the proxy, is that the case?

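    family inet {
        filter redirect-google {
            /* traffic sourced from the proxy goes to the ISP1 instance */
            term R1 {
                from {
                    source-address {
                        proxy_server_ip/32;
                    }
                }
                then {
                    routing-instance vrname;
                }
            }
            /* everything else follows the normal routing table */
            term else-accept {
                then accept;
            }
        }
    }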
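
The destination-address approach from this answer, carried through as an added example that is not part of the original post: a Python helper that turns the addresses a hostname resolved to into the full set of Junos `set` commands for filter-based forwarding. The instance name `ISP1`, next hop `192.0.2.1`, interface `ge-0/0/1`, `unit 0` and the rib-group name are assumptions, and the sample address list is constructed.

```python
import ipaddress

# Constructed sample: the two addresses from the post plus a duplicate,
# an adjacent host, and an IPv6 answer (AAAA) that 'family inet' cannot match.
SAMPLE = ["74.125.239.5", "74.125.239.1", "74.125.239.5",
          "74.125.239.4", "2001:db8::1"]

def fbf_set_commands(addresses, instance, next_hop, ingress_if,
                     filter_name="redirect-google"):
    """Render Junos set commands for destination-based FBF.

    addresses: strings already resolved from the hostname.
    instance, next_hop, ingress_if: site-specific values (assumptions here).
    """
    nets = set()
    for a in addresses:
        ip = ipaddress.ip_address(a.strip())  # ValueError on malformed input
        if ip.version == 4:                   # filter is family inet only
            nets.add(ipaddress.ip_network(f"{ip}/32"))
    if not nets:
        raise ValueError("no IPv4 addresses to match")
    # Merge duplicates and adjacent hosts into the fewest prefixes.
    prefixes = sorted(ipaddress.collapse_addresses(nets))
    gw = ipaddress.IPv4Address(next_hop)
    f = f"set firewall family inet filter {filter_name}"
    cmds = [
        f"set routing-instances {instance} instance-type forwarding",
        f"set routing-instances {instance} routing-options static route "
        f"0.0.0.0/0 next-hop {gw}",
        # Interface routes must be copied into the instance table so the
        # static route's next hop can be resolved there.
        f"set routing-options rib-groups fbf-{instance} import-rib "
        f"[ inet.0 {instance}.inet.0 ]",
        f"set routing-options interface-routes rib-group inet fbf-{instance}",
    ]
    cmds += [f"{f} term R1 from destination-address {p}" for p in prefixes]
    cmds += [
        f"{f} term R1 then routing-instance {instance}",
        f"{f} term else-accept then accept",
        # The filter only takes effect once applied inbound on the LAN side.
        f"set interfaces {ingress_if} unit 0 family inet filter input "
        f"{filter_name}",
    ]
    return cmds

if __name__ == "__main__":
    print("\n".join(fbf_set_commands(SAMPLE, "ISP1", "192.0.2.1", "ge-0/0/1")))
```

The address set returned for a hostname changes over time, so the list has to be regenerated from fresh lookups for the filter to keep matching.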



  • 7.  RE: FBF based on URL

    Posted 05-12-2013 20:30

    Hi ,

     

    Thank you very much for the sample script.

     

    Modified the configuration, all works well.

     

    Cheers,

     

    Bob



  • 8.  RE: FBF based on URL

    Posted 05-13-2013 22:00

    Nice. We try to help out as much as we can. That is what we are here for. I too learn a lot from these forums. It also forces my brain to remember things I do not use very often and to look up those I have forgotten.