09-05-2012 12:58 PM
I don't know if this is even possible, but here it goes.
I have a branch SRX210 that has 3 zones setup on it. Here's the zones:
UnTrust - ge-0/0/0.0 (ISP connection)
Trust - vlan-trust (interface ge-0/0/1.0 (end user connections)
Direct - vlan-direct (interface fe-0/0/7.0)
There's also a VPN tunnel from the device to the corporate offices. The only zone that traverses the VPN is the Trust zone. I'm looking to forward HTTP and HTTPS traffic from the Trust zone only to a proxy server on the other side of the VPN. So, any Internet based traffic coming from the branch, in the Trust zone, goes through the corporate proxy server.
I've reviewed a few notes on this and these links:
But that all looks like the proxy is local to the SRX. I need to forward the traffic down the tunnel to the corporate proxy to save the headache of having to manually enter proxy info into 1,500+ systems. That's not to mention the traveling employees that would need to turn on and off the proxy settings based on where they're at.
All help is appreciated!
09-05-2012 03:43 PM
What you are probably looking for is Filter-Based forwarding, which allows you to capture interesting traffic and forward it to a destination without having to modify your routes to send everything down the tunnel.
- Create a forwarding instance which has a default route down the tunnel
- Create a firewall filter that captures TCP port 80 and 443 traffic with an action of routing-instance routing-instance
- Apply the firewall filter as an input to your trust/vlan interface
- Import interface routes to the forwarding instance by using RIB-groups under routing-options
Take a look at the following link: http://jsrx.juniperwiki.com/index.php?title=Filter
JNCIE-SEC #69, JNCIE-ENT #492, JNCSP-SEC, JNCSP-ENT, JNCIS-SP, JNCDS-DC, JNCDS-SEC
02-26-2013 12:26 PM
Sorry for the long delay. Thanks for the feedback. I've setup a forwarding vr with a firewall filter to go to an IP address needed. I ran into an issue due to the listening port on the destination system is 8080. I'm looking up how to make that work.