SRX Services Gateway
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
ds1602
Contributor
ds1602
Posts: 39
Registered: ‎12-22-2011
0

Using a Proxy for a Zone

Options

‎09-05-2012 12:58 PM

I don't know if this is even possible, but here it goes.

 

I have a branch SRX210 that has 3 zones setup on it. Here's the zones:

 

     UnTrust - ge-0/0/0.0 (ISP connection)

     Trust - vlan-trust (interface ge-0/0/1.0 (end user connections)

     Direct - vlan-direct (interface fe-0/0/7.0)

 

There's also a VPN tunnel from the device to the corporate offices. The only zone that traverses the VPN is the Trust zone. I'm looking to forward HTTP and HTTPS traffic from the Trust zone only to a proxy server on the other side of the VPN. So, any Internet based traffic coming from the branch, in the Trust zone, goes through the corporate proxy server.

 

I've reviewed a few notes on this and these links:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21046&cat=J6350_1&actp=LIST&smlogin=true

 

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-redirect-web-traffic-to-squid-proxy/td-p/11267...

 

But that all looks like the proxy is local to the SRX. I need to forward the traffic down the tunnel to the corporate proxy to save the headache of having to manually enter proxy info into 1,500+ systems. That's not to mention the traveling employees that would need to turn on and off the proxy settings based on where they're at.

 

All help is appreciated!

 

Message 1 of 3 (167 Views)
 
Reply
dark1587
Contributor
dark1587
Posts: 61
Registered: ‎08-01-2008
0

Re: Using a Proxy for a Zone

Options

‎09-05-2012 03:43 PM

What you are probably looking for is Filter-Based forwarding, which allows you to capture interesting traffic and forward it to a destination without having to modify your routes to send everything down the tunnel.

 

  1. Create a forwarding instance which has a default route down the tunnel
  2. Create a firewall filter that captures TCP port 80 and 443 traffic with an action of routing-instance routing-instance
  3. Apply the firewall filter as an input to your trust/vlan interface
  4. Import interface routes to the forwarding instance by using RIB-groups under routing-options

Take a look at the following link: http://jsrx.juniperwiki.com/index.php?title=Filter_Based_Forwarding

---
JNCIE-SEC #69, JNCIS-ENT, JNCIS-SSL, JNCIS-AC, JNCIA-IDP, JNCIA-WX
Message 2 of 3 (159 Views)
 
Reply
ds1602
Contributor
ds1602
Posts: 39
Registered: ‎12-22-2011
0

Re: Using a Proxy for a Zone

Options

‎02-26-2013 12:26 PM

Sorry for the long delay. Thanks for the feedback. I've setup a forwarding vr with a firewall filter to go to an IP address needed. I ran into an issue due to the listening port on the destination system is 8080. I'm looking up how to make that work.

Message 3 of 3 (55 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.