Screen OS

  • 1.  SSG 140 reverse proxy routing help required

    Posted 08-06-2015 04:42

    I am trying to protect my webserver in the LAN (192.x.x.x) for access from the internet by configuring a reverse proxy server (10.x.x.x) between the firewall and the LAN.

    Any HTTPS requests that come into a particular interface (virtual public IP configured on the firewall) will be redirected to another interface (private IP). The incoming zone is on untrust. The proxy server interface is on the trust zone. This private IP subnet will host the proxy server, and its default gateway is configured on the SSG interface. However, I can't get this going and I can't see any requests coming through from one interface (untrust) to the proxy server interface (trusted). Can anyone point me to what's needed? Do I need to specify a MIP in the private IP subnet to point to the public IP?

  • 2.  RE: SSG 140 reverse proxy routing help required

    Posted 08-06-2015 15:33

    You have configured policy-based destination NAT. So the use of the MIP or VIP is not necessary, as the translation will take place in the policy.

    The public address that you use for this:

    Is it the interface address?

    Same subnet as the interface address?

    A different subnet from the interface address?

    Or you can have a look at this KB article. If you answer the questions in order you will get a specific set of instructions for your scenario.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11910

  • 3.  RE: SSG 140 reverse proxy routing help required

    Posted 08-07-2015 01:23

    Thank you Puluka for the reply.

    The public address that is used for this is the registered website address on the web.

    Is it the interface address? No. It is in the same subnet as the IP address configured on the interface.

    Same subnet as the interface address? Yes

    A different subnet from the interface address? No

  • 4.  RE: SSG 140 reverse proxy routing help required
    Best Answer

    Posted 08-07-2015 03:35

    In this case you are probably missing the proxy ARP. Add this for the public address you are using for the server.

    Your policy above looks correct.

    [Attached screenshot: SSGproxyARP.png]

  • 5.  RE: SSG 140 reverse proxy routing help required

    Posted 08-10-2015 04:31

    Thank you Puluka for your suggestion. However, I am unable to find the Proxy ARP tab under the network interfaces. Please see screenshot. Is it something related to upgrading the firmware to get the Proxy ARP functionality?

    Currently running:

    Firmware Version: 6.1.0r1.0 (Firewall+VPN)

  • 6.  RE: SSG 140 reverse proxy routing help required

    Posted 08-10-2015 15:17

    The specific proxy ARP tab and options were introduced in ScreenOS 6.3, so you are probably running an earlier version.

    Use this general command on the CLI only instead to activate proxy-arp for NAT rules generally.

    set arp nat-dst