Re: [squid-users] Transparent Mode and WCCP

From: Roman Gelfand <rgelfand2_at_gmail.com>
Date: Fri, 4 Jan 2013 09:01:29 -0500

So, the fortigate was configured based on the whitepaper you pointed
me to. The unencrypted http traffic works, but what I find is that
even though a request from the client arrives on squid via wccp, going
back it is routed via the standard tcp/ip path. Is that how wccp
communication is supposed to work with squid, or should it come back to
the client via wccp?

Also, https traffic is not working. I am not sure if it is ssl bump
that is causing it. Can you see why it wouldn't work?

Please note the same squid configuration works for both http and
https when the proxy is explicitly specified in the browser.

Thanks again for your help.

On Thu, Jan 3, 2013 at 11:37 PM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
> Hey,
>
> I have found this:
> http://kb.fortinet.com/kb/viewContent.do?externalId=FD30096
>
> which pretty much covers what needed to be done.
>
> WCCP is supposed to be a layer 2 interception, which TPROXY is the closest thing
> to.
>
> TPROXY uses the same src IP of the client for outgoing traffic based on a
> client connection.
>
> You can try to configure the fortigate device and maybe try to open a ticket
> for the FORTI guys in case you don't get it right.
>
> WCCP works with most catalyst devices I have tried.
> There are other ways to intercept traffic and it's only up to the level of
> your skills and knowledge.
>
> It seems like the fortigate is the right place to integrate squid
> interception to me.
>
> I noticed that you didn't configure all the squid directives needed to support
> auto WCCP service registration.
>
> Try to do it manually on the fortigate and see the results.
>
> Best regards,
> Eliezer
>
>
> On 1/4/2013 1:22 AM, Roman Gelfand wrote:
>>
>> Thanks for your help. Please, see attached configuration files and
>> topology picture.
>>
>> I am not using cisco device. I configured fortigate 50b firewall
>> wccp service using gre tunnel. In this case, I am using straight
>> transparent proxy. I have never used tproxy.
>>
>> I do have catalyst router which supports wccp2. Should I use that
>> instead of the fortigate?
>>
>> How does using tproxy instead of transparent proxy improve wccp routing?
>>
>> Thanks again
>>
>>
>> On Wed, Jan 2, 2013 at 4:39 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il>
>> wrote:
>>>
>>> Based on what did you configure your cisco router? What did you configure on
>>> your cisco router?
>>> What cisco device are you using?
>>>
>>> Did you have the chance to look at:
>>> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
>>>
>>> Please try to share more information on the infrastructure and the whole
>>> squid.conf, removing only confidential info.
>>>
>>> Did you have the chance to use TPROXY before?
>>> Did you try to sniff with tcpdump?
>>>
>>> Eliezer
>>>
>>>
>>> On 1/2/2013 3:38 AM, Roman Gelfand wrote:
>>>>
>>>>
>>>> I use wccp/gre tunnel. Port 80
>>>> requests work but 443 don't. I am not sure if this is right, but even
>>>> though data was received on wccp, no data was transmitted back over
>>>> wccp. In other words, squid server response was routed back, through
>>>> eth0 interface, rather than go through wccp0 interface. Is this
>>>> expected behavior? If not, what do I do to make
>>>> response go over wccp?
>>>>
>>>> my iptables config looks like this
>>>>
>>>> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.5.81:3228
>>>> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to 192.168.5.81:3229
>>>>
>>>> and squid.conf
>>>>
>>>> wccp2_service dynamic 90
>>>> wccp2_service_info 90 protocol=tcp priority=240 ports=80,443
>>>>
>>>
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> sip:ngtech_at_sip2sip.info
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il
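As an added consistency check (not from the thread or from the Squid project), the script below cross-references the three fragments Roman posted: the ports in wccp2_service_info, the DNAT rules on wccp0, and the ports Squid listens on. The http_port/https_port lines and the certificate path are assumptions, since the thread never shows Squid's listeners.

```python
import re

# Constructed input modelled on the thread; the http_port/https_port lines
# are assumptions, since the thread never shows Squid's listeners.
IPTABLES_RULES = """
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.5.81:3228
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to 192.168.5.81:3229
"""
SQUID_CONF = """
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp priority=240 ports=80,443
http_port 3228 intercept
https_port 3229 intercept ssl-bump cert=/etc/squid/PLACEHOLDER.pem
"""
DNAT_RE = re.compile(r"--dport (\d+) -j DNAT --to (\S+):(\d+)")
LISTEN_RE = re.compile(r"^(https?_port)\s+(?:\S+:)?(\d+)(.*)$")

def parse_dnat(rules):
    # intercepted dport -> (target ip, target port)
    return {int(m[1]): (m[2], int(m[3])) for m in DNAT_RE.finditer(rules)}

def parse_squid(conf):
    # -> (ports WCCP will redirect, {listener port: (directive, option list)})
    wccp_ports, listeners = set(), {}
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("wccp2_service_info"):
            m = re.search(r"ports=([\d,]+)", line)
            if m:
                wccp_ports.update(int(p) for p in m[1].split(","))
        elif m := LISTEN_RE.match(line):
            listeners[int(m[2])] = (m[1], m[3].split())
    return wccp_ports, listeners

def check(rules, conf):
    # Empty list means WCCP ports, DNAT targets and Squid listeners agree.
    dnat = parse_dnat(rules)
    wccp_ports, listeners = parse_squid(conf)
    findings = []
    for port in sorted(wccp_ports):
        if port not in dnat:
            findings.append(f"WCCP redirects port {port} but no DNAT rule on wccp0 catches it")
            continue
        _, target = dnat[port]
        if target not in listeners:
            findings.append(f"port {port} is DNAT'd to {target}, where Squid has no listener")
        elif "intercept" not in listeners[target][1]:
            findings.append(f"{listeners[target][0]} {target} lacks 'intercept', "
                            "so DNAT'd requests are not parsed as intercepted traffic")
    for port in sorted(set(dnat) - wccp_ports):
        findings.append(f"DNAT rule for port {port} is never fed by the WCCP service")
    return findings
```

Run `check()` against the real rule set and squid.conf before chasing packet captures; a mismatch between the three pieces shows up as a finding.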
Received on Fri Jan 04 2013 - 14:01:36 MST