Understanding the Transparent Bridge mode
The Transparent Bridge mode is a way of deploying a Secure Web Gateway appliance where the browser or client is not "proxy aware" and Secure Web Gateway is installed in-line with the network.
Because Secure Web Gateway sits in the physical network path, you cannot make logical decisions, by routing or otherwise, about which traffic is sent through it. All of your traffic passes through Secure Web Gateway, whether it is filtered or not.
This documentation discusses Transparent Bridge scenarios with a single Secure Web Gateway appliance, as well as with multiple Secure Web Gateway appliances, including some setup considerations. It is not meant to be a step-by-step setup guide for the Transparent Bridge mode, but rather to assist with pre-deployment planning.
Setup Considerations
You should consider the following when setting up a Secure Web Gateway appliance in Transparent Bridge mode.
Direct Proxy vs. Transparent Deployment
The Transparent Bridge mode is often chosen because administrators do not want to change browser settings for traffic to reach Secure Web Gateway.
This is a common misconception. In reality, browser changes are often still needed (for example, so that clients trust the certificate used for HTTPS inspection), and transparent deployments typically add complexity and require more work from the administrator.
We recommend that you read Direct Proxy vs. Transparent Deployment before making a final decision to use the Transparent Bridge mode.
Port Redirects and Exceptions
The Transparent Bridge settings on Secure Web Gateway let you choose which ports are redirected to the Secure Web Gateway proxy. Secure Web Gateway is usually configured to filter only web traffic arriving on the default ports 80 and 443. Traffic on other ports is bridged through unfiltered.
Beginning with Secure Web Gateway 7.3.2, you can also configure exceptions, for example, exempting a particular source or destination IP address from being redirected to the proxy. Exceptions are configured under Configuration > Appliances > <Appliance ID> > Proxies > Port Redirects. They are entered as a comma-separated list, and each entry must specify an IP address together with its netmask.
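To make the redirect and exception rules above concrete, here is an added example (not the appliance's own code) that models the bridge's decision for a flow: a packet is handed to the proxy only if its destination port is in the redirect set and neither endpoint matches an exception entry. It also parses the comma-separated exception list and rejects entries that lack a netmask, since the page says every entry must carry one. The port set, the sample flows and the assumption that an exception matches either the source or the destination address are assumptions for illustration.

```python
import ipaddress

# Ports the bridge redirects to the proxy; the page's default set.
DEFAULT_REDIRECT_PORTS = frozenset({80, 443})


def parse_exception_list(text):
    """Parse a comma-separated 'address/netmask' list into ip_network objects.

    Both dotted netmasks (10.10.0.0/255.255.0.0) and prefix lengths
    (192.168.5.7/32) are accepted.  A bare address without a netmask raises,
    rather than being silently widened or ignored, so a typo in the
    Port Redirects field cannot quietly exempt the wrong range.
    """
    networks = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError(f"exception entry {entry!r} has no netmask")
        # strict=False tolerates host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def bridge_decision(src, dst, dst_port,
                    redirect_ports=DEFAULT_REDIRECT_PORTS, exceptions=()):
    """Return 'proxy' if the flow goes to the rule engine, else 'passthrough'.

    Modelled decision order (assumption, not the vendor's implementation):
      1. destination port not in the redirect set -> bridged unfiltered
      2. source or destination inside an exception network -> bridged unfiltered
      3. otherwise -> redirected to the proxy
    """
    if dst_port not in redirect_ports:
        return "passthrough"
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for net in exceptions:
        if src_ip in net or dst_ip in net:
            return "passthrough"
    return "proxy"


def classify_flows(flows, exceptions):
    """Evaluate a list of (src, dst, dst_port) tuples; returns a list of decisions."""
    return [bridge_decision(s, d, p, exceptions=exceptions) for s, d, p in flows]


if __name__ == "__main__":
    # Constructed exception list and flows, purely for demonstration.
    exceptions = parse_exception_list("10.10.0.0/255.255.0.0, 192.168.5.7/32")
    flows = [
        ("10.1.1.1", "203.0.113.5", 443),   # normal HTTPS client -> proxy
        ("10.1.1.1", "203.0.113.5", 22),    # SSH: not a redirected port
        ("10.10.3.4", "203.0.113.5", 80),   # exempted source subnet
        ("10.1.1.1", "192.168.5.7", 80),    # exempted destination host
    ]
    for flow, decision in zip(flows, classify_flows(flows, exceptions)):
        print(f"{flow[0]:>12} -> {flow[1]:<13} :{flow[2]:<4} {decision}")
```

Keep in mind that "passthrough" here means the packet still crosses the appliance physically; it simply bypasses the proxy and rule engine, exactly as the page describes for non-redirected ports.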
Finalizing the Setup
It is very important to restart your Secure Web Gateway appliance once you have configured it in Transparent Bridge mode. The restart loads the network drivers needed for this deployment.
We also strongly recommend restarting the appliance when switching from Transparent Bridge to another mode, for example, the Direct Proxy mode. A restart is required if you switch to the WCCP mode.
Transparent Bridge Mode with a Single Appliance
When using Secure Web Gateway in a Transparent Bridge setup, note that it is in-line, so there is no way to route around the appliance physically.
Secure Web Gateway lets you choose which traffic (ports) is actually forwarded to the proxy and rule engine, but traffic on a port that is not configured to go there still passes through the appliance physically, because the appliance is in-line with the network.
Single Point of Failure
When deciding how many Secure Web Gateway appliances to deploy in your network, we recommend using more than one.
A single appliance is a single point of failure: if it goes down, traffic is interrupted. With at least one additional appliance, the other appliance can take over as a failover device when one of them fails.
Fail-open Kit
If you are in a situation where only a single appliance in Transparent Bridge mode is possible, we highly recommend purchasing a fail-open kit.
Fail-open kits can also be useful in deployments with multiple appliances to prevent any kind of traffic disruptions.
Transparent Bridge Mode with Multiple Appliances
Using multiple appliances is the recommended option for a Transparent Bridge deployment, but there are a few things to consider when setting this up.
When multiple Secure Web Gateway appliances run as nodes in a Transparent Bridge setup, web traffic is load-balanced between the nodes. The second appliance does not act solely as a failover device; it receives and handles web traffic as well.
Transparent Bridge Basics (Multiple Appliances)
The following are the basics of what you need to consider for a Transparent Bridge setup with multiple appliances.
- One Secure Web Gateway appliance is configured as the "director" and is responsible for load-balancing. This means it decides which of the other appliances serves a particular web access request when it comes in.
- Only one appliance can be the director at a time.
- All appliances must be able to communicate with one another for load-balancing and for communicating the director status.
- Secure Web Gateway uses the Spanning Tree Protocol (STP), which is already enabled in the operating system, to communicate the director status and to provide a health check among the nodes. No STP configuration is needed on Secure Web Gateway.
- STP must not be enabled on any switch to which Secure Web Gateway is directly connected.
Spanning Tree Protocol (STP)
The Spanning Tree Protocol (STP) runs on most switches. Simply put, its purpose on a switch is to find loops in the network and shut down a port so that a single path remains. This presents a problem for communication between the Secure Web Gateway appliances, which need to be able to talk to one another to establish director status and to assign which appliance handles a particular web request.
If STP is enabled on the switches that the appliances are directly connected to, it is highly likely that ports needed for communication between them will be shut down at some point. Once this happens, the appliances no longer know about each other, and each of them acts as the director node, which effectively stops all traffic.
Sample configuration: STP is enabled on the inbound and outbound switches. These are connected to the Secure Web Gateway (SWG, formerly: MWG) appliances, which are set up as nodes in Transparent Bridge mode. The switch ports, marked here with the letters A, B, G, and H, will eventually be shut down.
Connections between appliances and switches are as follows:
- SWG (MWG) node 1 is connected to the inbound switch on port A
- SWG (MWG) node 1 is connected to the outbound switch on port G
- SWG (MWG) node 2 is connected to the inbound switch on port B
- SWG (MWG) node 2 is connected to the outbound switch on port H
When STP is enabled on the switches, ports A, B, G, and H are all subject to eventually being shut down. For this sample configuration, assume that port B has been shut down.
- From the perspective of the inbound or outbound switch, all is well, as there are no loops in the topology anymore.
- From the perspective of Secure Web Gateway, because port B has been shut down, SWG (MWG) node 1 can no longer communicate its director status to SWG (MWG) node 2 over STP. Both appliances now take ownership and continue as director nodes. This interrupts traffic and prevents Secure Web Gateway from filtering.
Requirements
For a Transparent Bridge deployment with multiple Secure Web Gateway appliances, you need to choose one of the following two options.
- Option 1 — Completely disable the Spanning Tree Protocol (STP) on the switches that are directly connected to the appliances. This allows them to communicate appropriately. If other devices also use these switches, we recommend Option 2.
- Option 2 — Introduce basic switches without STP and connect the appliances to them, so that STP on the inbound and outbound switches cannot interfere with the communication between the appliances.
Introducing basic switches between the core switches adds an extra layer that prevents the required switching paths from being shut down.
Sample configuration: One basic switch sits between the Secure Web Gateway (SWG, formerly: MWG) appliances and the inbound switch. Another sits between the appliances and the outbound switch.
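Whichever option you choose, it is worth verifying the result rather than trusting the switch configuration: if the switch port facing an appliance still runs STP, it will send STP BPDUs to that port. The following is an added example (not part of the original page and not vendor code) that audits per-interface capture output for BPDUs, so you can confirm that no STP frames reach the appliances' bridge interfaces. The sample lines are constructed in the style of tcpdump's STP decoder and the interface names are assumptions; the capture step itself, run on each interface of each node, would be something like `tcpdump -i eth1 -nn -c 5 stp`, where `stp` is the standard pcap filter for 802.1D frames.

```python
import re

# Constructed sample capture output, keyed by the interface it was taken on.
# These are not real captures; the lines mimic tcpdump's STP decoding.
SAMPLE_CAPTURES = {
    "eth1": [
        "10:01:02.000123 STP 802.1d, Config, Flags [none], "
        "bridge-id 8000.00:11:22:33:44:55.8001, length 35",
        "10:01:04.000456 STP 802.1d, Config, Flags [none], "
        "bridge-id 8000.00:11:22:33:44:55.8001, length 35",
    ],
    "eth2": [
        "10:01:02.100000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28",
        "10:01:03.200000 IP 10.0.0.20.51514 > 203.0.113.5.443: Flags [S], length 0",
    ],
}

# Matches the STP protocol version tcpdump prints (802.1d, 802.1w, 802.1s).
STP_RE = re.compile(r"\bSTP (802\.1[dws])\b")
# Matches the sending bridge identifier, if the decoder printed one.
BRIDGE_RE = re.compile(r"bridge-id ([^,\s]+)")


def parse_bpdu(line):
    """Return (stp_version, bridge_id) for a decoded BPDU line, else None."""
    m = STP_RE.search(line)
    if not m:
        return None
    b = BRIDGE_RE.search(line)
    return (m.group(1), b.group(1) if b else None)


def audit_interfaces(captures):
    """Map each interface that received BPDUs to the set of (version, bridge-id) seen.

    Interfaces with no BPDUs are omitted, so an empty result means no
    switch port facing the appliance is talking STP to it.
    """
    found = {}
    for iface, lines in captures.items():
        hits = {h for h in (parse_bpdu(ln) for ln in lines) if h}
        if hits:
            found[iface] = hits
    return found


def stp_active_interfaces(captures):
    """Sorted list of interface names on which STP BPDUs were observed."""
    return sorted(audit_interfaces(captures))


if __name__ == "__main__":
    report = audit_interfaces(SAMPLE_CAPTURES)
    if not report:
        print("OK: no STP BPDUs seen on any appliance interface")
    for iface, hits in report.items():
        for version, bridge_id in sorted(hits):
            print(f"WARNING: {iface} receives {version} BPDUs from bridge {bridge_id}; "
                  f"STP is still active on the attached switch port")
```

Run the capture on every bridge interface of every node for at least a couple of STP hello intervals (the default hello time is two seconds, so a short capture suffices). Seeing a BPDU on an interface means the attached switch port is still participating in STP, regardless of whether you chose Option 1 or Option 2, and the bridge identifier tells you which switch is sending it.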
Summary Checklist
Here is a summary of what was explained in the preceding sections of this documentation.
- In a Transparent Bridge setup, Secure Web Gateway is in-line with the network. This can make administration difficult.
- We recommend using multiple Secure Web Gateway appliances if you choose this deployment type.
- Restart a Secure Web Gateway appliance after configuring it into or out of the Transparent Bridge mode.
- When using the Transparent Bridge mode with multiple Secure Web Gateway appliances, you must disable the Spanning Tree Protocol (STP) on switches that are directly connected to the Secure Web Gateway appliances, or introduce basic switches without STP, to ensure the appliances can communicate.