Posted to users@trafficserver.apache.org by Nguyen Hai Nam <na...@nd24.net> on 2011/10/08 04:14:37 UTC

Implement ATS Tproxy in current situation

Hi,

I'm new to ATS, I'm running an ATS box for testing and feel amazing
with the performance of ATS. So I'd like to setup an ATS in real
network environment.

Here is a simple image of my network:
http://a9tm.files.wordpress.com/2011/10/lan.png

It's in WORKGROUP network, the direction is R0 and R1 used to connect
to branches (subnet of 10.0.0.0/8), R1 is default gateway then there
are two routes: R0 for Local and R2 for Internet.

The issue is in R2, it's multi-services router that supplies IPsec
terminal, VoIP, DHCP server, ...

I'd like to place an ATS Tproxy in front of R2 to monitor Internet
traffic from the LAN, including filtering ...

My current testing ATS server is working fine, but I'll have to
re-configure the proxy settings on every PC in the office. It's so
crazy when I have a hundred PCs. So, I'll have my own responsibilities
to make the users' web experience smooth and secure. I think
you'll understand the situation.

Now I hope you gurus can help me with ideas or guides for my ATS configuration.

Thanks,

--
Best regards,
Hai Nam, Nguyen

Re: Implement ATS Tproxy in current situation

Posted by Nguyen Hai Nam <na...@nd24.net>.
> That box before R2 is not a router I suppose..?
>
> Why not put ATS *behind* R2, or rather in the DMZ, and route everything
> that goes to port 80 and 443 through ATS? -- That's sort of the
> definition of "transparent" proxy. It's transparent to the client
> because you don't have to touch those.

Hi,

I'm following the idea of changing the route 0.0.0.0/0 on R1 to point
to ATS; on ATS I've written an iptables DNAT rule which forwards traffic
with destination port 80 to ATS:8080.

I'm reading old documentation of Traffic Server that describes an L4
switch or WCCP2, but both of them are expensive to implement (esp. the L4
switch) and my routers don't support WCCP2.

After I route the Internet traffic to ATS, my feeling is it's not fast
enough compared to when the proxy settings are configured in the browser.
I still don't know the reason why, but I guess it's caused by iptables.
Here are my rules; it would be much appreciated if you or somebody could
correct them for me:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.7:8080

iptables -A FORWARD -p tcp -o eth0 -d 10.0.0.7 --dport 80 -m state --state NEW -j ACCEPT

Thanks,
~Neddy
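
An added example, not part of the original post: a minimal Python model of the netfilter hook order (nat PREROUTING, then the routing decision, then filter INPUT or FORWARD) applied to the two rules above, showing which chain and which destination port the filter table sees after the DNAT. The sample client packet, the local-address sets and the function names are constructed for illustration; the post does not say whether 10.0.0.7 is the ATS box itself, so both cases are run.

```python
# Added illustration: models only the two rules quoted in the post.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int

def nat_prerouting(pkt):
    # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.7:8080
    if pkt.dport == 80:
        return replace(pkt, dst="10.0.0.7", dport=8080)
    return pkt

def forward_rule_matches(pkt):
    # iptables -A FORWARD -p tcp -o eth0 -d 10.0.0.7 --dport 80 ... -j ACCEPT
    # (the -o eth0 and --state NEW conditions are assumed to hold)
    return pkt.dst == "10.0.0.7" and pkt.dport == 80

def traverse(pkt, local_addrs):
    """Return (filter chain traversed, packet as seen there, FORWARD rule hit)."""
    pkt = nat_prerouting(pkt)          # NAT rewrite happens before routing
    if pkt.dst in local_addrs:         # rewritten destination is this box
        return "INPUT", pkt, False     # FORWARD is never traversed
    return "FORWARD", pkt, forward_rule_matches(pkt)

if __name__ == "__main__":
    client_syn = Packet(dst="203.0.113.10", dport=80)   # constructed sample
    cases = (("10.0.0.7 is this box", {"10.0.0.7"}),
             ("10.0.0.7 is another host", {"10.0.0.1"}))
    for label, local in cases:
        chain, seen, hit = traverse(client_syn, local)
        print(f"{label}: chain={chain} dst={seen.dst}:{seen.dport} rule_hit={hit}")
```

In both cases the filter table sees port 8080, so a rule matching `--dport 80` after the DNAT is not hit; if 10.0.0.7 is local, the connection arrives on INPUT and the FORWARD chain is not consulted at all.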



Re: Implement ATS Tproxy in current situation

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Hi,
> 
> I'm new to ATS, I'm running an ATS box for testing and feel amazing
> with the performance of ATS. So I'd like to setup an ATS in real
> network environment.
> 
> Here is a simple image of my network:
> http://a9tm.files.wordpress.com/2011/10/lan.png
> 
> It's in WORKGROUP network, the direction is R0 and R1 used to connect
> to branches (subnet of 10.0.0.0/8), R1 is default gateway then there
> are two routes: R0 for Local and R2 for Internet.
> 
> The issue is in R2, it's multi-services router that supplies IPsec
> terminal, VoIP, DHCP server, ...
> 
> I'd like to place an ATS Tproxy in front of R2 to monitor Internet
> traffic from the LAN, including filtering ...

That box before R2 is not a router I suppose..?

> My current testing ATS server is working fine, but I'll have to
> re-configure the proxy settings on every PC in the office. It's so
> crazy when I have a hundred PCs. So, I'll have my own responsibilities
> to make the users' web experience smooth and secure. I think
> you'll understand the situation.
> 
> Now I hope you gurus can help me with ideas or guides for my ATS
> configuration.


Why not put ATS *behind* R2, or rather in the DMZ, and route everything
that goes to port 80 and 443 through ATS? -- That's sort of the
definition of "transparent" proxy. It's transparent to the client
because you don't have to touch those.

> Thanks,
> 
> --
> Best regards,
> Hai Nam, Nguyen

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 571B 8B8A FC97 266D BDA3  EF6F 43AD 80A4 5779 3257