Content Gateway IP spoofing

IP spoofing is sometimes used to support upstream activities that require the client IP address or a specific IP address. It also results in origin servers seeing the client or specified IP address instead of the proxy IP address (although the proxy IP address can be a specified IP address; more below).

Content Gateway IP spoofing support has the following features and restrictions:

  • IP spoofing is supported for HTTP and HTTPS traffic only.
  • When IP spoofing is enabled, it is applied to both HTTP and HTTPS. It cannot be configured for only one protocol.
  • HTTPS traffic is spoofed whether SSL support is enabled or not.
  • IP spoofing relies on the ARM.
  • In transparent proxy deployments using WCCP and IP spoofing, with GRE or L2 mode negotiation, neither HASH nor MASK assignment is supported on the source port or on the source port/source IP address combination.
  • IP spoofing is not supported with edge devices such as a Cisco ASA or PIX firewall. When this is attempted, requests made by Content Gateway using the client IP address are looped back to Content Gateway.
  • IP spoofing requires that all IP addresses in the same routing path use the same format. That is, all IP addresses must be either IPv6 or IPv4. A combination of IPv6 and IPv4 addresses is not supported.

Warning:

Deploying IP spoofing requires precise control of the routing paths on your network, because it overrides the normal routing process for traffic on TCP ports 80 and 443. Whether the proxy is configured as transparent or explicit, return traffic must be routed back to the proxy.

For assistance, please contact your network equipment vendor or Technical Support.

With IP spoofing enabled, traditional debugging tools such as traceroute and ping have limited utility.

Important: For a discussion of how the proxy kernel routing table affects transparent proxy deployment, see the Solution Center article titled "Web sites in the Static or Dynamic bypass list fail to connect."