Configuring Content Gateway to serve only transparent requests

You can configure Content Gateway to serve only transparent requests and prevent explicit proxy requests from being served in the following ways:

  • You can control client access to Content Gateway by specifying ranges of IP addresses that are allowed to connect to the proxy. If Content Gateway receives a request from an IP address not listed in a specified range, it discards the request. See Controlling client access to the proxy.
  • If you do not know the ranges of client IP addresses allowed to access Content Gateway, you can add rules to the ipnat.conf file on the Configure > Networking > ARM > General tab in the Content Gateway manager so that only requests that have been redirected by your Layer 4 switch or WCCP router reach the proxy port.

    To make a transparent-only Content Gateway server, add rules in the ipnat.conf file before the normal redirect service rule to redirect explicit proxy traffic to a port on which no service is listening.

    For example, if you want Content Gateway to ignore explicit HTTP requests, add rules above the normal HTTP redirect rule in the ipnat.conf file as shown below:

    rdr hme0 <ipaddress> port 80 -> <ipaddress> port <port_number> tcp

    rdr hme0 <ipaddress> port 8080 -> <ipaddress> port <port_number> tcp

    rdr hme0 0.0.0.0/0 port 80 -> <ipaddress> port 8080 tcp

    Here, <ipaddress> is the IP address of your Content Gateway system and <port_number> is a port number on which no service is listening.

    Add equivalent rules to the ipnat.conf file for each protocol service port or separate network interface to be served. After you make changes to the ipnat.conf file, you must restart the proxy.

  • If your Content Gateway system has multiple network interfaces or if you configure the Content Gateway operating system to use virtual IP addresses, you can give Content Gateway 2 IP addresses. One address must be the real address that the proxy uses to communicate with origin servers and the other a private IP address (for example 10.0.0.1) for WCCP or switch redirection. After you configure the IP addresses, you must add the following variables to the end of the records.config file. Replace <private_ipaddress> with the private IP address used for WCCP or switch redirection and <real_ipaddress> with the IP address the proxy uses to communicate with origin servers.

    LOCAL proxy.local.incoming_ip_to_bind STRING <private_ipaddress>

    LOCAL proxy.local.outgoing_ip_to_bind STRING <real_ipaddress>
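
The ipnat.conf option above depends on the rules for explicit traffic sitting above the normal redirect rule and pointing at a port other than the proxy port. The following is an added example, not part of the product or its documentation: a small offline check of a copy of ipnat.conf for those conditions. The function names, the sample address 192.0.2.10 and the port 65000 are assumptions made for illustration, and only the rule shape shown on this page is parsed.

```python
import re

# Rule shape used on this page:
#   rdr <iface> <dest> port <dport> -> <target> port <tport> tcp
RDR = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+tcp$")

def parse_rules(text):
    """Return (lineno, dest, dport, tport) for each rdr line; other lines are ignored."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RDR.match(line.strip())
        if m:
            rules.append((lineno, m.group(2), int(m.group(3)), int(m.group(5))))
    return rules

def audit(text, gateway_ip, proxy_port, explicit_ports):
    """Return findings that would let explicit requests reach the proxy port."""
    rules = parse_rules(text)
    findings = []
    # The "normal redirect rule": first 0.0.0.0/0 rule that targets the proxy port.
    normal = next((r for r in rules if r[1] == "0.0.0.0/0" and r[3] == proxy_port), None)
    if normal is None:
        findings.append("no 0.0.0.0/0 redirect to proxy port %d" % proxy_port)
    for port in explicit_ports:
        sink = next((r for r in rules if r[1] == gateway_ip and r[2] == port), None)
        if sink is None:
            findings.append("port %d: no rule for traffic addressed to %s" % (port, gateway_ip))
        elif sink[3] == proxy_port:
            findings.append("port %d: line %d still targets the proxy port" % (port, sink[0]))
        elif normal and sink[0] > normal[0]:
            findings.append("port %d: line %d is below the normal redirect on line %d"
                            % (port, sink[0], normal[0]))
    return findings

# Constructed samples: 192.0.2.10 stands in for <ipaddress>, 65000 for <port_number>.
GOOD = """\
rdr hme0 192.0.2.10 port 80 -> 192.0.2.10 port 65000 tcp
rdr hme0 192.0.2.10 port 8080 -> 192.0.2.10 port 65000 tcp
rdr hme0 0.0.0.0/0 port 80 -> 192.0.2.10 port 8080 tcp
"""
BAD = """\
rdr hme0 0.0.0.0/0 port 80 -> 192.0.2.10 port 8080 tcp
rdr hme0 192.0.2.10 port 80 -> 192.0.2.10 port 65000 tcp
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(conf, "192.0.2.10", 8080, [80, 8080]) or "ok")
```

The check does not confirm that nothing is listening on the chosen port; verify that separately on the Content Gateway system.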