Using Artica and Juniper Netscreen as a transparent proxy


We assume you have already created a transparent port through Artica and are running ScreenOS 5.4 or later.

In our example, the Artica proxy uses the 10.10.1.254 IP address.

Juniper Netscreen configuration

Policy Based Routing (PBR) will be used to re-route traffic destined for the internet to the proxy server.

Goal: route outbound HTTP traffic from the corporate LAN to an internal server (the proxy).

Extended ACLs match traffic based on IP addresses and ports.
Each ACL can contain multiple entries for different ports or addresses.

  • Create an ACL that matches outbound HTTP traffic from the corporate network.
set access-list extended 10 src-ip 10.10.1.0/24 dst-port 80-80 protocol tcp entry 10
  • Create an ACL for the proxy server's own traffic, so that it doesn't get routed back to itself.
set access-list extended 20 src-ip 10.10.1.254/32 dst-port 80-80 protocol tcp entry 20
  • A match group is a collection of one or more Extended ACLs, with a human-readable name.
    Create a match group named “Proxy” with an ID of 10 containing our extended ACL.
set match-group name Proxy
set match-group Proxy ext-acl 10 match-entry 10
  • Create a second match group for the systems that must be excluded from being routed through the proxy (here, the proxy itself).
set match-group name DirectHTTP
set match-group DirectHTTP ext-acl 20 match-entry 20
  • Action groups are a set of instructions for what matching traffic should do next.
    When multiple action entries are available, the first is always used.
    Create an action group which routes traffic to the proxy server on the internal network.
set action-group name Proxy
set action-group Proxy next-interface ethernet0/0 next-hop 10.10.1.254 action-entry 10
  • Create an action group that routes traffic as it normally would:
set action-group name DirectHTTP
set action-group DirectHTTP next-interface ethernet0/2 action-entry 10
  • A policy combines the match groups and action groups created above.
    When no policy entry matches, the normal routing tables are used.
    Create a new policy named “Proxy” with two entries.
    The first entry handles direct traffic that should bypass the proxy; the second routes traffic through the proxy.
set pbr policy name Proxy
set pbr policy Proxy match-group DirectHTTP action-group DirectHTTP 10
set pbr policy Proxy match-group Proxy action-group Proxy 20
exit
  • Apply the policy to the “Trust” interface so that it takes effect.
set interface ethernet0/0 pbr Proxy
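As an added example (not part of the original article, and not Artica or ScreenOS code), here is a small Python simulation of how this policy is evaluated: it parses the commands above and returns the next hop a given flow would receive. Its regexes and its first-match evaluation order are simplifying assumptions about ScreenOS; the point is to check that the bypass entry (sequence 10) is hit before the proxy entry (sequence 20) for the proxy's own address, since reversing that order would send the proxy's outbound HTTP back to itself.

```python
import ipaddress
import re

# Copy of the ScreenOS PBR configuration from the article (constructed test input).
CONFIG = """
set access-list extended 10 src-ip 10.10.1.0/24 dst-port 80-80 protocol tcp entry 10
set access-list extended 20 src-ip 10.10.1.254/32 dst-port 80-80 protocol tcp entry 20
set match-group name Proxy
set match-group Proxy ext-acl 10 match-entry 10
set match-group name DirectHTTP
set match-group DirectHTTP ext-acl 20 match-entry 20
set action-group name Proxy
set action-group Proxy next-interface ethernet0/0 next-hop 10.10.1.254 action-entry 10
set action-group name DirectHTTP
set action-group DirectHTTP next-interface ethernet0/2 action-entry 10
set pbr policy name Proxy
set pbr policy Proxy match-group DirectHTTP action-group DirectHTTP 10
set pbr policy Proxy match-group Proxy action-group Proxy 20
"""

# Assumed (simplified) grammar for the four command types used on this page.
ACL_RE = re.compile(r"set access-list extended (\d+) src-ip (\S+) dst-port (\d+)-(\d+) protocol (\w+) entry (\d+)")
MG_RE = re.compile(r"set match-group (\S+) ext-acl (\d+) match-entry (\d+)")
AG_RE = re.compile(r"set action-group (\S+) next-interface (\S+)(?: next-hop (\S+))? action-entry (\d+)")
POL_RE = re.compile(r"set pbr policy (\S+) match-group (\S+) action-group (\S+) (\d+)")

def parse(config):
    """Build ACL, match-group, action-group and policy tables from the config text."""
    acls, match_groups, action_groups, policies = {}, {}, {}, {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acl_id, src, lo, hi, proto, _ = m.groups()
            acls.setdefault(acl_id, []).append((ipaddress.ip_network(src), int(lo), int(hi), proto))
        elif m := MG_RE.match(line):
            name, acl_id, _ = m.groups()
            match_groups.setdefault(name, []).append(acl_id)
        elif m := AG_RE.match(line):
            name, iface, hop, _ = m.groups()
            action_groups.setdefault(name, []).append((iface, hop))
        elif m := POL_RE.match(line):          # "name" declaration lines simply do not match
            pol, mg, ag, seq = m.groups()
            policies.setdefault(pol, []).append((int(seq), mg, ag))
    return acls, match_groups, action_groups, policies

def next_hop(config, policy, src_ip, dst_port, proto="tcp"):
    """Return the (interface, next-hop) the policy applies to a flow, or None for normal routing."""
    acls, mgs, ags, pols = parse(config)
    src = ipaddress.ip_address(src_ip)
    for _, mg, ag in sorted(pols[policy]):      # policy entries are tried in sequence order
        for acl_id in mgs[mg]:
            for net, lo, hi, p in acls[acl_id]:
                if src in net and lo <= dst_port <= hi and p == proto:
                    return ags[ag][0]           # first action entry always wins
    return None
```

Swapping the two sequence numbers in the policy makes `next_hop` return the proxy itself for traffic sourced from 10.10.1.254, which is the routing loop the DirectHTTP entry exists to prevent.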
