Fireware/HTTP Proxy
This document applies to:
Appliance: Firebox X Core / Firebox X Core e-Series / Firebox X Peak / Firebox X Peak e-Series
Appliance Software versions: Fireware 8.3 / Fireware Pro 8.3
Management Software versions: WatchGuard System Manager 8.3
Introduction
If the computers on your network use Microsoft Windows, it is important to have the most recent Windows updates for this operating system. It can be a problem for Firebox X Core or Peak users to get Windows updates through the Firebox if they use the HTTP proxy. If you used the Quick Setup Wizard to configure your Firebox and have not changed your basic configuration, the HTTP Proxy that is configured within the Outgoing proxy is active. Frequently, the HTTP proxy blocks the Windows update files from going through the Firebox to your Windows computers. The proxy can block the files for one or more of these reasons:
- The proxy can prevent your computer from sending information about itself to the Microsoft update server.
- The proxy can block cookies from the Windows update site.
- The proxy can block undefined body content types. Windows update servers identify the content they deliver to a computer as a generic binary stream (such as octet stream), which is blocked by default proxy rules.
Make sure the proxy action selected is for HTTP client connections. Click the Edit icon to open the proxy ruleset configuration.
The HTTP Proxy Action Configuration dialog box appears.
Expand the proxy ruleset category list and make all the changes shown below. When you make these changes, make sure that, if the ruleset offers an Advanced View, you use the Advanced View to make the changes. Use the Change View button to move between Simple View and Advanced View. Note that it is not always possible to go back to Simple View after you create rules in Advanced View. See the WSM User Guide, Proxies chapter for more information about configuring rules for proxies.
4 In the General Settings category, select the check box Allow range requests through unmodified.
5 In the HTTP Request category, select URL Paths. Make sure there is not a Deny rule for .exe files, .zip files, or .cab files. Each of these file types must be allowed. These files do not appear in a list by default. You must also make sure the URL Paths Default rule action is set to Allow.
If there is a deny rule for any of these file types, change the Action drop-down list for each rule to Allow.
6 In the HTTP Request category, select Header Fields. Make sure that the Referer rule is not enabled.
7 In the HTTP Response category, select Header Fields. Select the Default rule that appears at the bottom of the list and click Edit. From the Action drop-down list, select Allow and click OK.
8 In the HTTP Response category, select Content Types. Select the check box to the left of Allow (None) so that HTTP Responses that have no content type are allowed.
9 From the HTTP Response, Content Types Advanced View, click Add.
The New Content Rule dialog box appears.
10 Make sure all of these content types appear in the list as allowed content types. If any of these content types have not been added or allowed, enter them one at a time. Make sure the rule setting for each rule is set to Exact Match.
- application/octet-stream
- application/x-javascript
- application/x-msdownload
- multipart/byteranges
11 In the HTTP Response category, select Cookies and click Change View. Make sure the default is set to Allow.
12 In the HTTP Response category, select Body Content Types. Change Zip Archive, Windows EXE/DLL, and CAB archive to Allow.
If you use the Gateway AntiVirus/IPS service, you can set the action to take for each of these rules to AV Scan, instead of Allow.
13 Click OK to close all proxy dialog boxes.
14 Save your changes to the Firebox.
For example, you will type: nslookup windowsupdate.microsoft.com to get the IP address for the domain windowsupdate.microsoft.com.
In Policy Manager, you must create an HTTP packet filter or proxy policy that allows traffic from Any Trusted to the IP addresses of the Windows Update servers. You can add the IP addresses you found when you used nslookup as described above. Or, you can have Policy Manager do the domain name lookup for you by selecting Host Name (perform Lookup) from the Choose Type drop-down list when you configure the To parameters of the policy. Remember to update the packet filter with new IP addresses at least one time each month.
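The monthly address refresh described above can be checked with a short script. This is an added example, not part of the WatchGuard document: the function names are hypothetical, and the policy addresses in the sample run are constructed from the 192.0.2.0/24 documentation range.

```python
import socket

# Hostname taken from the page; extend the list with the update hosts you allow.
UPDATE_HOSTS = ["windowsupdate.microsoft.com"]


def resolve_ipv4(hostname, getaddrinfo=socket.getaddrinfo):
    """Return the set of IPv4 addresses a hostname currently resolves to."""
    try:
        infos = getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # lookup failed: report it, do not treat entries as gone
    return {info[4][0] for info in infos}


def policy_drift(policy_ips, hosts=UPDATE_HOSTS, getaddrinfo=socket.getaddrinfo):
    """Compare the addresses in the policy's To list with current DNS answers.

    Returns (to_add, stale, unresolved):
      to_add     - addresses DNS returns that the policy does not allow yet
      stale      - policy addresses no listed host resolves to any more;
                   review them, since a leftover entry keeps outbound HTTP
                   open to an address that may no longer be an update server
      unresolved - hosts whose lookup returned nothing
    """
    current, unresolved = set(), []
    for host in hosts:
        ips = resolve_ipv4(host, getaddrinfo)
        if ips:
            current |= ips
        else:
            unresolved.append(host)
    policy = set(policy_ips)
    # If any lookup failed the picture is incomplete, so report nothing as stale.
    stale = sorted(policy - current) if not unresolved else []
    return sorted(current - policy), stale, unresolved


if __name__ == "__main__":
    # Constructed sample standing in for the addresses entered in Policy Manager.
    to_add, stale, unresolved = policy_drift(["192.0.2.10", "192.0.2.11"])
    print("add to policy:   ", to_add)
    print("review as stale: ", stale)
    print("lookup failed:   ", unresolved)
```

DNS answers for update hosts can differ between lookups, so run the check from a computer behind the Firebox and compare several runs before removing an address from the policy.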
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
COPYRIGHT 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.