On 30/10/2016 4:40 a.m., paul.greene.va wrote:
>
> Our firewall guy says what he's seeing in his logs is that traffic destined for
> port 443, after it goes through the proxy, is trying to go straight to the
> vendor over the internet, rather than go through the upstream McAfee gateway as
> required, and thus, the traffic is getting dropped by the Cisco firewall. I did
> a packet capture test with the McAfee gateway guy, and he confirmed that no
> traffic coming from either the WSUS or the SEPM is reaching his gateway.
>
> I thought this line in the squid.conf file should send traffic from our proxy to
> the upstream McAfee gateway, but maybe I'm misunderstanding the intent of the
> cache_peer parent parameter.
>
> cache_peer <McAfee Gateway IP address> parent 8080 3130 proxy-only
> no-query no-netdb-exchange default login=username:password
>

cache_peer configures the *how* of traffic sent to that gateway. Which traffic
uses it is configured by other directives (cache_peer_access, always_direct,
never_direct, peer_direct, nonhierarchical_direct) and depends on the type of
traffic.

NP: the above also indicates the connection(s) are plain-text HTTP. If you are
using interception then HTTPS traffic cannot go through that link. Since HTTPS
requires end-to-end security, the cache_peer connection needs to use 'ssl'
options for intercepted port 443 to use it safely.

> (if placement of this cache_peer parameter matters, it's currently near the end
> of the squid.conf file)
>
> As a test, I configured Internet Explorer on the WSUS server to use the proxy
> for internet access. Without configuring for the proxy, IE can't go anywhere
> except the local network. IE can hit http websites (i.e. www.cnn.com) when it's
> configured to use the proxy, but not https websites.
>
> The Safe_ports and SSL_ports list is the same as the squid.conf defaults.
>
> This is squid 3.3 running on Redhat 7.
>
> Any suggestions or pointers?

Assuming you are using explicit/forward proxy, add this to your squid.conf:

  never_direct allow all

If that doesn't work by itself you may need these as well:

  prefer_direct off
  nonhierarchical_direct off

You should not have any existing lines with those directives or with
always_direct. If you do, the placement might matter.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
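One proxy-side check for the symptom described in this thread (port 443 leaving the proxy directly while port 80 goes via the parent), as an added example that is not from the thread or from Squid itself. It assumes Squid's default native access.log format and reports entries whose hierarchy code is HIER_DIRECT, meaning Squid went to the origin instead of the cache_peer; the log lines below are constructed, with placeholder hosts and TEST-NET addresses.

```python
import re
from collections import Counter
# Squid native access.log layout (assumed default logformat):
#   time elapsed client code/status bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)\s*$")

# Constructed sample lines; hosts and addresses are placeholders (TEST-NET ranges).
SAMPLE_LOG = """\
1477800001.101 120 10.10.1.5 TCP_MISS/200 5120 GET http://www.cnn.com/ - FIRSTUP_PARENT/192.0.2.10 text/html
1477800002.202 3000 10.10.1.5 TCP_TUNNEL/200 0 CONNECT wsus-upstream.example.net:443 - HIER_DIRECT/203.0.113.20 -
1477800003.303 15 10.10.1.7 TCP_TUNNEL/200 0 CONNECT sepm-liveupdate.example.net:443 - HIER_DIRECT/203.0.113.21 -
1477800004.404 900 10.10.1.7 TCP_MISS/200 2048 GET http://example.com/x - DEFAULT_PARENT/192.0.2.10 text/plain
1477800005.505 2 10.10.1.7 TCP_DENIED/403 3400 CONNECT bad.example.net:8443 - HIER_NONE/- text/html
"""

def parse_line(line):
    # One parsed access.log entry as a dict, or None for lines in another format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def dest_port(entry):
    # CONNECT carries host:port; for plain URLs take the explicit port or the scheme default.
    if entry["method"] == "CONNECT":
        port = entry["url"].rpartition(":")[2]
        return int(port) if port.isdigit() else 443
    m = re.match(r"^(https?)://[^/:]+(?::(\d+))?", entry["url"])
    if not m:
        return None
    return int(m.group(2)) if m.group(2) else (443 if m.group(1) == "https" else 80)

def direct_bypasses(lines):
    # Requests Squid sent straight to the origin (HIER_DIRECT). *_PARENT codes mean the
    # cache_peer was used; HIER_NONE is a denied/error response, not a bypass.
    out = []
    for e in filter(None, map(parse_line, lines)):
        if e["hier"] == "HIER_DIRECT":
            out.append((e["client"], e["method"], e["url"], dest_port(e), e["peer"]))
    return out

def routing_summary(lines):
    # Requests counted by (destination port, hierarchy code): shows at a glance
    # whether port 443 is going DIRECT while port 80 goes via the parent.
    c = Counter()
    for e in filter(None, map(parse_line, lines)):
        c[(dest_port(e), e["hier"])] += 1
    return c
```

Run it over the real access.log after applying never_direct: if the port-443 CONNECT entries still show HIER_DIRECT, the ACL change has not taken effect (or an always_direct rule elsewhere in squid.conf is overriding it).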