June 22, 2010
If iPrism has not yet been configured in software and you simply want to enable Bridge (transparent) mode operation, see the 2nd screen shot below.
If iPrism has been configured in Proxy mode (typically for testing and evaluation purposes) and you wish to switch to Bridge (transparent) mode (for further evaluation or operational use), then consider the following:
It is recommended that configuration changes in support of Bridge (transparent) mode be made before physically moving iPrism to another locale (network). The idea is to re-configure prior to shutting down and moving the appliance. Moving iPrism before re-configuring could result in loss of connectivity due to incorrect IP address assignments carried into the new locale, slowing down your ability to re-configure and deploy. See:
How do I correctly power-off an iPrism?
Bridge mode installation supports both Bridge (transparent) mode & Proxy mode traffic. Bridge (transparent) mode is intended to primarily support Bridge (transparent) mode traffic management like Kernel-Level filtering, but will happily support Proxy mode traffic as well. In fact, using Transparent and Proxy simultaneously solves specific issues (see link below). Note that users configured to proxy directly to iPrism will still be using Proxy mode traffic management until their browsers are re-configured to not proxy to iPrism; then they will be operating in Bridge (transparent) mode. In other words, these users are still using the authentication, auto-login, & profiling options specified on the proxy row of each network until they are "un-proxied". To learn more, see:
iPrism Mixed-Mode Traffic Filtering
Bridge (Transparent) Mode vs. Proxy Mode
When switching from proxy to bridge, assuming you will be re-configuring most if not all users to operate in Bridge (transparent) mode, you will need to ensure your defined networks have appropriate authentication, auto-login, & profiling options set. These settings may be the same, similar, or different from existing proxy mode settings depending on the nature of the existing setup, and what goals you are trying to achieve.
Note that Bridge (transparent) mode requires a correct outward pointing Default-Route (using External interface) and correct inward pointing Static-Route(s) (using Internal interface) to avoid "routing loops" and to provide efficient traffic handling. The diagram depicts correct configuration. Common mistakes include:
Setting an inward pointing Default-Route creating a deadly embrace with an internal core router (routing loop)
Not configuring Static-Routes, resulting in failed web page display for clients outside the iPrism subnet. For example, lack of Static-Routes prevents iPrism from sending "block" pages to clients.
For more explanation on routing loops, see Routing Tips for Bridge (transparent) mode
Note that if iPrism will be physically moved to a new location (i.e., new network or subnet), you will likely need to re-configure the Internal Interface IP address (circled in screen shot below). The Default Route (circled in screen shot below) will probably need to be changed as well. For example, if your default route is an internal router and you move iPrism just in front of the perimeter Router/Firewall on the way to the Internet, you need to set the default route to the IP address of the perimeter Router/Firewall. This ensures outbound Internet requests get to the Internet as intended.
Additionally, since you are now "in-line", you need to configure one or more Static Routes (to reach internal subnets) using the Advanced button (circled in screen shot below) so iPrism knows where to send inbound traffic. Note that the Default-Route/External Interface is for outbound Internet traffic, and that the Static-Route/Internal Interface is for return inbound traffic as well as traffic originating from iPrism, such as "block notifications" for users. For example, without at least one valid Static Route, iPrism will send "block notifications" to the Default Route, so the user never sees the notification! Adding a Static Route may be as simple as entering the IP address of the core router connected to the Internal Interface, but it depends on network topology. See:
How do I add Subnet Static-Routes for Bridge (transparent) mode?
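The two routing mistakes described above can be checked against a planned configuration before the appliance is moved. The following is an added example, not iPrism code or part of the original article: all addresses are constructed, and the names `audit`, `next_hop` and `core_routers` are hypothetical.

```python
import ipaddress

def next_hop(client_ip, internal_if, default_gw, static_routes):
    """Hop used for appliance-originated traffic (e.g. a block page) to client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if ip in ipaddress.ip_interface(internal_if).network:
        return "on-link"                      # client shares the appliance subnet
    best = None                               # longest-prefix match over static routes
    for dest, gw in static_routes:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw    # no match: falls to the default route

def audit(internal_if, default_gw, static_routes, client_subnets, core_routers=()):
    """Return findings for the two common mistakes listed in the article."""
    findings = []
    local = ipaddress.ip_interface(internal_if).network
    # Gateways known to lead inward: declared core routers plus static-route hops.
    inward = set(core_routers) | {gw for _, gw in static_routes}
    if default_gw in inward:
        findings.append(f"default route {default_gw} points inward: routing loop risk")
    routed = [ipaddress.ip_network(d) for d, _ in static_routes]
    for subnet in client_subnets:
        net = ipaddress.ip_network(subnet)
        if net.subnet_of(local) or any(net.subnet_of(r) for r in routed):
            continue                          # on-link or covered by a static route
        findings.append(f"{subnet}: no static route, block pages go to {default_gw}")
    return findings

# Constructed sample plan (all addresses are illustrative assumptions).
INTERNAL_IF = "192.168.1.10/24"
FIREWALL, CORE = "192.168.1.1", "192.168.1.254"
CLIENTS = ["192.168.1.0/24", "10.10.0.0/16", "10.20.0.0/16"]
GOOD_ROUTES = [("10.0.0.0/8", CORE)]          # covers every internal client subnet
PARTIAL_ROUTES = [("10.10.0.0/16", CORE)]     # 10.20.0.0/16 is left uncovered

if __name__ == "__main__":
    plans = [("good", FIREWALL, GOOD_ROUTES), ("bad", CORE, PARTIAL_ROUTES)]
    for name, gw, routes in plans:
        print(name, audit(INTERNAL_IF, gw, routes, CLIENTS, core_routers=[CORE]))
    # A block page for an uncovered client leaves via the default route.
    print(next_hop("10.20.5.5", INTERNAL_IF, FIREWALL, PARTIAL_ROUTES))
```
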
To enable Bridge (transparent) mode, go to Appliance Manager > System Configuration > System > Networking > External Interface (highlighted below):
Check Bridge (shown below)
Make sure Mode is auto detect (shown below)
If you are physically moving iPrism, you may now perform a shutdown/power off, move to the new location, connect the Internal and External Interface cables, and boot up iPrism.
How do I correctly power off an iPrism?
Browse to an allowed site to prove Internet access. Browse to a blocked site to prove filtering. Continue to test web filtering for configured networks and make configuration changes as needed. Ensure user web sessions are being terminated appropriately. See:
How do I Terminate Web Sessions?
Add all Networks to be filtered, including assigned Profiles (filtering/reporting/real-time monitoring by IP address).
Configure needed Proxy mode and Bridge (transparent) mode Authentication methods for all networks.
Assign existing or new Profiles to User Groups (filtering/reporting/real-time monitoring by Username).
If you will be moving iPrism to a new network, set the new Internal Interface IP address and new Default-Route to the Internet Gateway device to support outbound URL requests.
Add one or more Static-Routes to the internal core routing device to support inbound traffic. You may now enable Bridge (transparent) mode.
Shut down/Power off iPrism and physically relocate for Bridge (transparent) mode operation if necessary.
Connect the Internal Interface to an appropriate internal core router. Connect the External Interface to the Internet Gateway device (outbound firewall/router).
Power up iPrism. Browse to an allowed site to verify Internet access. Browse to a blocked site to verify Internet filtering is working properly. Continue to test Internet filtering for configured networks and make configuration changes as needed.
Configure Session Timeout options to ensure accurate profiling.
"Un-proxy" any proxied users who should now use Bridge (transparent) mode.