iPrism Knowledgebase June 22, 2010 IP0301.htm
This article discusses integrating iPrism with an existing web caching server. This is often referred to as "Slaving iPrism" to a "Parent Proxy" or "Upstream Proxy", typically for performance benefits.
Note: Terminology confusion can arise when hearing the terms "Slaving iPrism" (integrating with an upstream proxy) and "Slaved iPrisms" (iPrisms that get configuration data from a single "Master" iPrism in a Central Management configuration). If you are interested in managing multiple iPrism units, rather than integrating with an upstream proxy, see How do I use Central Management?
Integration with an Upstream or Parent Proxy can be supported using Bridge (transparent) mode or Proxy mode. However, there are differences in iPrism configuration requirements, client configuration requirements, and session management that must be taken into consideration. There are 3 possible topologies:
Proxy mode iPrism (Figure 1, supports Proxy traffic only)
Bridge (transparent) mode iPrism with an In-Line Parent Proxy (Figure 2, supports Transparent or Proxy traffic)
Bridge (transparent) mode iPrism with a Standalone Parent Proxy (Figure 3, supports Proxy traffic only)
Before committing to Proxy mode or Bridge (transparent) mode, please review the Pre-Configuration Tips below.
Topology 1 depicts a standalone iPrism (2) and Parent Proxy (3) environment.
Figure 1: Proxy mode iPrism with standalone Parent Proxy
Workstations (1) are typically configured to proxy directly to the upstream proxy server (e.g., on port 8080). The HTTP traffic (regardless of port) bound for the Parent Proxy will be seen by iPrism due to its in-line placement. This traffic will be seen as Bridge (transparent) mode traffic, not Proxy traffic. This may affect session management; refer to the following articles for more information:
How do I Terminate Web Sessions?
How do I set Session Timeouts?
iPrism will see Proxy mode traffic (implying proxy mode session management) if you reconfigure client browsers to proxy to iPrism (default port 3128) rather than the Parent Proxy (port 8080 in our example).
iPrism filters Transparent or Proxy traffic. "Allowed" Transparent traffic gets to the Parent Proxy by virtue of the in-line installation of iPrism and Parent Proxy. The Parent Proxy receives requests from iPrism, performs its caching and/or proxy function, and sends retrieved data back to iPrism, which forwards it to the user.
Topology 2 depicts a Parent/Upstream Proxy server (3) in-line with iPrism (2). In this topology, the Parent/Upstream Proxy server acts as both a firewall and a proxy/cache server.
Figure 2: Bridge (transparent) mode iPrism with in-line parent proxy
Workstations (1) are typically configured to proxy directly to the Upstream Proxy server (e.g., on port 8080). The HTTP traffic (regardless of port) bound for the Parent Proxy will be seen by iPrism due to its in-line placement. This traffic will be seen as Bridge (transparent) mode traffic, not Proxy traffic. This may affect session management; refer to the following articles for more information:
How do I Terminate Web Sessions?
How do I set Session Timeouts?
iPrism will see Proxy mode traffic (implying proxy mode session management) if you reconfigure client browsers to proxy to iPrism (default port 3128) rather than the Parent Proxy (port 8080 in our example).
iPrism filters Transparent or Proxy traffic. "Allowed" Transparent traffic gets to the Parent Proxy by virtue of the in-line installation of iPrism and Parent Proxy. The Parent Proxy receives requests from iPrism, performs its caching and/or proxy function, and sends retrieved data back to iPrism, which forwards it to the user.
Topology 3 depicts an in-line iPrism (2) in bridge mode with a standalone Parent Proxy (3).
In this topology, there are two requirements:
Clients need to proxy to iPrism.
iPrism will be "slaving" to the standalone Parent Proxy (see Slaving to the Parent Proxy below).
These are the same actions as when configuring an iPrism in proxy mode. Any "Non-In-Line" configuration requires that clients proxy to iPrism for filtering, and requires that iPrism is "slaving" to the Parent Proxy for cache hits and Internet access. It doesn't matter if the iPrism is standalone, or if the Parent Proxy is standalone, or if they are both standalone.

Figure 3: Bridge (transparent) mode iPrism with standalone Parent Proxy
Before committing to Proxy mode or Bridge (transparent) mode, please review the following:
Winsocks/Proxy Client — Because the connection between a Winsocks client and the proxy server session is encrypted, iPrism is unable to filter or forward this type of traffic.
Parent Proxy Logs/Reports — When clients proxy to iPrism first, the Parent Proxy will see all web requests originating from iPrism's IP address, and produce reports accordingly.
Authentication — Because of the traffic flow between iPrism and the Parent Proxy, you will need to either disable authentication or make an authentication exception on the Parent Proxy for iPrism.
An in-line iPrism (Bridge mode) processing Bridge (transparent) mode traffic (clients not proxying to iPrism) needs no configuration to see, filter, and forward traffic to an in-line Parent Proxy. The only requirement is that iPrism and the Parent Proxy be physically in-line with each other. Web requests to the Parent Proxy may as well be requests to an external web server as far as iPrism is concerned.
An in-line iPrism (Bridge mode) or standalone iPrism (Proxy mode) processing Proxy mode traffic (clients are proxying to iPrism) needs to "Slave To" the Parent Proxy so traffic is forwarded to the Parent Proxy on its port. To configure this:
Go to System > Proxy > Parent Proxy frame, and check Slave To.
Type the IP address or the Hostname (somedomain.com in the example below) of the Parent Proxy server. Note: It is best to use an IP address instead of a hostname, as a hostname will not work if DNS is disabled.
Check Disable DNS if you want to completely disable iPrism's DNS functionality. The only time you should disable DNS functionality is when iPrism is "slaved" to a Parent Proxy, since the Parent Proxy should then provide all DNS lookups.
Note: If iPrism is configured to send administrative alerts, internal logs and/or reports via email, it will need an SMTP server entry for email exchange. iPrism will send all locally generated email to this SMTP server without attempting to contact a DNS server for name resolution.
In the Port field, enter the port number for the Parent Proxy.
In Direct Connection To, enter any domains for which the Parent Proxy should not be used. Instead, iPrism will connect to these domains directly. This is usually reserved for Intranet domains.
Important: iPrism needs to be able to transfer Filter List database updates (nightly), as well as periodically retrieve system upgrades. If iPrism is behind a firewall (in this case the in-line Parent Proxy) where it cannot contact the Internet directly, you must configure iPrism to utilize an HTTP proxy server that is capable of connecting to the St. Bernard Software update servers. To support updates, in the 'Filter List / System Update Proxy' frame, select the Same as Parent Proxy radio button.
Note: You can enable and specify an upstream proxy to define anonymizer exceptions so that the upstream proxy server is not mistakenly detected as "Anonymizer".
Start the System Configuration tool.
Select the System section, then the Proxy tab.
In the iPrism Bridge Mode Configuration frame, check Enable Upstream Proxy and type the upstream proxy domain into the field.

Once the proxy server environment has been configured, it is advised that you test the configuration. Generate client web traffic and check whether iPrism blocks/allows web traffic per your access policy.
Reports generated via iPrism's reporting tool should display workstation traffic that has been filtered/passed via iPrism.
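A complementary check from the Parent Proxy side, for the non-in-line configurations where clients must proxy to iPrism: as noted under Parent Proxy Logs/Reports, every request should then arrive from iPrism's IP address, so any other client address in the Parent Proxy log is traffic that skipped filtering. The script below is an added example, not part of the original article or of iPrism; it assumes the Parent Proxy writes Squid's native access.log format, and the addresses and log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

IPRISM_IP = "10.0.0.2"  # assumed iPrism address, for illustration only

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1277200001.101     45 10.0.0.2 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1277200002.230     12 10.0.0.2 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1277200003.412     80 10.0.0.57 TCP_MISS/200 9000 GET http://example.org/ - DIRECT/192.0.2.20 text/html
1277200004.007     33 10.0.0.57 TCP_MISS/200 700 CONNECT example.net:443 - DIRECT/192.0.2.30 -
garbled line without enough fields
1277200005.900     20 10.0.0.91 TCP_DENIED/407 300 GET http://example.org/a - NONE/- text/html
"""


def find_bypassing_clients(log_text, filter_ip, exempt=()):
    """Tally Parent Proxy requests that did not come from the filter.

    Returns (served, denied, skipped): per-client Counters of requests the
    Parent Proxy served or refused, plus the number of unparseable lines.
    """
    allowed = {filter_ip, *exempt}
    served, denied, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        fields = line.split()
        try:
            client = str(ipaddress.ip_address(fields[2]))
            action = fields[3]
        except (IndexError, ValueError):
            skipped += 1  # truncated or garbled line
            continue
        if client in allowed:
            continue  # request was relayed by iPrism, so it was filtered
        # TCP_DENIED: the Parent Proxy refused the request itself
        bucket = denied if action.startswith("TCP_DENIED") else served
        bucket[client] += 1
    return served, denied, skipped


if __name__ == "__main__":
    served, denied, skipped = find_bypassing_clients(SAMPLE_LOG, IPRISM_IP)
    for ip, n in served.most_common():
        print(f"{ip}: {n} request(s) served without passing through iPrism")
    for ip, n in denied.most_common():
        print(f"{ip}: {n} direct request(s) refused by the Parent Proxy")
    print(f"{skipped} line(s) skipped")
```

The check does not apply to the in-line topology with transparent traffic, where workstations legitimately proxy straight to the Parent Proxy and iPrism filters the traffic in passing.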
Q: I have iPrism configured for an in-line proxy environment. I can browse the web, but iPrism is not filtering my web traffic.
A: You need to set up a filter exception for the Parent Proxy.
Q: I have iPrism configured for an in-line proxy environment. I can no longer access the Internet.
A: Check the following:
Check that your proxy/cache server is configured to allow iPrism's IP address to authenticate and/or connect.
Check that the proxy port iPrism is configured for in the "Parent Proxy" frame is the correct port for your Upstream Proxy server. Please review your proxy/cache server documentation to determine the default proxy port.
Q: I have iPrism configured for a standalone proxy environment. I can browse the web but iPrism is not filtering my web traffic.
A: Check that your workstations' browsers are configured to proxy to iPrism.
Q: I have iPrism configured for an in-line/standalone environment. iPrism is configured to send reports out via email but the emails never arrive.
A: Check that iPrism is configured to utilize an SMTP Relay. Verify the iPrism configuration has the valid SMTP relay server's IP address entered. See the following:
How do I specify an SMTP Relay (Email Server)?
Checking iPrism Email Destinations
Q: I installed iPrism in-line with my proxy server. I am unable to connect to any HTTPS site. 
A: iPrism needs to be configured to accept HTTPS traffic on the proxy port. Configure this as follows:
From the System section, select the Ports tab.
Under Proxy Mode, click Add.
In the Port field, type the proxy/cache server port number to which your workstations are currently configured to proxy. Click Ok.