ProxySG & Advanced Secure Gateway

  • 1.  ProxySG and Upstream Proxy: how to avoid port exhaustion?

    Posted Nov 21, 2021 07:18 AM
    This best practices paper (https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/OnPrem-0365-PDF.pdf) provides a solution for the port exhaustion problem by creating a pool of outbound IPs and recommends adding an IP/VIP for every ~2000 clients.

    Will this workaround work in an environment with an upstream proxy, or do the upstream proxy(s) have to implement the same solution as well?


  • 2.  RE: ProxySG and Upstream Proxy: how to avoid port exhaustion?

    Posted Nov 21, 2021 12:48 PM
    It depends on what you are doing on the upstream proxies. If you are retaining the reflect IP addresses from the downstream proxies for the outbound connections and there is no other NAT, then you only need to do this on the downstream ones.

    Regards
    Paul Riddington


  • 3.  RE: ProxySG and Upstream Proxy: how to avoid port exhaustion?

    Posted Nov 21, 2021 02:31 PM
    The upstream proxies don't retain the reflect IP addresses. The upstream proxies see all connections coming from the outbound IP addresses of the downstream proxies. I'm not in control of the upstream proxies. There is a firewall between the last upstream proxy and the internet. If the upstream proxies have RFC 1918 outbound IP addresses then there must be some kind of NAT on the firewall. If the upstream proxies have public outbound IP addresses then the traffic is routed through the firewall, I assume.

    Asking differently, will Office 365 work on scale via a proxy chain? Are the same limits (described in the pdf article) applied to all L4+ devices on the route to Office 365?


  • 4.  RE: ProxySG and Upstream Proxy: how to avoid port exhaustion?
    Best Answer

    Posted Nov 22, 2021 04:03 AM
    The limits apply to the perimeter devices which make the actual connection to the MS OCSs and are controlling the egress addresses, so yes, this will also need to be set up on the upstream proxies and/or firewalls.

    Paul


  • 5.  RE: ProxySG and Upstream Proxy: how to avoid port exhaustion?

    Posted Nov 22, 2021 07:53 AM
    Thank you Paul


  • 6.  RE: ProxySG and Upstream Proxy: how to avoid port exhaustion?

    Posted Nov 23, 2021 02:31 AM
    Dear all,

    the following is true both for M365 OCS and for a parent proxy: the same source IP (proxy) connects to the same destination IP (M365 or parent proxy) on the same destination port (443 or 8080). So if the proxy starts a new TCP connection, the source port must be different. Since by default only the top 16k ports are used by ProxySG, only 16k connections to the parent proxy or to the same OCS can be established. To increase this number you have two options:

    1. Use more source ports: tcp-ip inet-lowport 1024
    2. Use more source IPs.

    For the latter you could configure more virtual IPs in ProxySG and define in the policy which source IP to use with "reflect IP".
    The more flexible way to use different source IPs is to just configure several IPs on the external interface itself (and not as virtual IPs). The proxy will use these at its own discretion while setting up new connections.


    So if you are using a parent proxy, configure several IPs on the internal proxy.
    If you are using MS365 or similar services where all your users connect to the same destination and you have many concurrent users, use several IPs on your external proxy or NAT device.


    Best regards, Matthias
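The capacity reasoning in the post above, as an added model that is not code from this thread, from Broadcom or from ProxySG itself: it assumes the default "top 16k" source-port range is 49152..65535, treats each hop's ceiling toward one fixed destination as src_ips * usable_source_ports, and uses a constructed two-hop chain (downstream ProxySG, parent proxy) as sample input.

```python
"""Egress 4-tuple capacity along a proxy chain (added model, not from the thread).

A TCP connection is identified by (src_ip, src_port, dst_ip, dst_port). When a hop
sends everything to one fixed destination (a parent proxy on 8080, or a single
M365 OCS on 443), every concurrent connection needs a distinct (src_ip, src_port),
so that hop's ceiling is  src_ips * usable_source_ports. The ceiling applies at
every hop that opens its own outbound connections, which is the thread's point.
"""
import math
from dataclasses import dataclass

PORT_MAX = 65535
DEFAULT_LOW_PORT = 49152   # assumption: ProxySG's default "top 16k" = 49152..65535
TUNED_LOW_PORT = 1024      # 'tcp-ip inet-lowport 1024' from the thread


@dataclass(frozen=True)
class Hop:
    name: str
    src_ips: int                       # egress IPs usable toward the next hop
    low_port: int = DEFAULT_LOW_PORT   # lowest source port this hop will allocate

    def capacity(self) -> int:
        """Max concurrent connections from this hop to ONE dst_ip:dst_port."""
        return self.src_ips * (PORT_MAX - self.low_port + 1)


def ips_needed(concurrent: int, low_port: int = DEFAULT_LOW_PORT) -> int:
    """Egress IPs required to hold `concurrent` connections to one destination."""
    return math.ceil(concurrent / (PORT_MAX - low_port + 1))


def bottleneck(chain: list, concurrent: int) -> tuple:
    """Walk the chain client-side first; report the first hop whose ceiling is
    below the required count, else ('ok', smallest ceiling in the chain)."""
    for hop in chain:
        if hop.capacity() < concurrent:
            return hop.name, hop.capacity()
    return "ok", min(h.capacity() for h in chain)


if __name__ == "__main__":
    # Constructed sample: downstream ProxySG with 4 egress IPs, parent proxy with 1.
    chain = [Hop("downstream-proxysg", src_ips=4), Hop("parent-proxy", src_ips=1)]
    print(bottleneck(chain, concurrent=20_000))          # ('parent-proxy', 16384)
    fixed = [chain[0], Hop("parent-proxy", 1, TUNED_LOW_PORT)]
    print(bottleneck(fixed, concurrent=20_000))          # ('ok', 64512)
    print(ips_needed(20_000), ips_needed(20_000, TUNED_LOW_PORT))  # 2 1
```

The second run shows why the best answer holds: adding egress IPs on the downstream proxy alone leaves the parent proxy's single egress address as the limiting hop until its own port range or IP pool is widened.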