Dear all,
the following is true both for M365 OCS or a parent proxy: The same source IP (Proxy) connects to the same destination IP (M365 or parent proxy) to the same destination port (443 or 8080). So if the proxy starts a new TCP connection the source port must be different. As per default only the top 16k ports are used by ProxySG, only 16k connections to the parent proxy or the same OCS can be established. To increase this number you have two options:
1. Use more source ports:
tcp-ip inet-lowport 1024
2. Use more source IPs.
For the latter you could configure more virtual IPs in ProxySG and define in the policy what source IP to use using "reflect IP".
The more flexible way to use different source IPs is to just configure several IPs on the external interface itself (and not as virtual IP). The proxy will use these by its own discretion while setting up new connections.
So if you are using a parent proxy configure several IPs on the internal proxy.
If you are using MS365 or similar services where all your users connect to the same destination and you have many concurrent users, use several IPs on your external proxy or NAT device.
Best regards, Matthias
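A monitoring check for the condition Matthias describes, added here as an example and not code from the thread or from ProxySG: it groups established connections by (source IP, destination IP, destination port), counts the distinct source ports each tuple consumes, and compares that against the usable port range, plus a helper that computes how many source IPs a given peak load to one destination needs. The input lines are constructed in an "ss -tn"-like layout; the warning ratio and the port range values are assumptions.

```python
from collections import defaultdict

# Constructed sample in an "ss -tn"-like layout: state, recv-q, send-q, local, peer.
SAMPLE_CONNS = """\
ESTAB 0 0 10.0.0.5:49152 203.0.113.10:443
ESTAB 0 0 10.0.0.5:49153 203.0.113.10:443
ESTAB 0 0 10.0.0.5:49154 203.0.113.10:443
ESTAB 0 0 10.0.0.5:49155 203.0.113.10:443
ESTAB 0 0 10.0.0.6:49152 203.0.113.10:443
ESTAB 0 0 10.0.0.5:49160 198.51.100.7:8080
"""

def usable_ports(low_port: int, high_port: int = 65535) -> int:
    """Source ports available per (src IP, dst IP, dst port) tuple.
    ProxySG's default range starts at 49152 (16384 ports); lowering
    inet-lowport to 1024 gives 64512."""
    return high_port - low_port + 1

def source_ips_needed(peak_conns: int, low_port: int, high_port: int = 65535) -> int:
    """Source IPs required so peak_conns to one destination fit in the range."""
    return -(-peak_conns // usable_ports(low_port, high_port))  # ceiling division

def parse_conns(text: str):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each ESTAB line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        src_ip, src_port = parts[3].rsplit(":", 1)  # rsplit keeps [v6]:port intact
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        yield src_ip, int(src_port), dst_ip, int(dst_port)

def port_usage(text: str, low_port: int, high_port: int = 65535, warn_ratio: float = 0.8):
    """Map each (src_ip, dst_ip, dst_port) tuple to (used, capacity, warn).
    warn is True once used source ports reach warn_ratio of the capacity."""
    used = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in parse_conns(text):
        used[(src_ip, dst_ip, dst_port)].add(src_port)
    cap = usable_ports(low_port, high_port)
    return {k: (len(v), cap, len(v) >= warn_ratio * cap) for k, v in used.items()}

if __name__ == "__main__":
    # Artificially small range (assumed) so the constructed sample trips the warning.
    for tup, (used, cap, warn) in port_usage(SAMPLE_CONNS, low_port=65531).items():
        print(tup, f"{used}/{cap}", "WARN" if warn else "ok")
```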
Original Message:
Sent: 11-22-2021 07:53 AM
From: Pablo Prosto
Subject: ProxySG and Upstream Proxy: how to avoid port exhaustion?
Thank you Paul
Original Message:
Sent: 11-22-2021 04:03 AM
From: Paul Riddington
Subject: ProxySG and Upstream Proxy: how to avoid port exhaustion?
The limits apply to the perimeter devices which make the actual connection to the MS OCSs and are controlling the egress addresses, so yes, this will also need to be set up on the upstream proxies and/or firewalls.
Paul
Original Message:
Sent: 11-21-2021 02:30 PM
From: Pablo Prosto
Subject: ProxySG and Upstream Proxy: how to avoid port exhaustion?
the upstream proxies don't retain the reflect IP addresses. The upstream proxies see all connections coming from outbound IP addresses of the downstream proxies. I'm not in control of the upstream proxies. There is a firewall between the last upstream proxy and the internet. If the upstream proxies have RFC 1918 outbound IP addresses then there must be some kind of NAT on the firewall. If the upstream proxies have public outbound IP addresses then the traffic is routed through the firewall, I assume.
Asking differently, will Office 365 work on scale via a proxy chain? Are the same limits (described in the pdf article) applied to all L4+ devices on the route to Office 365?
Original Message:
Sent: 11-21-2021 12:48 PM
From: Paul Riddington
Subject: ProxySG and Upstream Proxy: how to avoid port exhaustion?
It depends what you are doing on the upstream proxies. If you are retaining the reflect IP addresses from the downstream proxies for the outbound connections and there is no other NAT, then you only need do this on the downstream ones.
Regards
Paul Riddington
Original Message:
Sent: 11-21-2021 07:17 AM
From: Pablo Prosto
Subject: ProxySG and Upstream Proxy: how to avoid port exhaustion?
this best practices paper (https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/OnPrem-0365-PDF.pdf) provides a solution for the port exhaustion problem by creating a pool of outbound IPs and recommends adding an IP/VIP for every ~2000 clients.
Will this workaround work in an environment with an upstream proxy, or do the upstream proxy(s) have to implement the same solution as well?