ProxySG & Advanced Secure Gateway

 View Only

  • 1.  Does UDP support explicit mode or transparent mode.

    Posted Dec 16, 2022 03:10 AM
    Hello Team,

    Does UDP support explicit mode or transparent mode ?

    As per the release note UDP support/features IN SGOS 7.3.2.X and later.

    Can you suggest if its support Explicit/Transparent mode.

    Best regards,
    Shalivahan


  • 2.  RE: Does UDP support explicit mode or transparent mode.

    Broadcom Employee
    Posted Dec 19, 2022 09:03 AM

    Hi Shalivahan,

    UDP can only support transparent mode.      We are not aware of what application is using UDP so there is no way for the ultimate destination to be communicated, other than the destination address on arriving packets. As a result we transparently forward that traffic upstream.

    Thanks,

    David



    ------------------------------
    Sr. Director, ProxySG and SWG Engineering
    ------------------------------

    Original Message


  • 3.  RE: Does UDP support explicit mode or transparent mode.

    Posted Dec 21, 2022 03:36 AM
    Hello David,

    Appreciate your insightful comments.

    Thanks a Lot !
    Original Message


  • 4.  RE: Does UDP support explicit mode or transparent mode.

    Posted Feb 08, 2023 06:04 PM
    Hello David

    Lets assume, Teams traffic going through Proxy SG (not configured to by pass) and it is configured as explicit mode.
    So in that case, since teams is using UDP packets to optimize the communication, does proxy SG drop all these packets ??
    Original Message


  • 5.  RE: Does UDP support explicit mode or transparent mode.

    Broadcom Employee
    Posted Feb 09, 2023 09:12 AM
    Edited by David Stott Feb 09, 2023 09:15 AM

    Hi Fernando,

    Great question!

    The short answer is yes, UDP packets for proxied traffic that are sent directly to the ProxySG will be dropped. (The only exception for this is DNS where we do support a DNS proxy service).
    When packets arrive the ProxySG needs to decide how they should be handled.  ProxySG maintains a list of proxy and management listeners; the action taken with incoming packets is based on matches for any of these listeners. UDP-tunnel proxy services currently only support matching packets that arrive transparently (i.e. not addressed to a ProxySG IP address, which would be explicit).
    This means that all UDP packets arriving which are addressed to a ProxyG explicit address will match the "Default UDP" rule. The action taken when packets arrive for the default UDP service can be configured as 'drop', 'reject', or 'bypass'. Drop and reject clearly prevent the packet from proceeding. In the case this is set to 'bypass' the ProxySG will attempt to either IP forward or bridge any explicit UDP packets that arrive. In explicit mode because the packet is addressed to the ProxySG itself these packets cannot be forwarded or bridged and are dropped.

    There are some corner cases that walk along this use case.  I hope this helps - please feel free to reach out to Support if you have an inquiry related to your own environment.

    David


    ------------------------------
    Sr. Director, ProxySG and SWG Engineering
    ------------------------------

    Original Message


  • 6.  RE: Does UDP support explicit mode or transparent mode.

    Posted Feb 13, 2023 10:44 AM

    Dear David

    Thank you very much for the reply.

    It cleared all my doubts. Well appreciate.


    Original Message