Using Policy-based Routing
Novell Cool Solutions: Tip
By Christian Schwarz
Posted: 17 Nov 2005
A reader asked the following question:
"While testing policy-based routing, I realized that if I enforce the use of the HTTP proxy (transparent), and I set up a policy stating that port 80 must flow through any other gateway (having multiple ISPs), the traffic always goes out through the public interface of the box regardless of the policy.
In other words, I would like to use the content engine to prohibit certain sites but route HTTP traffic through another point in the network that is NOT the public address of the box. Is there any workaround to make that happen?"
Here's the solution suggested by Christian Schwarz:
You can employ policy-based routing together with the HTTP, SMTP and POP3 proxies in NSM version 6.001 and later.
What is the benefit of policy-based routing? When your company has two different connections to the Internet, e.g., a dedicated line with unlimited traffic and a DSL line with a traffic limitation, you can split your traffic. For example, you can route all HTTP traffic over the dedicated line (normally the biggest percentage of your traffic) and route the other traffic (SMTP, POP3, etc.) over DSL.
Configuring Policy-based Routing
The following step-by-step instructions describe the configuration of policy-based routing while the proxy functionality is in use at the same time.
1. Create your secondary Internet access, e.g., DSL, via a line established by a router in front of NSM.
2. Create the gateway IP as a host definition.
3. In NSM, access Webadmin -> Network -> Routing -> Policy-based Routing. Here's a sample for the HTTP configuration:
Source: External Address (the one the default gateway is on)
Source Interface: Any
Destination: Any
Service: HTTP
Target: Gateway IP of your secondary interface (the interface itself may have no gateway configured, because only one default gateway can be defined; use the host definition from step 2), or the PPPoE interface address
4. Define an SNAT rule to replace the internal IPs with the address of the new target interface:
Webadmin -> Network -> NAT/Masquerading
Source: external address of the primary line
Destination: any
Service: http
Change source to: external address of the secondary interface
In the same manner you can create policy-based routing for SMTP or POP3; only the service in the definitions must be changed.
Example of DSL Routing
Here is an example that routes HTTP Proxy Traffic through a DSL connection:
PBR:
Source: External Address (22.214.171.124)
Source Interface: Any
Destination: Any
Service: HTTP
Target: Your second Gateway (192.168.200.253)

SNAT-Rule:
Source: External Address (126.96.36.199)
Destination: Any
Service: HTTP
Change Source to: Internal address (192.168.200.254)
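As an added illustration (not part of the tip and not Novell's code), the following Python checks a PBR/SNAT pair for the mistakes that make the proxy traffic keep leaving via the primary line, and prints the equivalent iproute2/iptables commands. The fwmark-based implementation, the interface name "eth2", the table and mark numbers, and the documentation-range primary address 203.0.113.10 are assumptions; the 192.168.200.x values follow the DSL example above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PbrRule:
    """Webadmin 'Policy-based Routing' entry: Source / Service / Target."""
    source: str    # proxy traffic leaves with the primary external address
    dport: int     # service, e.g. 80 for HTTP
    gateway: str   # gateway IP of the secondary (DSL) router

@dataclass(frozen=True)
class SnatRule:
    """Webadmin 'NAT/Masquerading' entry: Source / Service / Change source to."""
    source: str
    dport: int
    change_source_to: str  # NSM's own address on the secondary interface

def check_rules(pbr: PbrRule, snat: SnatRule, secondary_net: str) -> list:
    """Return reasons this PBR/SNAT pair would not work; [] means consistent."""
    net = ipaddress.ip_network(secondary_net)
    problems = []
    if snat.source != pbr.source:
        problems.append("SNAT source must equal the PBR source (the primary external address)")
    if snat.dport != pbr.dport:
        problems.append("SNAT and PBR must select the same service")
    if ipaddress.ip_address(pbr.gateway) not in net:
        problems.append(f"gateway {pbr.gateway} is not on {secondary_net}")
    if ipaddress.ip_address(snat.change_source_to) not in net:
        problems.append(f"new source {snat.change_source_to} is not on {secondary_net}")
    if snat.change_source_to == pbr.gateway:
        problems.append("new source must be NSM's address, not the router's")
    return problems

def linux_equivalent(pbr: PbrRule, snat: SnatRule, iface: str, table=100, mark=1) -> list:
    """Equivalent commands, assuming fwmark-based policy routing (an assumption)."""
    return [
        # secondary table whose only default route points at the DSL router
        f"ip route add default via {pbr.gateway} dev {iface} table {table}",
        # mark locally generated proxy packets; the kernel re-routes after mangle OUTPUT
        f"iptables -t mangle -A OUTPUT -s {pbr.source} -p tcp --dport {pbr.dport} -j MARK --set-mark {mark}",
        f"ip rule add fwmark {mark} lookup {table}",
        # step 4: rewrite the source so replies come back over the secondary link
        f"iptables -t nat -A POSTROUTING -o {iface} -s {snat.source} -p tcp --dport {snat.dport} -j SNAT --to-source {snat.change_source_to}",
    ]

# Constructed values following the tip's DSL example (203.0.113.10 is a placeholder).
EXT = "203.0.113.10"
PBR = PbrRule(source=EXT, dport=80, gateway="192.168.200.253")
SNAT = SnatRule(source=EXT, dport=80, change_source_to="192.168.200.254")

if __name__ == "__main__":
    print(check_rules(PBR, SNAT, "192.168.200.0/24") or "rules consistent")
    print("\n".join(linux_equivalent(PBR, SNAT, "eth2")))
```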
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com