WARNING - Most of the following is incorrect!
[Feb-2019] So it turns out that the below won't have the desired effect you want; it'll treat 3x Servers, each running a differing Service (1x SSH, 1x RDP and 1x SOCKS) act as if they are all able to serve all 3x Services, which means any given Service will need to be retried three timers, until it round-robins to the correct 1x Server running the <Service> you wanted to get to.
Don't use the Forwarding Group unless all Forwarding Hosts in that Group all run the same TCP Services, or you'll find 66% of your traffic disappears.
BlueCoat Advanced Secure Gateway
The BlueCoat ASG are a series of Proxy Appliances, sold by Symantec and commonly used for a combination of Proxy Types, such as:
- Forward Proxy
- HTTP/S Web Proxy to Internet
- SOCKS Proxy to Internet
- Reverse Proxy
- ActiveSync Proxy to Microsoft Exchange
- Oracle OAM Proxy to Oracle Authentication
Once you get past the fact that the Admin Panel runs Java (eww), they aren't bad boxes to configure and use; but if you're coming at these from a Networking background, be warned - everything is split-out into a different section, and not much is where you'd expect it to be.
My Scenario was using the Virtual IP (VIP) functionality, to offload some Reverse Proxy functionality to a downstream Appliance; which sits behind the BlueCoat to allow it to (in future) perform some DPI and other bits and pieces. I needed to create one VIP Address, but have it forward three TCP Ports/Services:
- SOCKS (Running on TCP/80)
- SSH (TCP/22)
- RDP (TCP/3389)
The Proxy VIP (BlueCoat VIP) is 10.99.99.99.
The Downstream Proxy Real IP (BlueCoat Forwards/NATs to) is 10.98.1.2.
Coming from a Networking background, my mind went to NAT, VIPs and Load Balancer Groups; but BlueCoat doesn't play ball that way.
Elements to Configure
The following sections of the Admin Panel/BlueCoat Configuration need to be modified to achieve this:
- Proxy Services
- Forwarding Hosts
- Forwarding Host Groups
- Visual Policy Manager (Forwarding Layer)
So let's crack on.
- From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Services -> Proxy Services
- Add your "Custom Service Groups" (mine is called "CustomGroup")
- Add your SOCKS/SSH/RDP Service Group elements, under the "Custom Service Groups" section
- Set these to "Intercept", and Source to "All" (or specific Downstream User Subnets, which should be able to access the VIP)
- Click "Apply" (bottom-right) when done
- From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Forwarding-> Forwarding Hosts
- Add your "Forwarding Hosts", one per TCP Service you want to listen to (I have three)
- Within each Forwarding Host, set the "Type" to "Server", and specify the relevant "TCP:" port you want to use
- Click "Apply" (bottom-right) when done
Forwarding Hosts Groups
- From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Forwarding-> Forwarding Hosts -> Forwarding Groups
- Define a custom Group Alias (mine is "Custom-Group") to use as the Group container for the three Forwarding Hosts you input
- Add your Custom Hosts to the Custom Group:
Visual Policy Manager (Forwarding Layer)
- From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Policy -> Visual Policy Manager -> Launch
- Within "Forwarding Layer", add an entry using your VIP Address (10.99.99.99), with a colon (:) after, and "Any" Service
- Tie this to a new Action called "Action-CustomGroup"
- Edit "Action-CustomGroup" to relate to the Forwarding Host Group you specified earlier (Custom-Group), and "Deny the request" if the Forwarding Host (i.e. all TCP Ports within that Group) aren't available
- Within VPM, apply the policy to the BlueCoat ASG - navigate to File -> Install Policy on SG Appliance
- Party on down, we're done!
Wrapping it up
BlueCoat ASG will quite happily let you specify a collection of individual Forwarding Hosts, each with an individual TCP Port; and the VPM will then let you specify these multiple individual Forwarding Hosts - but it won't actually VIP Forward the traffic, and will fail miserably.
The above seems to be the "BlueCoat Way" of doing this, and definitely works.