Using a proxy server for CBRS connectivity

Proxy Suggestions for CBRS connectivity

We recommend against using cnMaestro on-premises as a proxy for cbrs connectivity. Normally, upgrades to cnMaestro that result in a small amount of downtime do not impact network devices under management. In the case of cbrs they do, and even a brief outage of the proxy during upgrade will result in network outages.

External proxy requirements

If you already use a forward proxy in your network, its best to use this rather than setting up a new one. Connections will be made using http CONNECT to sas.cbrs.cambiumnetworks.com, your proxy will need to allow this. A TLS intercepting proxy (like some security gateways) will break connectivity.

Squid as external proxy

The following configuration will work for an external proxy config if needed, but does not offer high-availability and may not be in line with your network standards.

## WARNING: 
## While this config may work for your use case, we encourage you to
## follow your own best practices and modify this file for
## your network.
## Tested on squid version 4.10

## This localnet ACL is not useful unless you want to use
## this proxy for anything other than a cbrs proxy.
#acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

## This cbrs ACL limits connections to sas.cbrs.cambiumnetworks.com
## only.
acl cbrs dstdomain sas.cbrs.cambiumnetworks.com

## This group blocks http CONNECT to non-standard https ports
acl SSL_Ports port 443             
acl CONNECT method CONNECT         
http_access deny CONNECT !SSL_Ports 

## Allow access only to the sas acl                            
http_access allow CONNECT cbrs
http_access deny all                               
                                                   
## We dont need any cache for proxying cbrs traffic
cache deny all

## Port config, uncomment this to change from default if needed.
#http_port 3128

HA for squid external proxy

Since a standalone proxy is a single point of failure, we recommend using an HA setup for squid. This can be done fairly simply using pacemaker or drdb.

3 Likes