Hi Folks,

This is a bit long-winded asking for advice regarding Internet connectivity.

My Environment:

* US national network, about 10,000 users.
* NT, W95, W98.
* Semi-centralized to the East Coast.
* Current Internet provider GTE/BBN w/ Site Patrol (Gauntlet) managed firewall. T-1. All services are proxied. All sites come to one gateway. Expensive.

Internet usage here is very limited (heavy traffic though) in that I do not allow ANY inbound IP traffic except to machines in the DMZ. HTTP, HTTPS, FTP are proxied. Internet usage is 99.9% web and e-mail with the sporadic FTP user. I have an MS DNS server inside set to forwarding/slave to the proxy server address. We do not do anything fancy, i.e. no Internet to internal machines. My address scheme is fully illegal; I made up numbers 12 years ago. We are gradually converting to a private 10. network numbering structure using VLSM.

My Goals:

* Add two more T-1 connections to the Internet using the same ISP so I don't have to deal with BGP issues. The links will be in different sections of the country.
* Provide for redundancy with the new circuits, i.e. failover. Would really like loss of connectivity to be transparent to the user if possible.
* Manage our own firewall/proxy machines, keeping in mind how limited our Internet usage is today. Now by limited I only mean in scope, not quantity; we run the T-1 at 50~75% during prime time, all web, 99% play, not business related.
* Firewall/proxy should allow for web filtering. I'm aware of some of these products, Elron and others.

Preferred Environment:

* Not by me but.... NT-based firewall (I probably could convince management that UNIX would be more robust if that is true). MS Proxy Server??? Does this make sense? I'm not an MS basher in the sense that if one of their products really is easy to use, cheap, and does what it is supposed to, I'm all for it.
* E-mail: I want to keep that the way it works now, i.e. one address outside which passes to my DNS server inside where I pass it off to Exchange, Lotus or whatever. I am expecting the mail folks to talk to me about some scanning tools for incoming mail.
* Proxy. Is this the only practical way to go in a very large environment? If I wanted to use NAT, wouldn't that mean I'd have to have the ISP be able to provide enough addresses for x number of concurrent users? Any reason NAT is better (or worse) than proxy?

I sort of understand why the company has allowed itself to become the ISP for all the employees. Most likely this is a good idea in that folks who generally wouldn't have the opportunity to become "computer literate" will now know what's going on when they hear the "web" being talked about so much. I do want to at least be able to filter out some of the more nasty sites to protect the company from harassment suits.

Vendors, feel free to reply to this. I am going to talk to BBN, MCI (UUNET?), PSINET, ATT and any other world-class ISP/carriers.

If anyone has had experience with large numbers of users and widely spread out sites accessing the Internet, I'd appreciate your views on sticking with a fully managed solution vs. an in-house firewall team.

Thanks for your consideration.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
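The NAT address question in the post above, worked through as an added example (not part of the original message): a toy model of dynamic one-to-one NAT, which does need a public address per concurrent inside host, beside port address translation (NAPT), which multiplexes every inside flow onto one public address by rewriting source ports. The addresses and port numbers are constructed; the `OneToOneNat`/`Napt` names are the example's own, not any product's API.

```python
# Added example, not from the original post. Constructed addresses: 10.0.0.0/8
# inside (the post's planned private numbering), 203.0.113.0/24 outside.
from itertools import count


class OneToOneNat:
    """Dynamic 1:1 NAT: each active inside host consumes a whole public address."""

    def __init__(self, public_pool):
        self.free = list(public_pool)   # unassigned public addresses
        self.table = {}                 # inside_ip -> public_ip

    def translate(self, inside_ip):
        if inside_ip not in self.table:
            if not self.free:
                raise RuntimeError("public pool exhausted")
            self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]


class Napt:
    """NAPT: all inside (ip, port) flows share one public IP, keyed by rewritten port."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}              # (inside_ip, inside_port) -> public_port
        self.inbound = {}               # public_port -> (inside_ip, inside_port)

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.outbound:    # new flow: allocate the next free public port
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def accept_inbound(self, public_port):
        """Inbound traffic with no matching flow has no entry and is dropped (None)."""
        return self.inbound.get(public_port)


def public_addresses_needed(inside_hosts, public_pool):
    """Return (1:1 NAT addresses used, or None if the pool ran out; NAPT addresses used)."""
    nat = OneToOneNat(public_pool)
    try:
        for host in inside_hosts:
            nat.translate(host)
        one_to_one = len(nat.table)
    except RuntimeError:
        one_to_one = None
    napt = Napt(public_pool[0])        # constructed: each host opens one flow on port 40000+i
    used = {napt.translate(h, 40000 + i)[0] for i, h in enumerate(inside_hosts)}
    return one_to_one, len(used)
```

The same translation table is also what lets a NAPT box refuse unsolicited inbound packets, matching the post's "no inbound IP traffic" stance.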
