Steve,
#After looking through most of the docs available on
#the Secure Computing site and through the archives of
#this list-serv I can't say with 100% certainty this
#arrangement will work. Can I specify that a particular
#inbound public address uses a generic proxy for TCP80 and
#TCP443, and other inbound public addresses use the WWW proxy?
#It seems that if our application were to be fed through the
#Sidewinder WWW proxy, the proxy would reject the traffic for
#not being HTTP or HTTPS. Opinions?

You will not have to worry about the proxy for 443. It is just a generic
TCP proxy. The proxy for port 80 is very strict and will reject any
non-HTTP traffic as well as badly written web pages. You have two choices
for bypassing the HTTP proxy.

1. You can disable the Secure Computing proxy and create your own generic
port 80 proxy.
2. You could create an IP filter for the sites that do not send valid HTTP
traffic and use the HTTP proxy for the sites that do use valid HTTP
traffic. This would require that the two sets of sites have different IP
addresses.

I would suggest the second choice. You would have a little less security
for the non-HTTP sites vs. the generic proxy in exchange for a lot more
security on the HTTP sites. If the same IP address needs to send both
types of traffic then the first choice is your only solution. Any HTTP
proxy that would allow you to do this on another firewall is probably no
more secure than the generic proxy on the Sidewinder so I wouldn't let that
stop you from getting a Sidewinder.

Regards,
Jeffery Gieser