Sorry if I've missed something in my previous explanation. Anyway we don't want the Checkpoint act as a Proxy, but it should forward the http request to the ISA Server located outside the LAN. How we must configure the FW1 in order to forward the http request to the Proxy ISA Server? The Websense Reporter is installed on the same websense server. Maybe in future we will choose to use the Websense filtering on the ISA Server but for now we would try the forwarding proxy option in NG. Thanks alot!
Denni -----Messaggio originale----- Da: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Inviato: luned� 7 ottobre 2002 20.27 A: [EMAIL PROTECTED] Oggetto: Re: [FW-1] Websense and FW1 Nokia Let me try and understand exactly what you are attempting to do. First, you have the FireWall set to pass it's traffic through an ISA Server, or is the ISA Server on a DMZ and you are expecting the users to proxy to that device for Web access? Is the FireWall set to pass the Web traffic using a proxied connection or using the SecureNAT option on the ISA Server? I suspect based on the error that you are reporting that the FireWall is set to proxy to the ISA Server for Web traffic. That being said, the error really has nothing to do with Websense, but more with how the FireWall is configured. When you enable the rule on the FireWall to filter traffic through Websense, the Web traffic then passes through the HTTP Security Server. The error that you are receiving is from the HTTP Security Server. If you have configured your browsers to proxy to a server outside of the FireWall using port 80, the FireWall will try and intercept the request, and fail because it is not the destination proxy server. So, there are two immediate options that I can see to solve this issue, and it will depend on how you want your traffic to flow, as well as what reporting options you want to have occur. One option is to not use proxied traffic at all for your internal browsers, setting the FireWall to send the Web requests to Websense for evaluation, and then have the FireWall point to the ISA Server (either by proxy or by SecureNAT) for the outbound Web traffic. If you are planning on using Websense Reporter and trying to identify specific user names, you would have to rely on the Websense Server components to identify the users. I have not tested the forwarding proxy option in NG, so I don't know how well it will work, but it wasn't all that great in v4.1 for Web traffic. Another option is to use Websense filtering on the ISA Server and then set the client browsers to proxy to the ISA Server. The FireWall would then be set to pass Web traffic on through to only the ISA server from your internal clients. In this case, if you wished to use Websense Reporter to report on specific users, if the ISA Server has access to the internal user database, either it or the Websense Server components can be used to track your users Web access. I'm sure that there are a number of other options that can be accomplished as well, if we understand what specifically you are attempting to do. Thank you. -----Original Message----- From: Denni Ugolotti [mailto:[EMAIL PROTECTED]] Sent: Monday, October 07, 2002 12:55 AM To: [EMAIL PROTECTED] Subject: [FW-1] Websense and FW1 Nokia Hello all! We have a problem about websense version 4.4 and Checkpoint FW1 NG FP1, on a Nokia IP530 IPSO ver. 3.4.2. The problem is the following: We have this topology: Internal LAN (websense +hosts)---FW1-----(Proxy ISA Server)--->Internet Router---> We have configured the FW1 as the manual said, the configuration seems to be ok, but when we try to get out (the WEB) with the web browser (proxy configured) we get a strange message from FW1, the message from the log is: Rejected: reasonRequest to proxy other than the next proxy resource http://www.xyz.xx We have tried to bypass the proxy using the web browser only to get on the WEB, and it works! Why if we use the proxy (ISA Server) the things get worse???? Thanks to all who respond! Andrea & Denni ================================================= To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
