Greetings!

> One of my customers wants me to install Proxy Server 2.0 on his fine working firewall.
> They need to restrict access to the internet. Only special users will get the right
> to access sites on the internet. All other users will get access only to the intranet
> page. All users are working on a terminal server. I know that I should use the
> security server with user authentication, but for this I have to build up a second
> user database. So my customer decided to use MS Proxy Server because it is able to use
> the existing NT user database.
>
> So, my question is: does it make sense to install Proxy Server on an existing (and
> well functioning) FireWall-1 4.0 machine? And what about security after that
> installation?

I'd highly recommend installing the MS proxy on a different (second) machine on the
inside network, for various reasons.

1.) MS Proxy is an application running on MS IIS - with all the benefits (NTLM auth) and
    (security) problems that implies. In particular, you will have to install hotfixes
    more often (with IIS) and close to published exploits, which _might_ interfere with
    some FW-1 stuff.

2.) Simplified rule: allow HTTP only if coming from the proxy. Thus less hassle with
    internal network organization in the rules.

3.) The separate proxy can be optimized for caching - faster web response and less
    transfer (costs).

4.) The MS Proxy comes with SOCKS and (kind of) packet filtering (SOCKS proxy only?!),
    which _might_ severely interfere with the FW-1 packet filtering modules if installed
    on the same machine.

5.) If installing a separate internal server, you won't have any additional downtime.
    In particular, you will have to completely reinstall the FW-1 server due to the
    strange IIS installation (proper way: NT4, SP3, IE4, OP, proxy, IE5, SP6a, hotfixes)
    if you choose to install both systems on one machine.

6.) Depending on your installation you might be able to strip all authentication off
    the firewall, thus freeing resources.

In fact you won't be able to add the proxy to the FW-1 server - instead you will
(have to) install NT and the proxy from scratch, and add the FW-1 to the proxy later...

Bye
    Volker

begin:vcard 
n:Tanger;Volker
tel;fax:+49 - 69 - 92901-213
tel;work:+49 - 69 - 92901-570
x-mozilla-html:FALSE
url:http://www.res.globalone.net/
org:Global One;Global Project Engineering
version:2.1
email;internet:[EMAIL PROTECTED]
title:Sr. Security Engineer
adr;quoted-printable:;;Stiftstrasse 23=0D=0A;Frankfurt;;60313;Germany
note;quoted-printable:Room 608=0D=0A
fn:Volker Tanger
end:vcard
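Point 2 of the reply above ("allow HTTP only if coming from the proxy") in working form, as an added example that is not code from the original mail, from Check Point or from Microsoft: a minimal first-match rule-base evaluator with the per-subnet "before" rule base next to the proxy-only "after" one. All addresses, rule names and sample connections are constructed for the demo and are assumptions, not the poster's or the customer's configuration.

```python
"""Added example, not from the original mail: a toy first-match rule-base
evaluator showing why "allow HTTP only from the proxy" simplifies the
firewall.  Every address, rule name and connection below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal range (constructed)
PROXY = ipaddress.ip_network("10.0.0.10/32")      # assumed MS Proxy host (constructed)
HTTP, HTTPS = 80, 443


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, ...]      # destination ports; () matches any service
    action: str                 # "accept" or "drop"
    log: bool = False           # whether a match is written to the log


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], conn: Conn) -> Tuple[str, str]:
    """First matching rule wins, as in a FW-1 rule base.  A connection that
    matches no explicit rule is dropped by an implicit cleanup rule."""
    s, d = ipaddress.ip_address(conn.src), ipaddress.ip_address(conn.dst)
    for r in rules:
        if s in r.src and d in r.dst and (not r.ports or conn.dport in r.ports):
            return r.action, r.name
    return "drop", "implicit cleanup"


# "Before": one outbound web rule per department subnet.  Every internal
# re-addressing or new subnet means editing the firewall rule base.
BEFORE = [
    Rule("sales web", ipaddress.ip_network("10.1.0.0/16"), ANY, (HTTP, HTTPS), "accept"),
    Rule("eng web",   ipaddress.ip_network("10.2.0.0/16"), ANY, (HTTP, HTTPS), "accept"),
    Rule("ts web",    ipaddress.ip_network("10.3.0.0/16"), ANY, (HTTP, HTTPS), "accept"),
]

# "After": the firewall only knows the proxy.  Which users may browse is
# decided by the proxy's NT authentication, not by firewall rules, and a
# logged final drop makes direct (proxy-bypassing) attempts visible.
AFTER = [
    Rule("proxy web",     PROXY,    ANY, (HTTP, HTTPS), "accept"),
    Rule("drop internal", INTERNAL, ANY, (),           "drop", log=True),
]

# Constructed sample connections as seen at the firewall: the proxy going
# out, a terminal-server user going out directly, and a host on a subnet
# nobody wrote a rule for.
SAMPLE = [
    Conn("10.0.0.10", "198.51.100.7", 80),     # proxy -> internet
    Conn("10.3.0.25", "198.51.100.7", 80),     # user bypassing the proxy
    Conn("10.9.0.4",  "198.51.100.7", 443),    # new subnet with no rule
]


def logged_drops(rules: List[Rule], conns: List[Conn]) -> List[Tuple[str, str, int]]:
    """Connections dropped by a rule that logs: what an admin would see in
    the firewall log, e.g. a browser not pointed at the proxy."""
    by_name = {r.name: r for r in rules}
    hits = []
    for c in conns:
        action, name = evaluate(rules, c)
        if action == "drop" and name in by_name and by_name[name].log:
            hits.append((c.src, c.dst, c.dport))
    return hits


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label}: {len(rules)} rules ---")
        for c in SAMPLE:
            print(c.src, "->", c.dst, c.dport, evaluate(rules, c))
        print("logged drops:", logged_drops(rules, SAMPLE))
```

The "after" rule base no longer grows with the internal network, and the explicit logged drop is what turns a bypass attempt into a log entry rather than a silent implicit-cleanup drop; in the "before" rule base the same connection from an unlisted subnet simply vanishes.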
