Having worked with a situation as Volker describes for several years, I must
agree wholeheartedly.  A 2nd box is definitely the answer, and the
configuration is much simpler that way as well!!

 - Jason

-----Original Message-----
From: Volker Tanger [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 26, 2000 6:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW1] ms proxy server


Greetings!

> One of my customers wants me to install Proxy Server 2.0 on his fine
> working firewall.
> They need to restrict access to the internet. Only special users will get
> the right to access sites on the internet. All other users will get access
> only to the intranet page. All users are working on a terminal server. I
> know that I should use the security server with user authentication, but for
> this I have to build up a second user database. So my customer decided to use
> MS Proxy Server because it is able to use the existing NT user database.
>
> So, my question is: does it make sense to install Proxy Server on an
> existing (and well functioning) FireWall-1 4.0 machine? And what about
> security after that installation?

I'd highly recommend installing the MS Proxy on a different (second) machine
on the inside network, for various reasons.

1.) MS Proxy is an application running on MS IIS - with all the benefits
    (NTLM auth) and (security) problems that implies. In particular, you will
    have to install hotfixes more often (with IIS), and soon after exploits
    are published, which _might_ interfere with some FW-1 stuff.

2.) Simplified rule: allow HTTP only if coming from the proxy. Thus less
    hassle with internal network organization in the rules.

3.) The separate proxy can be optimized for caching - faster web response
    and less transfer (costs).

4.) The MS Proxy comes with SOCKS and (a kind of) packet filtering (SOCKS
    proxy only?!) which _might_ severely interfere with the FW-1 packet
    filtering modules if installed on the same machine.

5.) If installing a separate internal server, you won't have any additional
    downtime. In particular, you would have to completely reinstall the FW-1
    server due to the strange IIS installation (proper way: NT4, SP3, IE4,
    OP, proxy, IE5, SP6a, hotfixes) if you choose to install both systems on
    one machine.

6.) Depending on your installation you might be able to strip all
    authentication off the firewall, thus freeing resources.

In fact you won't be able to add the proxy to the FW-1 server - instead you
will (have to) install NT and the proxy from scratch, and add the FW-1 to
the proxy later...

Bye
    Volker
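An added example (the editor's own, not code from the thread, from Check Point or from Microsoft) of what Volker's point 2 buys you: with the proxy on its own inside host, the FW-1 rule base reduces to "HTTP from the proxy: accept; everything else: drop", and the per-user restriction lives entirely in the proxy's NT authentication. The Python below models both checks with first-match rule evaluation. The addresses, rule names, the terminal-server host and the allowed-user set are assumptions constructed for the example.

```python
# Added example (editor's, not from the thread): a first-match rule evaluator
# that models the FW-1 rule base Volker's point 2 describes, plus the proxy's
# NT-user check in front of it. Addresses, rule names and the user list are
# constructed for illustration; they are not from the original message.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # "http", "https" or "any"
    action: str   # "accept" or "drop"


def _matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def evaluate(rules, src: str, dst: str, service: str):
    """First matching rule wins, as in a FW-1 rule base.

    Returns (action, rule name). A rule base with no explicit cleanup rule
    still ends in a drop, mirroring FW-1's implicit drop.
    """
    for rule in rules:
        if (_matches(rule.src, src) and _matches(rule.dst, dst)
                and rule.service in ("any", service)):
            return rule.action, rule.name
    return "drop", "implicit-drop"


# Assumed topology: inside network 10.0.0.0/24 behind FW-1, the MS Proxy on
# its own internal host 10.0.0.10, the terminal server on 10.0.0.55.
PROXY_IP = "10.0.0.10"

# The simplified rule base: web traffic to the outside is accepted only when
# it comes from the proxy. Everything else falls through to the cleanup rule.
RULES = [
    Rule("proxy-http", PROXY_IP + "/32", "any", "http", "accept"),
    Rule("proxy-https", PROXY_IP + "/32", "any", "https", "accept"),
    Rule("cleanup", "any", "any", "any", "drop"),
]

# Constructed stand-in for the NT group the proxy checks (say, an
# "Internet Users" group). The names are made up for the example.
INTERNET_USERS = {"alice", "carol"}


def proxy_request(user: str, dst: str, service: str = "http", rules=RULES):
    """Model a terminal-server user asking the proxy for an outside site.

    The proxy authenticates the user against the NT account database; only
    members of the allowed group get a connection forwarded. The forwarded
    connection leaves with the proxy's own source address, so the firewall
    rule base sees the proxy, not the workstation.
    """
    if user not in INTERNET_USERS:
        return "deny", "proxy-auth"
    return evaluate(rules, PROXY_IP, dst, service)


if __name__ == "__main__":
    outside = "198.51.100.5"  # constructed TEST-NET-2 address
    print(evaluate(RULES, PROXY_IP, outside, "http"))     # ('accept', 'proxy-http')
    print(evaluate(RULES, "10.0.0.55", outside, "http"))  # ('drop', 'cleanup')
    print(proxy_request("alice", outside))                # ('accept', 'proxy-http')
    print(proxy_request("bob", outside))                  # ('deny', 'proxy-auth')
```

The case worth checking in a real deployment is the second one: a workstation that tries to reach the outside directly, bypassing the proxy and its user check, must land on the cleanup rule. If it does not, the NT-user restriction at the proxy is decoration, because anyone who can set a browser to "no proxy" walks around it.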



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================