Lee (I'm not gonna ask about the lunchbox bit),

I use an MS Proxy server on my LAN - clients authenticate to the proxy
server (it's in the same domain), and it is seen as 1 IP address to the
firewall. NAT's not an issue here, but I have a hide rule on the IP address
of the proxy server using fwxlconf - this causes the external IP address of
the firewall to be used for all Internet transactions. A further rule allows
relevant protocols (i.e. HTTP etc.) from the proxy server's IP address.
Because the proxy's on the LAN I can use NT groups to grant/deny permissions,
and proxy logs to keep track of users' actions without the risk of allowing
NT authentication from the LAN to my DMZ.

Hope this helps,
Nick

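In the setup above the firewall only ever logs the proxy's IP as the source, so per-user accountability has to come from the proxy's own log. The script below is an added example (not from either poster) of joining the two logs: a firewall entry sourced from the proxy is matched to the most recent proxy log line for the same destination within a short time window, and anything not sourced from the proxy is flagged as a client trying to go around it. The log line formats, the address 10.0.0.5 for the proxy, the name-to-IP map and all log lines are constructed for the example and are not real MS Proxy or FW-1 formats.

```python
"""Attribute firewall-observed outbound connections to proxy users.

Constructed example: with the proxy on the LAN and a hide rule on its
address, the firewall log records the proxy's IP as the source of every
Internet connection. Per-user attribution is recovered by joining the
firewall log with the proxy's log on destination and time.
"""
from datetime import datetime, timedelta

PROXY_IP = "10.0.0.5"  # assumed LAN address of the MS Proxy server

# Constructed proxy log (simplified, not the real MS Proxy format):
# date time client-ip nt-user destination-host method path
PROXY_LOG = """\
2000-08-01 14:31:02 10.0.1.23 CORP\\lee www.checkpoint.com GET /services/mailing.html
2000-08-01 14:31:05 10.0.1.41 CORP\\nick www.mimesweeper.com GET /
2000-08-01 14:31:09 10.0.1.23 CORP\\lee www.checkpoint.com GET /index.html
"""

# Constructed firewall log (simplified, not the real FW-1 format):
# date time action src dst service
FW_LOG = """\
2000-08-01 14:31:03 accept 10.0.0.5 194.29.32.10 http
2000-08-01 14:31:06 accept 10.0.0.5 62.49.125.19 http
2000-08-01 14:31:10 accept 10.0.0.5 194.29.32.10 http
2000-08-01 14:31:12 drop 10.0.1.99 194.29.32.10 http
"""

# Constructed name -> IP map, standing in for the proxy's DNS lookups.
DNS = {"www.checkpoint.com": "194.29.32.10",
       "www.mimesweeper.com": "62.49.125.19"}


def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def parse_proxy_log(text):
    """Parse the constructed proxy log into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, user, host, method, path = line.split(maxsplit=6)
        entries.append({"ts": _ts(date, time), "client": client, "user": user,
                        "host": host, "url": f"{method} {path}"})
    return entries


def parse_fw_log(text):
    """Parse the constructed firewall log into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, src, dst, service = line.split()
        entries.append({"ts": _ts(date, time), "action": action, "src": src,
                        "dst": dst, "service": service})
    return entries


def attribute(fw_entries, proxy_entries, window=timedelta(seconds=5)):
    """Attach a proxy user to each firewall entry where one can be found.

    A firewall entry is explained by the latest proxy request to the same
    destination IP that was logged at most `window` before it. Entries not
    sourced from the proxy are flagged: with the rule base described above
    (only the proxy may talk HTTP outbound) they should appear as drops.
    """
    results = []
    for fw in fw_entries:
        if fw["src"] != PROXY_IP:
            results.append({**fw, "user": None, "note": "bypass attempt"})
            continue
        match = None
        for p in proxy_entries:
            delay = (fw["ts"] - p["ts"]).total_seconds()
            if DNS.get(p["host"]) == fw["dst"] and 0 <= delay <= window.total_seconds():
                if match is None or p["ts"] > match["ts"]:
                    match = p
        if match is None:
            results.append({**fw, "user": None, "note": "no proxy record"})
        else:
            results.append({**fw, "user": match["user"], "client": match["client"],
                            "note": match["url"]})
    return results


if __name__ == "__main__":
    for r in attribute(parse_fw_log(FW_LOG), parse_proxy_log(PROXY_LOG)):
        print(r["ts"], r["action"], r["src"], "->", r["dst"],
              "user=", r["user"], r["note"])
```

The time window is a judgement call: too tight and slow DNS resolution on the proxy loses matches, too loose and a busy destination (a popular web host) is attributed to the wrong user, so on a real proxy you would also key on the proxy's own source port or connection ID where the log provides one.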
-----Original Message-----
From: Lee (lunchbox) Hughes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 01, 2000 2:31 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Trust me, I'm a Proxy....



Guys/Gals,

How does Firewall-1 handle internal or DMZ proxies? If for instance I invoke
the dark satanic power of Microsoft and implement a Microsoft proxy server,
how do I implement pass-through security for such a box???


CLIENT--->HTTP PROXY---->FW-1---->Internet

so, my users authenticate with the HTTP proxy, but how do I then pass this
through to Firewall-1? Won't Firewall-1 see the proxy as a single IP/USER?

or do I place the proxy on the DMZ network, and just let Firewall-1 'route'
packets to it??? But then I have to manage NT user authentication from the
DMZ to the internal LAN??? Yukky stuff? And I really want to use the HTTP
application-level proxy of FW-1 rather than rely on NAT/routing rules.

it's all very crazy and unclear,
I'd like to hear from anyone using this type of configuration.
I guess that the proxy can support 'clear text' HTTP authentication, and
pass this through, but what about NT authentication methods, like CHAP?? Or
even SSL? Help!
Cheers,
Lee



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

