Re: what http/https/ftp/smts proxy/relay to use on a network firewall

2007-03-21 Thread tom winter

Ansgar -59cobalt- Wiechers wrote:

> On 2007-03-21 tom winter wrote:
>> Ansgar -59cobalt- Wiechers wrote:
>>> On 2007-03-20 tom winter wrote:
>>> What exactly is a "layer 3 proxy for server publications" supposed to
>>> be?
>>
>> MS terminology.. servers that have to remain inside the lan are
>> 'published'. E.g. the intranet web server has to have AD and database
>> connections, so it can't be moved to a dmz easily.
>
> Ah, I see, you mean connections from hosts in the DMZ into the LAN?
> You'll need to manually allow the ports required for the services you
> want to be 'published'. Personally I'd prefer to avoid something like
> that, though, and rather replicate the data or move the servers to a DMZ
> of their own, that can be accessed from both the "public" DMZ and the
> LAN.

It's even worse: in a standard ISA setup, all layer-two filtering and
all proxies are done on the same machine, and all are running with Local
System (~ root) privileges.



Thanks,
also thanks to Léo and Ralph

Tom


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: what http/https/ftp/smts proxy/relay to use on a network firewall

2007-03-21 Thread Ansgar -59cobalt- Wiechers
On 2007-03-21 tom winter wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2007-03-20 tom winter wrote:
>> What exactly is a "layer 3 proxy for server publications" supposed to
>> be?
> 
> MS terminology.. servers that have to remain inside the lan are
> 'published'. E.g. the intranet web server has to have AD and database
> connections, so it can't be moved to a dmz easily.

Ah, I see, you mean connections from hosts in the DMZ into the LAN?
You'll need to manually allow the ports required for the services you
want to be 'published'. Personally I'd prefer to avoid something like
that, though, and rather replicate the data or move the servers to a DMZ
of their own, that can be accessed from both the "public" DMZ and the
LAN.

>>> http proxy should be able to:
>>> termination https connections (use http to internal servers)
>> 
>> Why would you want to break https?
> 
> Because of the necessary address translations. The connection to that
> web server is secure (separate switch, switch and cables not reachable
> for anyone but IT).
> e.g. internal link file://server/share -> external ftp://server/dir
> I know, this could be done by script, but I have little influence on our
> web programmer.
> 
>>> handle (s)ftp (maybe a separate component)
>> 
>> Why would you want to break ssh?
> 
> The original ftp server has no ssl capabilities at all. I hope to add
> that on the gateway.

Yeah, misunderstanding on my part. AFAICS reverse proxying of both HTTP
and FTP connections should be doable with Apache's mod_proxy [1].
Haven't done this myself before, though, so take it with a grain of
salt.

[1] http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq





Re: what http/https/ftp/smts proxy/relay to use on a network firewall

2007-03-21 Thread tom winter

Hi Ansgar,

Ansgar -59cobalt- Wiechers wrote:
> On 2007-03-20 tom winter wrote:
> ...
> What exactly is a "layer 3 proxy for server publications" supposed to
> be?

MS terminology.. servers that have to remain inside the lan are
'published'. E.g. the intranet web server has to have AD and database
connections, so it can't be moved to a dmz easily.

>> http proxy should be able to:
>> termination https connections (use http to internal servers)
>
> Why would you want to break https?

Because of the necessary address translations. The connection to that
web server is secure (separate switch, switch and cables not reachable
for anyone but IT).

e.g. internal link file://server/share -> external ftp://server/dir
I know, this could be done by script, but I have little influence on our
web programmer.

>> handle (s)ftp (maybe a separate component)
>
> Why would you want to break ssh?

The original ftp server has no ssl capabilities at all. I hope to add
that on the gateway.

bye,
tom





Re: what http/https/ftp/smts proxy/relay to use on a network firewall

2007-03-21 Thread Ansgar -59cobalt- Wiechers
On 2007-03-21 Léo Goehrs wrote:
>> What exactly is a "layer 3 proxy for server publications" supposed to
>> be?
> 
> I would say this is how Microsoft ISA works. You decide what resources
> you publish.

I am not familiar with ISA server. Which kind of "resources" is going to
be "published"? And what does that have to do with layer 3?

[...]
>>> handle (s)ftp (maybe a separate component)
>> 
>> Why would you want to break ssh?
> 
> Who is talking of ssh?

Ah, I was misreading "(s)ftp" as (ssh-)"sftp". My bad.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq





Re: what http/https/ftp/smts proxy/relay to use on a network firewall

2007-03-21 Thread Ralf Döblitz
--On Tuesday, March 20, 2007 21:47:23 +0100 tom winter
<[EMAIL PROTECTED]> wrote:

[...]

> http proxy should be able to:
> termination https connections (use http to internal servers)

[...]

> link translation (replace internal links from the https servers)


You can do these two tasks with Apache. Just use the proxy and rewriting 
modules to fetch the pages from the internal servers. There is a module to 
rewrite internal links IIRC, but I prefer to use the canonical name for the 
internal servers too and access them through an alias. This way the 
internal servers produce the correct links right from the start without 
need for output filtering.


Ralf Döblitz
--
Ralf Döblitz          asco GmbH             Amtsgericht Braunschweig
[EMAIL PROTECTED]     Mittelweg 7           HRB 5035
Tel 0531/3906-116     38106 Braunschweig    Geschäftsführer
Fax 0531/3906-400     http://www.asco.de    Jochen Grote
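The setup Ralf describes (Apache fetching pages from the internal servers via the proxy and rewriting modules, with the backend addressed by its canonical public name so it emits correct links on its own) and the mod_proxy reverse proxy Ansgar points to for HTTP and FTP, written out as an added example. This configuration is not from any poster on the thread; the host names www.example.com, intranet.lan.example and ftp.lan.example, the certificate paths and the URL prefixes /intranet/ and /files/ are assumptions, and the directives are the Apache 2.2-era ones the thread's mod_proxy link documents.

```apache
# Added example (not from the thread): Apache as an HTTPS-terminating reverse
# proxy in front of "published" LAN servers. All names and paths are assumed.
# Module file paths depend on the distribution.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule proxy_ftp_module   modules/mod_proxy_ftp.so
LoadModule ssl_module         modules/mod_ssl.so
LoadModule headers_module     modules/mod_headers.so

# The single most important line: with ProxyRequests On the gateway is an
# open forward proxy for the whole Internet. Reverse proxying via ProxyPass
# does not need it.
ProxyRequests Off

<VirtualHost *:80>
    ServerName www.example.com
    # Nothing is published over plain HTTP; send clients to the TLS listener.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key

    # Ralf's trick: pass the client's Host: header through unchanged, so the
    # backend sees the public canonical name and builds correct absolute
    # links itself; no output filtering of the HTML is needed.
    ProxyPreserveHost On
    # Tell the backend the client side is HTTPS, so it emits https:// links
    # even though the hop from the gateway to it is plain HTTP.
    RequestHeader set X-Forwarded-Proto "https"

    # Only the prefixes listed here are reachable; every other URL is served
    # (or refused) locally by this Apache, never forwarded into the LAN.
    ProxyPass        /intranet/ http://intranet.lan.example/
    # Rewrites Location:/Content-Location: headers in redirects from the
    # backend so they point at the public name instead of the internal one.
    ProxyPassReverse /intranet/ http://intranet.lan.example/

    # mod_proxy_ftp presents an FTP directory tree as an HTTP resource, so a
    # legacy FTP server without TLS is only ever exposed behind this HTTPS
    # front end. As Ansgar says, untested by the thread: verify before relying on it.
    ProxyPass        /files/ ftp://ftp.lan.example/dir/
    ProxyPassReverse /files/ ftp://ftp.lan.example/dir/
</VirtualHost>
```

If the backend cannot be made to generate links with the public name, the fallback Ralf mentions is body rewriting on the proxy (mod_proxy_html, or mod_substitute in Apache 2.2.7 and later); it costs CPU on the gateway and is easy to get subtly wrong for links built in JavaScript, which is why his alias approach is preferable. Check the result from outside with a request for a path that is not published (for example https://www.example.com/anything/) and confirm it never reaches the LAN.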



RE: what http/https/ftp/smts proxy/relay to use on a network firewall

2007-03-20 Thread Léo Goehrs

>>What exactly is a "layer 3 proxy for server publications" supposed to
>>be?

I would say this is how Microsoft ISA works. You decide what resources you
publish.


>>> http proxy should be able to:
>>> termination https connections (use http to internal servers)

>>Why would you want to break https?

To Decrease the load on the back end server. This is a feature of ISA. ISA is 
able to handle the SSL part and terminate it.


>>> handle (s)ftp (maybe a separate component)

>>Why would you want to break ssh?

Who is talking of ssh?

Leo Goehrs




Re: what http/https/ftp/smts proxy/relay to use on a network firewall

2007-03-20 Thread Ansgar -59cobalt- Wiechers
On 2007-03-20 tom winter wrote:
> I'm trying to replace an ISA server used as proxy for incoming
> connections to a web and a mail server with a linux box.
> The iptables part is clear, also squid as proxy for client web access...
> but what can be used for layer 3 proxies for server publications?

What exactly is a "layer 3 proxy for server publications" supposed to
be?

> http proxy should be able to:
> termination https connections (use http to internal servers)

Why would you want to break https?

> handle (s)ftp (maybe a separate component)

Why would you want to break ssh?

> link translation (replace internal links from the https servers)
> no caching needed

Apache can be used as a reverse proxy.

> smtp relay (or proxy) should be able to
> deny smtp sessions for unknown recipients
> use blacklists

I'd recommend Postfix, though virtually any MTA should do.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq


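The two SMTP relay requirements from tom's original mail (refuse sessions for unknown recipients, use blacklists) expressed in Postfix, which Ansgar recommends, as an added example that is not from the thread. The domain example.com, the internal mail host mail.lan.example, the map file paths and the DNSBL zone are assumptions; the restriction names are standard Postfix ones.

```postfix
# Added example (not from the thread): /etc/postfix/main.cf fragment for an
# inbound relay on the firewall in front of an internal mail server.
# Domain, host names, map paths and the DNSBL zone are assumed.
myhostname = mx.example.com
# The relay holds no mailboxes of its own.
mydestination =
# Only trust the loopback; LAN hosts must not be able to relay out through
# the inbound listener unchecked.
mynetworks = 127.0.0.0/8

# Accept mail for this domain and hand it to the internal server.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport (one line):
#   example.com    smtp:[mail.lan.example]

# The list of valid mailboxes. Anything not in it is rejected at RCPT TO,
# before the message body is taken, so the relay never accepts mail it
# would later have to bounce (no backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#   /etc/postfix/relay_recipients (one line per mailbox):
#   user@example.com    OK

smtpd_recipient_restrictions =
    permit_mynetworks,
    # Refuse to relay anywhere but relay_domains: never an open relay.
    reject_unauth_destination,
    # Unknown recipient in a relay domain: reject now, at SMTP time.
    reject_unlisted_recipient,
    # Blacklist check; placed after permit_mynetworks so internal senders
    # are never DNSBL-tested. Zone name is an assumed example.
    reject_rbl_client zen.spamhaus.org,
    permit
```

After `postmap /etc/postfix/transport /etc/postfix/relay_recipients` and a reload, test from outside with a RCPT TO for an address not in the list: the relay must answer 550 before DATA. If maintaining the recipient list by hand is impractical, Postfix can instead probe the internal server per address with reject_unverified_recipient (address verification), at the cost of one extra SMTP exchange per unknown recipient and a dependency on the backend being up during the RCPT stage.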