Re: site-to-site VPN for proxy sharing

2008-09-13 Thread Durf
Proxy servers are typically not gateways, as they run on the application layer.

Give each site its own subnet and set appropriate routing, then just
set the proxy in your browser properties via GPO for your users.

--Durf

On 9/12/08, Adam Greene <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I'm trying to connect two customer sites via a site-to-site VPN so that all
> machines at Site A can be forced to go through a proxy server at Site B to
> access the Internet.
>
> I am toying with the idea of placing both sites on the same network (i.e.
> 10.2.0.0/16) and then providing the machines at Site A with a default
> gateway of the proxy server at Site B.
>
> However, I'm not convinced that this will work. I mean, if the Site A
> machines don't use their local VPN device as their gateway, how will that
> device know to forward packets over the VPN to the proxy server at Site B?
>
> Customer doesn't want to set up static NAT entries on the VPN device at Site
> A for all the other network resources they need to access at Site B
> (Exchange, Sharepoint, and more) otherwise I think we could just leave Site
> A on a 192.168.0.0 network and NAT the proxy server at Site B to a
> 192.168.0.x. address.
>
> To complicate things further, customer has a Sonicwall TZ170 on one end and
> a Cisco PIX on the other. They are willing to change the Sonicwall to a PIX
> / ASA if that will facilitate the setup.
>
> Any ideas?
>
> Hey, you didn't all go home for the weekend, did you?
>
> --Adam
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~


-- 
--
Give a man a fish, and he'll eat for a day.
Give a fish a man, and he'll eat for weeks!



RE: site-to-site VPN for proxy sharing

2008-09-13 Thread Erik Goldoff
It would depend on the router at Site A ... I'm no longer familiar with the
Sonic TZ, last worked with them about 3 years ago or so, and had a MISERABLE
experience with their support out of India.  Haven't touched one since.

But if you set up the site-to-site tunnel and then specify the far end
subnet via the tunnel gateway, and then use their proxy/egress as the
default gateway that should work fine, with no other rules on the Site A
router to allow direct access to the cloud.

  _  

From: Ralph Smith [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 13, 2008 11:30 AM
To: NT System Admin Issues
Subject: RE: site-to-site VPN for proxy sharing



Could you deny http and https outbound traffic on the router at Site A
except over the VPN to Site B, and then set Site A machines’ web browsers to
use the proxy server at site B?

 


RE: site-to-site VPN for proxy sharing

2008-09-13 Thread Ralph Smith
Could you deny http and https outbound traffic on the router at Site A
except over the VPN to Site B, and then set Site A machines' web
browsers to use the proxy server at site B?

 



From: Erik Goldoff [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 13, 2008 9:16 AM
To: NT System Admin Issues
Subject: RE: site-to-site VPN for proxy sharing

 

"if the Site A machines don't use their local VPN device as their
gateway"

 

Why NOT use the VPN tunnel device as default gateway? Sounds like that's
what you want

 




 

 

 

Confidentiality Notice: 

--



This communication, including any attachments, may contain confidential 
information and is intended only for the individual or entity to whom it is 
addressed. Any review, dissemination, or copying of this communication by 
anyone other than the intended recipient is strictly prohibited. If you are not 
the intended recipient, please contact the sender by reply email, delete and 
destroy all copies of the original message.
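
Added example, not part of any poster's message: a small Python model of the two forwarding decisions discussed in this thread, the host's on-link test (Adam's doubt about a shared 10.2.0.0/16) and the Site A router policy that Durf and Ralph describe. The proxy address and port, the Site A gateway and the host addresses are assumptions chosen for illustration.

```python
import ipaddress

# Assumed addressing (constructed for illustration): Site B, where the proxy
# lives, is 10.2.0.0/16; the routed design leaves Site A on 192.168.0.0/24.
SITE_B_NET = ipaddress.ip_network("10.2.0.0/16")
PROXY = "10.2.0.10"          # hypothetical proxy address at Site B
WEB_PORTS = (80, 443)

def host_next_hop(host_if, gateway, dst):
    """A host's own forwarding decision: a destination inside its configured
    subnet is ARPed for on the local wire; anything else goes to the gateway."""
    iface = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return gateway

def site_a_router(dst, dport):
    """Site A VPN device policy: Site B destinations go into the tunnel,
    direct web traffic is dropped, the rest follows the existing policy."""
    if ipaddress.ip_address(dst) in SITE_B_NET:
        return "tunnel"
    if dport in WEB_PORTS:
        return "deny"
    return "direct"

def trace(host_if, gateway, dst, dport):
    """Follow one flow from a Site A host to the point where it is decided."""
    hop = host_next_hop(host_if, gateway, dst)
    if hop == "on-link":
        return "host ARPs locally; never routed by the VPN device"
    return f"via {hop}: {site_a_router(dst, dport)}"

if __name__ == "__main__":
    flows = [
        # (label, host interface, default gateway, destination, port)
        ("flat /16, to proxy", "10.2.1.25/16", PROXY, PROXY, 8080),
        ("routed, to proxy", "192.168.0.25/24", "192.168.0.1", PROXY, 8080),
        ("routed, direct HTTPS", "192.168.0.25/24", "192.168.0.1", "203.0.113.5", 443),
        ("routed, Site B mail", "192.168.0.25/24", "192.168.0.1", "10.2.0.20", 25),
    ]
    for label, host_if, gw, dst, port in flows:
        print(f"{label:22} -> {trace(host_if, gw, dst, port)}")
```

In the flat design the Site A VPN device is never handed a packet to route, so the tunnel only carries the traffic if the devices bridge or proxy-ARP; with separate subnets the host sends it to the gateway, which applies the tunnel route and the web-port deny.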


RE: site-to-site VPN for proxy sharing

2008-09-13 Thread Erik Goldoff
"if the Site A machines don't use their local VPN device as their gateway"
 
Why NOT use the VPN tunnel device as default gateway? Sounds like that's what
you want


site-to-site VPN for proxy sharing

2008-09-12 Thread Adam Greene
Hi guys,

I'm trying to connect two customer sites via a site-to-site VPN so that all 
machines at Site A can be forced to go through a proxy server at Site B to 
access the Internet.

I am toying with the idea of placing both sites on the same network (i.e. 
10.2.0.0/16) and then providing the machines at Site A with a default gateway 
of the proxy server at Site B. 

However, I'm not convinced that this will work. I mean, if the Site A machines 
don't use their local VPN device as their gateway, how will that device know to 
forward packets over the VPN to the proxy server at Site B? 

Customer doesn't want to set up static NAT entries on the VPN device at Site A 
for all the other network resources they need to access at Site B (Exchange, 
Sharepoint, and more) otherwise I think we could just leave Site A on a 
192.168.0.0 network and NAT the proxy server at Site B to a 192.168.0.x. 
address. 

To complicate things further, customer has a Sonicwall TZ170 on one end and a 
Cisco PIX on the other. They are willing to change the Sonicwall to a PIX / ASA 
if that will facilitate the setup. 

Any ideas? 

Hey, you didn't all go home for the weekend, did you?

--Adam


