
RE: [FW1] Firewall-1 and MS Proxy Configuration






I prefer having my proxy server inside my corporate network.

By doing that I get the following advantages:

	- all my internal users are authenticated and logged in my M$ proxy server
	- my proxy server is protected against the bad guys over the internet
	- my Firewall-1 does not have to handle all my HTTP traffic, just the ones filtered by my proxy

As I have a DHCP server and I do not do any authentication in my FW-1, if I
try to log their internet access using my firewall, I would get just their
IP (which can change if the user keeps their computer turned off long enough).
Moreover, logging with a M$ proxy server I'm getting the users' username,
which helps us a lot.

Regards,

> Anchises  M. G. de Paula
> AMERICEL
> I.T. - Coordenador de Sistemas de Segurança
> email: amoraes@americel.com.br
> Fone: 061 329 6698
> 
> 
> -----Original Message-----
> From:	sirving@ca.ibm.com [SMTP:sirving@ca.ibm.com]
> Sent:	Wednesday, September 01, 1999 12:00 PM
> To:	Dean Cunningham
> Cc:	'Pranadjaja'; 'fw-1-mailinglist@lists.us.checkpoint.com'
> Subject:	RE: [FW1] Firewall-1 and MS Proxy Configuration
> 
> 
> 
> 
> I would go with the following
> internal ---------------------fw-1 ----------------------------router-------------Internet
>                                                  |
>                                                  |
>                                            Proxy
> 
> Sure this will mean a little more traffic for the firewall to handle when
> a page isn't cached but it protects the proxy a little better and also gives
> flexibility of when and who has to use the proxy etc.
> 
> 
> Dean Cunningham <DeanC@wairc.govt.nz> on 08/31/99 01:36:26 AM
> 
> Please respond to Dean Cunningham <DeanC@wairc.govt.nz>
> 
> To:   "'Pranadjaja'" <Prana@mii.metrodata.co.id>
> cc:   "'fw-1-mailinglist@lists.us.checkpoint.com'"
>       <fw-1-mailinglist@lists.us.checkpoint.com>
> Subject:  RE: [FW1] Firewall-1 and MS Proxy Configuration
> 
> 
> 
> 
> 
> 
> FWIW
> 
> I'd punt for this,
> --------------Firewall-1---------------Router -----Internet
>                          |
>                       Proxy Server
> 
> This is your only option if you want to use firewall as your security
> authority.
> Set up the router to allow calls initiated from the proxy server out
> but not the other way around.
> 
> Chris what hole has been blown in the firewall??
> 
> cheers
> deanc
> 
> 
> -----Original Message-----
> From: Pranadjaja [mailto:Prana@mii.metrodata.co.id]
> Sent: Tuesday, August 31, 1999 4:42 PM
> To: 'Tim Mcmanus'; Pranadjaja
> Cc: fw-1-mailinglist@lists.us.checkpoint.com
> Subject: RE: [FW1] Firewall-1 and MS Proxy Configuration
> 
> 
> 
> 
> >> We don't use NT domain. We want all users connecting to the internet to
> >> be maintained in Firewall database. So, we use HTTP authentication server of
> >> Firewall-1. MS Proxy will be used only as caching proxy, not dealing with
> >> security matters.
> >> So, authentication based on NT domain user account is not an option. Our
> >> environment consists of UNIX and Windows 96/98 boxes.
> 
> So, once again, I want to ask which configuration should I use :
> 
> Internal Net
> ---------------Firewall-1----Router----Internet
>     |
> Proxy Server
> 
> or
> 
> --------------Firewall-1---------------Router -----Internet
>                          |
>                       Proxy Server
> 
> Someone has suggested to use configuration like this :
> 
> internal network
> ***************************************************
> This e-mail is  not an  official  statement of  the
> Waikato  Regional  Council unless otherwise stated.
> ***************************************************
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================