Firewall-1

[FW-1] RE : [FW-1] Checkpoint and reverse proxy

Subject: [FW-1] RE : [FW-1] Checkpoint and reverse proxy
From: Chanoine <yannick.chanoine AT CLAMART DOT FR>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 27 Jan 2005 14:52:09 +0100

Thanks a lot, works just as I wanted.

Yannick

-----Original Message-----
From: Michael J. Semaniuk [mailto:mike AT SEMANIUK DOT COM]
Sent: Wednesday, January 26, 2005 7:34 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Checkpoint and reverse proxy


You could probably use the http_mapped service to redirect the incoming
port 80 traffic to the ISA server's IP address, but I have never sniffed
the traffic to see if the http request is flipped to an IP address or
not.  The service definition is pretty simple.  When you open
http_mapped, go to Advanced.  The SRV_REDIRECT match is set to look for
the original port, then the IP you are redirecting to, then the
destination port.  So you would make that look like (80,ISA_IP,80).

It would probably be simplest though to put the ISA server on a valid IP
network and just allow incoming http to it.  Then the firewall should
not modify the packet at all and the ISA server should see the original
request.

-Mike
----- Original Message -----
From: "Chanoine" <yannick.chanoine AT CLAMART DOT FR>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Wednesday, January 26, 2005 12:52 PM
Subject: [FW-1] Checkpoint and reverse proxy


> Hello,
>
> I'm hosting several websites for specific users.
> I created as many public domain names as I needed.
> My first problem is that I don't have one IP for one website. So
> xxx.domain.com refers to 10.10.10.10 and so does yyy.domain.com.
>
> I want checkpoint NG55 AI to route the incoming packets on an ISA
> server which acts as a reverse proxy. ISA is useful for publishing
> multiple websites with only one IP for example, as it is able to
> redirect requests to web servers using the destination domain name.
>
> In the checkpoint security ruleset I created a rule that allows
> incoming traffic from any user to IP 10.10.10.10 on HTTP protocol. In
> the NAT ruleset I defined the rule like this :
> Original packet   ------------------------   translated packet
> Any -> 10.10.10.10 -> http --- any -> ISA server (static) -> http
>
> I use ethereal on the ISA server to monitor incoming packets and see
> why the redirection fails. In fact the original packet is addressed to
> a certain domain name, for instance xxx.domain.com
> When it arrives to the ISA external IP, the destination is no longer the
> domain name but 10.10.10.10
>
> The problem is that ISA server needs the domain name or isn't able to
> redirect HTTP requests.
>
> Do you know a method to keep the properties of the original packet in
> the translated packet?
>
>
> Thank you!
>
> Yannick Chanoine
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
>
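
Added example, not part of the thread or of any Check Point or ISA code: a small model of the setup discussed above, showing which field a plain layer-3 static destination NAT rewrites and which field a name-based reverse proxy reads to choose a site. The ISA and backend addresses, the function names and the sample requests are assumptions constructed for illustration; only 10.10.10.10 and the two host names come from the thread.

```python
from dataclasses import dataclass, replace

# Constructed values: the thread gives only 10.10.10.10 and the two host names.
PUBLIC_IP = "10.10.10.10"
ISA_IP = "192.0.2.20"  # assumed internal address of the reverse proxy
SITES = {"xxx.domain.com": "192.0.2.31", "yyy.domain.com": "192.0.2.32"}

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes  # TCP payload carrying the HTTP request

def static_dnat(pkt, original, translated):
    """Layer-3 destination NAT: rewrites the IP header field, never the payload."""
    return replace(pkt, dst_ip=translated) if pkt.dst_ip == original else pkt

def host_header(payload):
    """Return the lower-cased Host value without port, or None if absent.
    IPv6 literals in Host are not handled in this sketch."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None

def publish(pkt):
    """Pick the backend as a name-based reverse proxy would; None means no match."""
    return SITES.get(host_header(pkt.payload))

def request(host=None):
    """Build a constructed sample request; without a host it is HTTP/1.0 with no Host."""
    lines = ["GET / HTTP/1.1" if host else "GET / HTTP/1.0"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

if __name__ == "__main__":
    # Named sites, a request made by bare IP, and a request with no Host header.
    for host in ("xxx.domain.com", "YYY.domain.com:80", PUBLIC_IP, None):
        pkt = static_dnat(Packet(PUBLIC_IP, 80, request(host)), PUBLIC_IP, ISA_IP)
        print(f"dst={pkt.dst_ip} Host={host_header(pkt.payload)!r} -> {publish(pkt)}")
```

In a capture on the proxy, the equivalent check is to look at the Host line of the HTTP request rather than at the IP destination column.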
