>
> Good day to all.
>
> I was looking into Firewall-1 as I am in need of configuring it to use
> an external HTTP Proxy. Here is my topology:
>
> 1) FW1 NG with several HTTP rules
> 2) Clients are NOT configured to use FW1 as proxy (as a matter of fact
> they are not configured to use anyone as proxy)
>
> I need to "redirect" all traffic, sent out via HTTP, through FW1 to a
> proxy server. I've seen that this is possible using the option HTTP Next
> Proxy. However, the following questions came to mind:
>
> 1) Is it possible to put this Proxy server in my DMZ? (traffic will have
> to go back through FW1 without creating a loop)
> 2) Is there any other way (other than HTTP Next Proxy) that might allow
> me to configure the proxy server in the individual rules without using
> CVP or UFP? I need to maintain a few other rules letting HTTP out without
> passing through the proxy.
>
Create under services a new service "http_redirect", with protocol 6 ->
then under [advanced] you have to enter in the "match" field
SRV_REDIRECT(80,192.168.1.1,8080), which means redirect from port 80 to
host 192.168.1.1 port 8080, and no protocol type.
Assuming the Proxy parameters are :
IP : 192.168.1.1
Port : 8080
Using this setup I redirected web traffic to our Squid Cache
(www.squid-cache.org) on the DMZ for specific internal networks.
The redirection is applied for rules looking like:

Source         Destination   Service         Action
------------   -----------   -------------   ------
Host/Network   Outside       http_redirect   accept

Intercepting proxies may need extra config settings to handle HTTP
requests from proxy-unaware clients.
M.
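
The point about proxy-unaware clients, as an added example that is not part of the original post: a redirected client sends an origin-form request line, so the proxy has to rebuild the target URL from the Host header. The function name and the sample requests are hypothetical and constructed for illustration.

```python
# Added illustration (not from the original post): how a proxy has to read
# the request line depending on whether the client knows it is using a proxy.
from urllib.parse import urlsplit


def resolve_target(raw_request: bytes):
    """Return (mode, url) for one HTTP request head.

    mode is 'proxy-aware' (absolute-form request line), 'intercepted'
    (origin-form, URL rebuilt from the Host header) or 'unresolvable'
    (origin-form without a Host header: only the original destination IP,
    which the redirect replaced, could identify the server).
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    _method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    # A client configured for a proxy sends the full URL in the request line.
    if urlsplit(target).scheme in ("http", "https"):
        return "proxy-aware", target
    if not target.startswith("/"):
        raise ValueError("unsupported request target")
    # A redirected client sends only the path. The Host header is supplied by
    # the client, so destination-based ACLs should not rely on it alone.
    host = headers.get("host")
    if not host:
        return "unresolvable", None
    return "intercepted", "http://" + host + target


# Constructed sample requests.
AWARE = b"GET http://www.example.com/index.html HTTP/1.0\r\n\r\n"
REDIRECTED = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for sample in (AWARE, REDIRECTED, NO_HOST):
        print(resolve_target(sample))
```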