Subject: Re: [FW-1] Checkpoint and Microsoft ISA Server 2004 transparent proxying
From: Hugo van der Kooij <hvdkooij AT VANDERKOOIJ DOT ORG>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sat, 30 Dec 2006 10:13:57 +0100
On Fri, 29 Dec 2006, cisco4ng wrote:

A customer asked me this but I don't know the answer to this.  Can someone
help?

hostA-----------------------------------|
                                        |
          Local LAN_X                   |-----CheckpointNGx----Internet
                                        |
Microsoft Proxy Server hostB------------|

HostA wants to browse the Internet via the browser.  HostA default
gateway is the CheckpointNGx internal interface.  CheckpointNGx is
doing either "hide" or static NAT for localLAN_X.

I would like to configure the Checkpoint firewall so that when
hostA initiates a connection via the browser to the Internet, it will
go to the CP firewall first.  CP firewall will then re-direct
that connection to the Proxy Server hostB.  I would like to be
able to do this without manually reconfiguring the "Internet
setting" on hostA browser.  This is called transparent proxying.
In other words, hostA is being redirected to the proxy server hostB
without knowing anything about it.  The Proxy Server hostB will
do the Web Proxy http/https connection for hostA.

Can it be done with Checkpoint?  If so, how?  Thanks.  I cannot
change the flow of the traffic or the design.  This is what the
customer wants.  My job is to implement it.

One of the tricks is one I would never use because it is not stable and rather slow. Use a resource definition and configure the gateway to redirect that sort of traffic. The customer will love you for about 5 minutes. The next hour they really start to hate you.

Frankly. Sometimes customers want something which is impractical, unsafe or even plain stupid. I'd rather tell them so and tell them I will not implement something which is broken by design. Of the few customers we lost, most were back on their knees within two years, because someone else implemented something completely unsound and they hit a brick wall.

Most customers have centralised policies on their network. With this it is a breeze to add a proxy server. The most likely cause they will notice it is because I have some doubts about this customer's choice for the proxy.

Hugo.

--
        hvdkooij AT vanderkooij DOT org http://hvdkooij.xs4all.nl/
            This message is using 100% recycled electrons.
