Hi Bernardo,

Thanks for your response - comments are in line.

Mailing list for discussion of Firewall-1 wrote on 01/06/2005 08:46:40:

> Hi Andy,

> There are several options for doing what you want.

> 1) DNS

> You could have the name site.com registered in your internal DNS
> pointing to the ip of WS01.

The DNS entry is actually hosted on external servers, and I don't want to
fake the whole domain internally. We are also looking for a solution that
allows us to change things quickly, and the DNS propagation is an issue.

> 2) NAT

> You could point your internal users to an Internal address that is
> being NATed by FW02 to WS01.

Now that is a good idea! A couple of static NATs would be easy to manage.

> 3) SRV_REDIRECT

> define a new service HTTP_PROXY_REDIRECT type other, IP Protocol: 6,
> advanced, match: SRV_REDIRECT(80,<WS01 IP>,80)
> - create a rule: internal clients to SITE.COM (IP address) service
> HTTP_PROXY_REDIRECT accept

Does this also work for https? Assuming that it is IP protocol 6 and port
443 rather than 80? If so, it is also an elegant solution which is
immediately obvious when looking at the rulebase.

> Hope this helps.

It most certainly has!

> See ya,
> Bernardo.

Many thanks,
Andy.


> On 5/30/05, Andy France wrote:
> > Hi All,
> >
> > We are having an issue with a web application that uses (quick and nasty)
> > Microsoft IP load balancing. This is causing session state issues with
> > users on DSL lines that have very short IP lease times, especially when
> > moving between http and https pages.
> >
> > The app guys are looking into moving to a better load balanced solution,
> > but in the meantime we are looking at a quick solution by dropping back to
> > a single server... with a twist!
> >
> > The network layout is thus:
> >
> >                                 WS01
> >   Internet ---- FW01 ---- (Virtual Site) ----  FW02 ---- Internal
> >                                 WS02
> >
> > And the IP addresses in the DMZ are:
> >
> > WS01 = x.x.x.141
> > WS02 = x.x.x.142
> > site.com = x.x.x.150
> >
> > My question is if it is possible to set up separate rules/services on FW01
> > and FW02 so that when an external user goes to http://site.com they get
> > directed to WS02, but an internal user doing the same gets directed to WS01.
> >
> > Both firewalls are FW-1 NG R55 AI on SecurePlatform.
> >
> > TIA,
> > Andy.
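As an added illustration (not code from either poster, and not Check Point's own INSPECT or rulebase format), the following Python models the first-match behaviour that option 3 relies on: a rule whose service matches TCP to the site.com address on a given port and rewrites the destination to WS01, evaluated top to bottom with an implicit drop at the end. It lets you check, before touching the real policy, what happens to HTTPS when only the port-80 service exists (the point Andy asks about) and what external users on the FW01 side end up reaching. The 10.0.0.x addresses stand in for the thread's x.x.x.141/142/150 placeholders, and the FW01 side is modelled as a static destination translation to WS02, which the thread does not spell out and is an assumption here.

```python
"""Model of the split-destination rulebase discussed in the thread.

Added example, not from the original posts or from Check Point. A small
packet classifier that mimics what a FW-1 rule carrying a SRV_REDIRECT-style
service does to the destination of a matched connection, so rule order and
the effect of adding a 443 variant can be checked offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's x.x.x.N placeholders.
WS01 = "10.0.0.141"
WS02 = "10.0.0.142"
SITE = "10.0.0.150"   # the site.com address clients connect to


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internal" or "external"
    dst_ip: str
    proto: int      # IP protocol number; 6 = TCP
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: Optional[str]          # None matches any value
    dst_ip: Optional[str]
    proto: Optional[int]
    dport: Optional[int]
    action: str                      # "accept" or "drop"
    redirect_to: Optional[Tuple[str, int]] = None  # (ip, port) rewrite on accept

    def matches(self, f: Flow) -> bool:
        pairs = ((self.src_zone, f.src_zone), (self.dst_ip, f.dst_ip),
                 (self.proto, f.proto), (self.dport, f.dport))
        return all(want is None or want == have for want, have in pairs)


def evaluate(rulebase: List[Rule], f: Flow) -> Tuple[str, str, int]:
    """First-match evaluation; returns (action, final destination ip, final port).

    An accept rule with a redirect rewrites the destination the way the
    SRV_REDIRECT(port, <WS01 IP>, port) service in the thread does; an accept
    without one leaves the packet headed for the site.com address, i.e. the
    load-balanced VIP the original problem came from.
    """
    for r in rulebase:
        if r.matches(f):
            if r.action == "accept" and r.redirect_to is not None:
                ip, port = r.redirect_to
                return ("accept", ip, port)
            return (r.action, f.dst_ip, f.dport)
    return ("drop", f.dst_ip, f.dport)   # implicit cleanup rule


def build_fw02_rulebase(include_https: bool = True) -> List[Rule]:
    """Internal firewall (FW02) as option 3 describes it.

    The HTTPS rule is a separate service/rule for port 443; leaving it out
    shows why Andy's question matters: 443 then falls through to the plain
    accept and internal users land on the VIP instead of WS01.
    """
    rules = [Rule("internal", SITE, 6, 80, "accept", (WS01, 80))]
    if include_https:
        rules.append(Rule("internal", SITE, 6, 443, "accept", (WS01, 443)))
    rules.append(Rule("internal", SITE, None, None, "accept"))  # untouched destination
    return rules


def build_fw01_rulebase() -> List[Rule]:
    """External firewall (FW01). Externals must reach WS02; modelled here as a
    static destination translation, an assumption not stated in the thread."""
    return [
        Rule("external", SITE, 6, 80, "accept", (WS02, 80)),
        Rule("external", SITE, 6, 443, "accept", (WS02, 443)),
    ]


if __name__ == "__main__":
    samples = [
        (build_fw02_rulebase(), Flow("internal", SITE, 6, 80)),
        (build_fw02_rulebase(), Flow("internal", SITE, 6, 443)),
        (build_fw02_rulebase(include_https=False), Flow("internal", SITE, 6, 443)),
        (build_fw01_rulebase(), Flow("external", SITE, 6, 80)),
        (build_fw01_rulebase(), Flow("external", SITE, 6, 22)),
    ]
    for rb, flow in samples:
        action, ip, port = evaluate(rb, flow)
        print(f"{flow.src_zone:8} -> {flow.dst_ip}:{flow.dport:<4} {action:6} {ip}:{port}")
```

Running the script prints one line per sample flow; the third line is the interesting one, since without the 443 service the HTTPS connection is still accepted but is not redirected, which is exactly the case the thread's follow-up question is about.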

