Damon: I don't mean to start a flamewar here, but Connectra *IS* the Check Point answer to secure reverse proxy, and, yes, it *DOES* do what ISA does (and then some). AFAIK, it won't reverse proxy without prior authentication -- true, but, then again, if you want secure reverse proxy, why not have that extra level of security -- esp given that their SSO works better than many of the other comparable solutions out there (like Juniper / Neoteris -- I just ripped out a dozen Juniper boxes and replaced them with Connectra, and can't be happier!)... And Connectra hasn't had nearly as many CVEs issued against it as ISA.
I've also accomplished similar tasks using security servers -- albeit at significantly reduced performance. But an HTTP security server *is* a proxy, and should address the basic needs -- if configured right. They can be temperamental, but generally once up and running, they work. I've also addressed similar requirements (in non-Check Point shops) with an Apache reverse proxy server -- reduce the M$ footprint at the perimeter, and proxy only what you need. This has provided a *VERY* inexpensive, highly scalable reverse proxy architecture. That said, the (in)security footprint with Apache is almost as big as M$...

On Thu, Jul 16, 2009 at 3:48 PM, Cassell, Damon Z. <[email protected]> wrote:

> I know this is a Check Point list and I don't want to go too far off-topic
> here, but I have to ask...
>
> If reverse proxy with SSL decryption is your requirement, is there a
> specific reason you're not going to use Microsoft ISA/Forefront for this?
>
> It's designed specifically for all of these tasks, it's actually reasonably
> affordable and it works well enough.
>
> This topic comes up periodically in Check Point discussions. They don't do
> what ISA does. If you want an SSL VPN, they'll sell you a Connectra, but
> that's not the same thing.
>
> Damon
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:
> [email protected]] On Behalf Of Scott Moore
> Sent: Thursday, July 16, 2009 3:16 PM
> To: [email protected]
> Subject: [FW-1] Checkpoint and Reverse Proxies
>
> I'm looking for guidance on how a reverse proxy can best be implemented
> through Checkpoint.
>
> I will be publishing the following things.
>
> 1. Exchange traffic
>    a. OWA
>    b. Autodiscover / RPC over HTTPS
>    c. ActiveSync
> 2. OCS Reverse Proxy
>
>
> Does anyone have experience doing this and any pointers?
>
> Thanks,
>
> Scott
>
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
