IMO, for the time spent doing all that, buy a copy of MS Proxy and NTS, slap
it on a low-end Pentium (hell, I had it on a 486/32MB for 200 users),
point your browsers to it and allow the proxy out via the firewall.

-----Original Message-----
From: Chris Trudeau [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 15 June 2000 12:46 PM
To: Fadjar Tandabawana
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Fw-1 with Squid



> I have FW-1 4.1 on NT and I want to make a web proxy on Linux with Squid.
> Does anybody know about the setting?
> The Squid uses a private IP in the internal network and I want to make a
> transparent proxy.
> Any suggestions?

Yes. Since the security servers in Checkpoint will not be on (unless you have
them turned on), you'll have a number of options. Please join in if I am
mistaken:

1) Multi-home the Linux machine INTERNAL to the firewall, route all outbound
traffic to interface "A" of the Linux machine.  You'll need static routes on
the Linux machine and IP_Forwarding turned on.  Set the Squid proxy to listen
on interface "A" and to forward packets bound for the Internet to the firewall.

2) Use a "layer-4" switch (never understood the theory behind calling these
switches layer-4) to pull port 80 traffic (since nothing else can be proxied)
off of the wire and send it to the Linux/Squid machine.  This device will then
send all other traffic directly to the firewall, at which point your traffic
will be subject to the rules on the firewall.

3) Turn on (a rather ubiquitous protocol) ICP on the routers/switches local to
the Linux machine and firewall.  I only know that this is possible, a bit buggy
and definitely not the preferred method...

There are some drawbacks, as option 1 above will give you a single point of
failure (sort of)...if the Linux machine fails your port 80 traffic stops...
(proxy.pac statements internal to your network can provide an element of
fail-over).

Option 2 provides a single point of failure, but hot stand-by solutions are
relatively easy to configure and have available.

Option 3 is a nightmare to set-up, or troubleshoot.

Take your pick...there are probably more///

Chris

--
Chris Trudeau
Partner-Managed Security Services
DigitalMoJo Inc.




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************
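
The proxy.pac fail-over mentioned in the quoted message, as an added example that is not part of the original thread. The proxy host names, port 3128 and the internal domain are assumptions, and the PAC helper functions are replaced with plain string checks so the file also runs outside a browser.

```javascript
// proxy.pac sketch (added example; host names, port and domain are assumptions).
// Browsers call FindProxyForURL(url, host) for every request and try the
// returned entries left to right, moving on when a proxy does not answer.

var PRIMARY = "PROXY squid-a.example.internal:3128";   // hypothetical Squid box
var STANDBY = "PROXY squid-b.example.internal:3128";   // hypothetical hot stand-by
var INTERNAL_SUFFIX = ".example.internal";             // hypothetical local domain

// True for hosts that should never leave via the proxy: unqualified names,
// names under the internal domain, and literal RFC 1918 / loopback addresses.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  var m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // Only plain HTTP is sent to Squid here, matching the port-80-only setups
  // in the message; everything else goes straight to the firewall's rules.
  if (url.substring(0, 5).toLowerCase() !== "http:") return "DIRECT";
  // Fail-over chain. There is deliberately no trailing DIRECT: if both
  // proxies are down, web access stops instead of bypassing the proxy.
  return PRIMARY + "; " + STANDBY;
}
```

For this to be enforceable, the firewall rule base would allow outbound port 80 only from the two proxy addresses, so a client that ignores the PAC file gains nothing.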

