topic Re: How to make PIX to redirect incoming http traffic to a proxy in Network Security

How to make PIX to redirect incoming http traffic to a proxy server?

lehpoh — Fri, 21 Feb 2020 06:57:21 GMT

How to configure PIX such that it redirect incoming http traffic to a internal proxy server?

Thanks.

Re: How to make PIX to redirect incoming http traffic to a proxy

jmia — Wed, 27 Aug 2003 16:56:53 GMT

Hi -

Q. Are you filtering ALL internet browsing via the proxy server, Is the proxy server a MS ISA?

Can you please post your PIX config here or if you like to me at noc1@vodafone.net (Please change passwords + inside IP's)

Also, which PIX IOS are you running.

Thanks - Jay

Re: How to make PIX to redirect incoming http traffic to a proxy

bdube — Wed, 27 Aug 2003 19:19:39 GMT

Since you are asking the question, i suppose your proxy isn't MS-ISA which the redirection is done on each station.

What you call, incoming HTTP traffic is, in term of PIX, outgoing HTTP connection. PIX supports Websense & Bess's N2H2 filter products, in those case redirection is done with url-server + filter url commands.

The question, is those commands are compatible with other proxy boxes ? I don't know. Hope someone else will respond to this one.

Otherwise, you will be obliged to redirect traffic with a layer 7 switch.

Regards,

Ben

Re: How to make PIX to redirect incoming http traffic to a proxy

ovt — Thu, 28 Aug 2003 14:50:33 GMT

This is not possible.

Also, "filter url" doesn't do HTTP redirection, it sends an URL to the URL-filtering server (Websense/N2H2). The original HTTP request is sent to the Internet in parallel to this filtering request.

Oleg Tipisov,

REDCENTER,

Moscow

Re: How to make PIX to redirect incoming http traffic to a proxy

plemieux72 — Fri, 29 Aug 2003 08:49:43 GMT

In this month's Windows & .NET magazine, there was an MS publication called something like "Security Advertising/Special Report". Unfortunately, I did not keep it. However, there was a few design examples where you would only have one host in the DMZ which would be a MS ISA 2000 proxy server. It did not specify that the firewalls were Cisco (or any other).

If I remember correctly, ALL traffic was directed to the proxy server for layer 7 filtering. In turn, the packets were sent to the appropriate HTTP server which resided in the inside subnet. This way, it was easy for the internal HTTP servers to access other internal RDBMS servers since all were together. I think an IPSec tunnel was also an option to secure traffic from the DMZ proxy server to any server inside.

The benefits of this were that you only have one bastion host to configure and the solution took care of filtering all the way up to the application layer.

This may be what the initial question was???

Regardless, did any of you keep this special report? What do you think about this design?