TheFireman2
IS-IT--Management
Hi everybody! Nice to find you all here!
So here is our issue. As we have a TMG 2010 in use as a proxy server, which is no longer supported, we wanted to replace it. So we have bought a Watchguard Firebox M200 in order to do so.
Our current topology is the following. Our internal network (PCs and servers) connects to switches which all have a set gateway, which is a central switch. This central switch has a default route which points to an ASA 5515 with CX installed. The ASA routes all traffic to a Cisco 2901 router which has multiple WANs. The TMG IP is set in the Internet options of all PCs and servers as a proxy (via GPO). In the network settings of the network adapters (in the TCP/IPv4 options) we have set as gateway the IP address of the central switch.
This is a simplified description of the network, as there are other things in play, such as a DMZ on the ASA, a couple of site-to-site VPNs on the ASA and AnyConnect users connecting from outside. But let's leave these aside in order to make the scenario simpler.
What we had in mind was to go slow at first and only replace the TMG 2010 Proxy function for the internet access of our users with the Firebox M200. At the same time we want to continue using the ASA 5515 for all that we have setup on it (which is quite a few things, no point in going into these now). So we just want to get rid of the TMG 2010 at first. Maybe later we will completely replace the ASA with the Firebox, but this is just a future plan for now.
What we had in mind was that we would simply replace the IP address of the TMG with the IP address of the Firebox (the one set in the Internet options of all PCs and servers as a proxy via GPO) and that would do the trick.
It turns out that it isn't working this way, or at least we haven't managed to get this to work. When we set the IP of the proxy as the Firebox IP, at first it was blocked by the Firebox as it was identified as traffic to the Firebox. After allowing this, it is still not working, as we get no relevant entries on the traffic monitor, but on the browser we get an error message "The proxy server isn't responding".
If we set the Firebox IP as the gateway in the network adapter's TCP/IPv4 options on the PC, the internet access works just fine.
So we are now wondering. Is it possible to use the Firebox as a proxy like we used to do with the TMG (defined as a proxy in the internet options)?
If not, what are the alternatives?
Please keep in mind that, at least for the servers, we need to keep the ASA in play, so we cannot change the default gateway (in the TCP/IPv4 options of the network adapters on the servers), as they would not connect with the ASA anymore and nothing else would work.
Unless there is a way to pass all the traffic (except for the HTTP and HTTPS ports) through the Firebox and towards the ASA. The only thing that confuses us at the moment is that both of these are on the inside/trusted network and the Firebox seems to only let traffic come out from an external. Or have we got this wrong?
Many thanks in advance for any help you can give.
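An added diagnostic, not part of the original post and not Watchguard or Microsoft code, that distinguishes the two behaviours described above: an explicit proxy (what TMG was) answers an absolute-URL request sent to its own IP and port, whereas a plain gateway only forwards packets and will refuse, time out, or answer with something other than HTTP. The host, port and target URL are assumptions to be replaced with your own values.

```python
import socket
from urllib.parse import urlsplit


def build_proxy_request(target_url: str) -> bytes:
    """Build the request an explicit HTTP proxy expects.

    Unlike a request to an origin server, the request line carries the
    absolute URL; a box that is not running a proxy has no use for it.
    """
    parts = urlsplit(target_url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    request_line = f"GET {parts.scheme}://{parts.netloc}{path} HTTP/1.1\r\n"
    headers = f"Host: {parts.netloc}\r\nConnection: close\r\n\r\n"
    return (request_line + headers).encode("ascii")


def classify_proxy_response(raw: bytes) -> str:
    """Map the first bytes read back into a short verdict."""
    if not raw:
        return "no-response"   # TCP accepted, but nothing came back (browser: "not responding")
    if not raw.startswith(b"HTTP/"):
        return "not-http"      # some other service is listening on that port
    status_line = raw.split(b"\r\n", 1)[0]
    fields = status_line.split(b" ")
    code = fields[1].decode("ascii", "replace") if len(fields) > 1 else "?"
    return f"http-{code}"      # e.g. http-200 (proxied), http-407 (proxy wants auth)


def probe_explicit_proxy(host: str, port: int,
                         target_url: str = "http://example.com/",
                         timeout: float = 5.0) -> str:
    """Connect to host:port as if it were an explicit proxy and report what happened."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_proxy_request(target_url))
            raw = sock.recv(4096)
    except ConnectionRefusedError:
        return "refused"       # nothing listens on that port: not an explicit proxy
    except socket.timeout:
        return "timeout"       # filtered or silently dropped, as a gateway-only box would do
    return classify_proxy_response(raw)


if __name__ == "__main__":
    # Assumed values: the Firebox trusted-interface IP and the proxy port clients use.
    print(probe_explicit_proxy("192.0.2.1", 8080))
```

Run it from a client that has the Firebox IP configured as its proxy; "refused", "timeout" or "no-response" means the clients are talking to a gateway that is not listening as a proxy, which matches the browser error in the post.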