What does proxy client do?

Status
Not open for further replies.

bobbys9

MIS
Apr 24, 2002
123
US
I am running Proxy 2.0 for caching (one interface). Using PIX 515 for NAT. Have a static that maps the proxy address to the external address for internet. Some clients have programs that require ports other than 80, and indicate that their upload communication will pass through our proxy server. I tried setting up conduits on the PIX, but could not get this to work. When I installed MS proxy client on these 98 workstations, however, they worked. Why?? Does this compromise security? Any insight would be appreciated. Thanks.
 
Do a trace route (tracert) from the command prompt to any external IP using a machine that does not have the proxy client installed.
My guess is your default gateway for unknown traffic on your network is your proxy server. This means that they have to have the proxy client installed when they are not a web proxy client. Basically, using your proxy as default gateway for unknown traffic is making your network a nightmare to handle when it comes to using both proxy or ISA to auth and cache.

To remedy this make the default gateway on your network your choke router (or pix if you don't have a choke router in front of your PIX).

Example for any non web browser connection:
192.168.0.1 - core router
192.168.0.2 - PIX
192.168.0.3 - Proxy

on core - route 0.0.0.0 192.168.0.2
on PIX - acl inside to permit connection
on Proxy - no worries because it doesn't see the traffic
on Client - NO proxy client

If you're using your proxy server as your workstation default gateway, you will want to add static routes to them to route them to their destination through the PIX.

The proxy client allows users to use apps outside of the browser to connect to their destinations.

Everything is a flow. If you use the proxy client you need to set ACLs for it on the proxy server and also ACLs on the PIX to mirror the proxy ACLs. If you have a proxy client using telnet to connect to an outside address, your process goes like this:

Proxy client enabled on workstation
Rule on proxy server to allow 23
Rule on PIX to allow outbound on 23 from proxy server to destination.


So there are your 2 scenarios. What you need to figure out is the flow of your traffic.

I prefer using ISA in cache mode and sending unknown traffic to my choke. PIX ACLs are so much easier to work with.

Hope I didn't confuse!
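
The reply above says the PIX ACLs have to mirror the proxy server's rules when the proxy client is in use. As an added example (not part of the original thread), this Python check compares the two and also lists permits that let traffic leave without passing the proxy. The ACL name `inside_out`, the sample rules and the set of proxy-allowed ports are constructed, and only simple `permit tcp ... any eq <port>` lines are parsed.

```python
import re

# Service names a PIX may show instead of port numbers (small subset).
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}

# Matches: access-list <id> permit tcp <host A.B.C.D | any> any eq <port>
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+tcp\s+(?:host\s+(\S+)|any)\s+any\s+eq\s+(\S+)$")

def parse_permits(pix_config):
    """Yield (source, port) for each outbound TCP permit; source is an IP or 'any'."""
    for line in pix_config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # deny lines and anything more complex are ignored
        tok = m.group(2)
        port = PORT_NAMES.get(tok) or (int(tok) if tok.isdigit() else None)
        if port is not None:
            yield (m.group(1) or "any", port)

def audit(proxy_addr, proxy_ports, pix_config):
    """Compare ports the proxy allows with what the PIX lets out."""
    permits = list(parse_permits(pix_config))
    via_proxy = {port for src, port in permits if src == proxy_addr}
    return {
        # Allowed on the proxy but blocked at the PIX: proxy clients will fail.
        "missing_on_pix": sorted(set(proxy_ports) - via_proxy),
        # Open on the PIX for the proxy but not allowed on the proxy: stale rule.
        "extra_on_pix": sorted(via_proxy - set(proxy_ports)),
        # Permits for other sources: this traffic never sees the proxy's rules.
        "direct": sorted((s, p) for s, p in permits if s != proxy_addr),
    }

# Constructed sample input; 192.168.0.3 is the proxy address from the example above.
SAMPLE_PIX = """\
access-list inside_out permit tcp host 192.168.0.3 any eq www
access-list inside_out permit tcp host 192.168.0.3 any eq telnet
access-list inside_out permit tcp host 192.168.0.3 any eq 6667
access-list inside_out permit tcp any any eq 5190
access-list inside_out deny ip any any
"""
SAMPLE_PROXY_PORTS = {80, 23, 21}  # assumed proxy-side allow list

if __name__ == "__main__":
    for key, value in audit("192.168.0.3", SAMPLE_PROXY_PORTS, SAMPLE_PIX).items():
        print(key, value)
```
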
 