How to make PIX redirect incoming HTTP traffic to a proxy server?

Aug 27th, 2003
How to configure PIX such that it redirects incoming HTTP traffic to an internal proxy server?


bdube Wed, 08/27/2003 - 12:19
Since you are asking the question, I suppose your proxy isn't MS-ISA, for which the redirection is done on each station.

What you call incoming HTTP traffic is, in terms of PIX, an outgoing HTTP connection. PIX supports Websense and Bess's N2H2 filter products; in those cases redirection is done with the url-server + filter url commands.

The question is whether those commands are compatible with other proxy boxes. I don't know. Hope someone else will respond to this one.

Otherwise, you will be obliged to redirect traffic with a layer 7 switch.



plemieux72 Fri, 08/29/2003 - 01:49
In this month's Windows & .NET magazine, there was an MS publication called something like "Security Advertising/Special Report". Unfortunately, I did not keep it. However, there were a few design examples where you would only have one host in the DMZ, which would be an MS ISA 2000 proxy server. It did not specify that the firewalls were Cisco (or any other).

If I remember correctly, ALL traffic was directed to the proxy server for layer 7 filtering. In turn, the packets were sent to the appropriate HTTP server which resided in the inside subnet. This way, it was easy for the internal HTTP servers to access other internal RDBMS servers since all were together. I think an IPSec tunnel was also an option to secure traffic from the DMZ proxy server to any server inside.

The benefits of this were that you only have one bastion host to configure and the solution took care of filtering all the way up to the application layer.

This may be what the initial question was???

Regardless, did any of you keep this special report? What do you think about this design?

