Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

How to make PIX to redirect incoming http traffic to a proxy server?

How to configure PIX such that it redirect incoming http traffic to a internal proxy server?

Thanks.

4 REPLIES
Gold

Re: How to make PIX to redirect incoming http traffic to a proxy

Hi -

Q. Are you filtering ALL internet browsing via the proxy server, Is the proxy server a MS ISA?

Can you please post your PIX config here or if you like to me at noc1@vodafone.net (Please change passwords + inside IP's)

Also, which PIX IOS are you running.

Thanks - Jay

Community Member

Re: How to make PIX to redirect incoming http traffic to a proxy

Since you are asking the question, i suppose your proxy isn't MS-ISA which the redirection is done on each station.

What you call, incoming HTTP traffic is, in term of PIX, outgoing HTTP connection. PIX supports Websense & Bess's N2H2 filter products, in those case redirection is done with url-server + filter url commands.

The question, is those commands are compatible with other proxy boxes ? I don't know. Hope someone else will respond to this one.

Otherwise, you will be obliged to redirect traffic with a layer 7 switch.

Regards,

Ben

ovt Bronze
Bronze

Re: How to make PIX to redirect incoming http traffic to a proxy

This is not possible.

Also, "filter url" doesn't do HTTP redirection, it sends an URL to the URL-filtering server (Websense/N2H2). The original HTTP request is sent to the Internet in parallel to this filtering request.

Oleg Tipisov,

REDCENTER,

Moscow

Community Member

Re: How to make PIX to redirect incoming http traffic to a proxy

In this month's Windows & .NET magazine, there was an MS publication called something like "Security Advertising/Special Report". Unfortunately, I did not keep it. However, there was a few design examples where you would only have one host in the DMZ which would be a MS ISA 2000 proxy server. It did not specify that the firewalls were Cisco (or any other).

If I remember correctly, ALL traffic was directed to the proxy server for layer 7 filtering. In turn, the packets were sent to the appropriate HTTP server which resided in the inside subnet. This way, it was easy for the internal HTTP servers to access other internal RDBMS servers since all were together. I think an IPSec tunnel was also an option to secure traffic from the DMZ proxy server to any server inside.

The benefits of this were that you only have one bastion host to configure and the solution took care of filtering all the way up to the application layer.

This may be what the initial question was???

Regardless, did any of you keep this special report? What do you think about this design?

151
Views
0
Helpful
4
Replies
CreatePlease to create content