Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Novell Border Manager / Pix installation

We have a Pix 525 failover on our Internet gateway, and "management" wants to configure our existing Border Manager 3.7 servers to provide proxy, caching and content filtering with authentication behind the PIX.

The questions are

1. Where to install the BM servers, inside or DMZ.

2. Which device will provide NAT service.

3. What do I turn off on the PIX, NAT? Proxy?

New Member

Re: Novell Border Manager / Pix installation

Hi, we did something similar but BM was behind FW-1. I agree with your management that BM can provide proxy, caching, filtering & authentication VERY well. I would caution that the BM servers better have plenty of RAM and disk space. You should have a separate cache volume. DO NOT have your cache directory on SYS!

That aside... our BM was on the inside of the FW. Put two NIC's in the BM server, one for "private" and one for "public." The BM's "public" interface will be downstream from one of the PIX's "inside" interfaces. Have your client's browsers point to the BM's "private" IP address for proxy.

It doesn't matter which device provides NAT, Proxy, or protocol/packet filtering. Decide which is simplest, be consistent, and don't double-up. If the BM provides the above services, which I recommend, simply have PIX pass ALL traffic coming from the BM's public IP address to the outside interface.

Here's a security tip in regard to configuring BM's packet filtering. Most of the usual protocols (HTTP, HTTPS, SMTP, etc.) are configured by default but if have a unique one, you'll need to configure it manually. Define the packet (give it a name and port address) and include the packet in an outbound rule. Here's the tip.... Most admin's don't think to define the "return" so be sure to define a corresponding inbound rule and be sure to restrict the inbound port number to 1024-65535. This should prevent any hackers from "spoofing" ports.

CreatePlease to create content