Use FW-1 as HTTPS -> HTTP reverse proxy?

[RayPesek]

I need a reverse proxy to take HTTPS traffic from the Internet and send it as HTTP to an internal web server. While I can install an Apache reverse proxy box in a DMZ, it seems like waste of hardware if I can do it on the firewall. I've found articles on using SSL for UserAuth (How to configure User Authentication with SSL - sk13374) and I've found articles on using FW-1 as an HTTP -> HTTP reverse proxy (Can FireWall-1 Act as a Reverse HTTP Proxy? - sk15012), but they're old articles and not exactly what I need to do.

I can't have any authentication from the firewall getting in the way. The reason we want HTTPS -> HTTP is so Web Intelligence can inspect the traffic. The destination is a "hardened secure email appliance" with its own authentication system. It doesn't warrant a $30,000 web application firewall of its own. There would be less than 1,000 legitimate users a day. It's the illegitimate ones I'm worried about. :-)

This will be on R65 HFA02 on SecurePlatform and the hardware has lots of spare horsepower. We would use an IP address that is different from the firewall external interface.

Thanks for any suggestions you can lend,

Ray

[Thorpuse]

I don't think FW-1 will be able to manage this. Honestly, you'd be better off building a DMZ VLAN with the Apache Server as the reverse proxy, terminate the HTTPS on the Apache and route the http stream back through the FW.

Even if you could make this work, I don't think I'd trust using Check Point in that way. All that reverse proxy stuff was coded back in the 4.0 days, and I doubt the code has been touched in any significant way since then. It wasn't great then either....

[RayPesek]

Thanks for the note. I was thinking that as well. It's good to have someone else it was a bad idea. :-)

Take care,

Ray