HTTP Traffic over proxy in DMZ

[djsven]

HI,
can someone tell me how i have to configure my checkpoin NG55
so that all http traffic transfer trough a proxy which placed in my DMZ?
It´s normal proxy like ip:8080.
Where can i configure this option?
Big thanks!
Bye

[Danielpb]

What proxy server are you using on the DMZ?

[djsven]

We are using TrendMicro IWSS Proxy.

[Danielpb]

I can point you in the right direction but I’m not 100% sure its available for that Trend Micro product.

Open the SmartDash on the left hand panel select the 4th tab in 'Servers and OPSEC applications'

You then right click the OPSEC application Section and select
'New OPSEC application'

You can configure you UFP server from this point.

Then you will need to configure a Http recourse Tab 3 'Recourses'
under the URI section.

Once this has been complete you should create new Http-8080 Tcp service and in the advanced configuration you can select 'Enable for TCP Recourse'.

The on the services selection on the rule you right click and select 'Add with recourse' and located the new Http resource you created above.

hope this helps in some way.

[djsven]

Big THanks for your post!
I will try it

[djsven]

Ok.
again.
All Lan Traffic for port 80 sorry http traffic goes to checkpoint, and checkpoint forwared to proxy server?
Is this right?

[Danielpb]

Your best to create a new http (80) services called something like Http-mapped or something like that. This can then be used on you dedicated web allowed out rule and all web traffic hitting that rule will then be forwarded to the Proxy.

[larstr]

Quote:

Originally Posted by djsven

Ok.
again.
All Lan Traffic for port 80 sorry http traffic goes to checkpoint, and checkpoint forwared to proxy server?
Is this right?

Yes, If you do as descrived above, all the port 80 traffic matching this rule will go through the proxy server. There are however a few limitations by doing it this way, and I would seriously consider doing it in a traditional way, making the clients aware of the proxy server by an autoconfig script or group policy.

Lars

[mcnallym]

I really wouldn't advise using the HTTP Security Server to do this as is a real pain. I would just use as a traditional proxy to the DMZ based box and just not allow http/https etc from the the internal networks. This forces the users to go through the proxy to get out.

Presuming you have a Microsoft Windows Network then you can use Group Policy settings to force the clients to use the Proxy Server and not allow them to change the IE settings themselves.