Firewall Wizards mailing list archives
Gauntlet transparency issue
From: Greg Austin <gaustin () rkon com>
Date: Fri, 10 Mar 2000 14:21:36 -0600
Hello,

I'm having problems with the HTTP proxy not operating transparently with Gauntlet 5.5 for NT. I'm converting a big software company's existing BSDI Gauntlet 4.2 installation to a fault-tolerant GVPN 5.5 installation (no load balancing, just a backup fw waiting in the wings). The BSDI installation works fine for them now (although there are some pretty questionable packet screening rules that need to be killed or tightened); they're changing to NT for internal reasons (fear of UNIX, urge to standardize, etc.). The company has remote offices all over the world, and a mixture of routable and non-routable addresses (they have 20 or 30 whole class C's to themselves). Also, they're not doing any NAT as yet.

Anyway, here's the problem: HTTP traffic coming from any network other than the network the fw's inside interface lives in doesn't get proxied out, regardless of whether the client generating it has a real IP or a 10.10. address. If I configure the remote client's browser to "use proxy" and fill in the fw's inside interface's address as the proxy address, then HTTP works fine. If I rely on transparency, the traffic is dropped without even a mention in Gauntlet's log file. Again, this problem only occurs for traffic routed in from other internal networks. Much like the BSDI box, the NT box only knows the external networks through a whole bunch of static routes. I had to add one static route (pointing to the router local to the inside interface) for each of the remote networks.

In their existing configuration they're not using the "use proxy" setting on client browsers; they're just letting the fw transparently proxy this stuff. Needless to say, they'd be pretty unimpressed if they had to touch many hundreds of workstations (in fifteen+ countries) because of a firewall upgrade.

To make sure there wasn't some background configuration issue, I set up an extremely simple home test network last night. I built a plain vanilla Gauntlet installation whose inside interface I connected to a Cisco 3K I own. On another interface on the router I connected a test workstation. I configured all the IPs to match my problem situation, so that my test machine was mimicking a machine coming in across a frame link from Denmark. I configured the router as simply as possible (default route to the inside interface of the firewall) and the fw similarly (default gateway on the outside interface, static route to my bogus Denmark network naming the local router as the route). Again, HTTP won't work transparently, but works correctly if I set the client's browser to proxy off the fw.

I'm not a moron; I've covered all the obvious ground here. I do full-time security/VPN/firewall consulting work for a consulting company in Chicago. I have a pretty strong background in routing (particularly on Cisco equipment), and I've been working with many of the popular fw packages for a while. I've done PIX, FW-1, and Gauntlet on several platforms. Anybody got any ideas? If the NT version of this product can't do this right, I can't imagine my company (NAI partner, Checkpoint partner as well) will be installing it anymore.

Thanks in advance for any light anyone may be able to shed,

Gregory Austin
Senior Systems Engineer
RKON Technologies
gaustin @rkon.com

P.S. I'm hopping a plane for the islands tomorrow (3/11) and will be gone for a week, so if anyone replies to this or e-mails me about this (please do!) you probably won't hear back from me for a week or so. Thanks again.
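The poster reports that the explicit "use proxy" browser setting works where transparent proxying does not, and that the only obstacle is configuring hundreds of remote browsers by hand. An added example, not from the original post or from the Gauntlet product: a proxy auto-config (PAC) script that sends hosts on the internal networks DIRECT and everything else to the firewall's HTTP proxy, so the proxy setting is delivered by a single URL rather than typed into each workstation. The proxy address 10.10.1.1:8080, the RFC 1918 ranges treated as internal, and the internal domain corp.example are assumptions to be replaced with the real values. Browsers supply isPlainHostName/isInNet/shExpMatch to PAC scripts; the stand-ins below exist only so the script can be exercised outside a browser (the real isInNet resolves names through DNS, the stand-in only handles IP literals).

```javascript
// Added example, not the original poster's code or Gauntlet's.
// PAC scripts run in an old, restricted JS dialect, hence var/function style.
// Assumed proxy address: the firewall's inside interface, port 8080 (assumption,
// set it to whatever port the firewall's HTTP proxy actually listens on).
var FW_PROXY = "PROXY 10.10.1.1:8080";

// ---- Stand-ins for the helpers a browser provides to PAC scripts ----

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Dotted-quad -> unsigned integer, or null if the string is not an IPv4 literal.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Real PAC isInNet resolves hostnames via DNS; this stand-in accepts IP literals only.
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Shell-style glob match: * matches any run, ? matches one character.
function shExpMatch(str, pattern) {
  var re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// ---- The PAC entry point the browser calls for every URL ----

function FindProxyForURL(url, host) {
  // Plain (unqualified) names are local intranet hosts: no proxy.
  if (isPlainHostName(host)) return "DIRECT";

  // RFC 1918 space, assumed here to be the company's internal networks: no proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";

  // Assumed internal DNS domain; replace with the real one.
  if (shExpMatch(host, "*.corp.example")) return "DIRECT";

  // Everything else goes out through the firewall's HTTP proxy. No "; DIRECT"
  // fallback: if the proxy is down, a direct attempt would just be dropped by the
  // firewall anyway, and silently bypassing the proxy is not what we want.
  return FW_PROXY;
}
```

Serve the script as a PAC file (content type application/x-ns-proxy-autoconfig) from an internal web server and point browsers at its URL; the routable-address offices then get proxied without any change to the firewall's transparency behaviour. Note that the RFC 1918 checks above say nothing about the company's own routable class C networks, which the script will send to the proxy unless they are added as further isInNet rules.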
Current thread:
- Gauntlet transparency issue Greg Austin (Mar 13)
- <Possible follow-ups>
- RE: Gauntlet transparency issue Starkey, Kyle (Mar 21)