Firewall Wizards mailing list archives

Gauntlet transparency issue


From: Greg Austin <gaustin () rkon com>
Date: Fri, 10 Mar 2000 14:21:36 -0600

Hello,

     I'm having problems with the HTTP proxy not operating transparently
with Gauntlet 5.5 for NT.  I'm converting a big software company's existing
BSDI Gauntlet 4.2 installation to a fault-tolerant GVPN 5.5 installation
(no load balancing, just a backup fw waiting in the wings).  The BSDI
installation works fine for them now (although there are some pretty
questionable packet screening rules that need to be killed or tightened);
they're changing to NT for internal reasons (fear of UNIX, urge to
standardize, etc.).  The company has remote offices all over the world, and
a mixture of routable and non-routable addresses (they have 20 or 30 whole
class C's to themselves).  Also, they're not doing any NAT as yet.  Anyway,
here's the problem:

        HTTP traffic coming from any network other than the network the fw's
inside interface lives in doesn't get proxied out, regardless of whether
the client generating it has a real IP or a 10.10.  If I configure the
remote client's browser to "use proxy" and fill in the fw's inside
interface's address as the proxy address, then HTTP works fine.  If I rely
on transparency, the traffic is dropped without even a mention in
Gauntlet's log file.  Again, this problem only occurs for traffic routed in
from other internal networks.

        Much like the BSDI box, the NT box only knows the external networks
through a whole bunch of static routes.  I had to add one static route
(pointing to the router local to the inside interface) for each of the
remote networks.  In their existing configuration they're not using the use
proxy setting on client browsers, they're just letting the fw transparently
proxy this stuff.  Needless to say, they'd be pretty unimpressed if they
had to touch many hundreds of workstations (in fifteen+ countries) because
of a firewall upgrade.

        To make sure there wasn't some background configuration issue, I set up an
extremely simple home test network last night.  I built a plain vanilla
Gauntlet installation whose inside interface I connected to a Cisco 3K I
own.  On another interface on the router I connected a test workstation.  I
configured all the IPs to match my problem situation, so that my test
machine was mimicking a machine coming in across a frame link from Denmark.
I configured the router as simply as possible (default route to the inside
interface of the firewall) and the fw similarly (default gateway outside
interface, static route to my bogus Denmark network naming the local router
as the route).  Again, HTTP won't work transparently, but works correctly
if I set the client's browser to proxy off the fw.

        I'm not a moron; I've covered all the obvious ground here.  I do full time
security/VPN/firewall consulting work for a consulting company in Chicago.
I have a pretty strong background in routing (particularly on Cisco
equipment), and I've been working with many of the popular fw packages for
a while.  I've done PIX, FW-1, and Gauntlet on several platforms.  Anybody
got any ideas?  If the NT version of this product can't do this right I
can't imagine my company (NAI partner, Checkpoint partner as well) will be
installing it anymore.

        Thanks in advance for any light anyone may be able to shed,

Gregory Austin

Senior Systems Engineer
RKON Technologies
gaustin @rkon.com 

P.S.  I'm hopping a plane for the islands tomorrow (3/11) and will be gone
for a week, so if anyone replies to this or e-mails me about this (please
do!) you probably won't hear back from me for a week or so.  Thanks again.
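An added diagnostic that is not part of the original post: run from a client on one of the remote subnets, it issues the same GET once relying on transparent interception (origin-form request straight to the web server) and once as an explicit-proxy request (absolute-URI request to the firewall's inside interface), then classifies the outcome. The proxy address and port are placeholders, since the post does not give them; a silent drop, as described above, shows up as a timeout on the transparent path only.

```python
"""Compare transparent vs explicit-proxy HTTP reachability from one client."""
import socket
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Placeholder: firewall inside-interface address and HTTP proxy port.
PROXY: Tuple[str, int] = ("192.0.2.1", 8080)


def build_request(url: str, explicit_proxy: bool) -> bytes:
    """Transparent mode sends origin-form (GET /path) to the origin server;
    explicit-proxy mode sends absolute-URI form (GET http://host/path)."""
    u = urlsplit(url)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    target = url if explicit_proxy else path
    return (f"GET {target} HTTP/1.0\r\nHost: {u.hostname}\r\n"
            f"Connection: close\r\n\r\n").encode()


def probe(url: str, proxy: Optional[Tuple[str, int]], timeout: float = 5.0) -> str:
    """Return 'ok', 'timeout', 'refused' or 'error:<detail>' for one path."""
    u = urlsplit(url)
    dest = proxy if proxy else (u.hostname, u.port or 80)
    try:
        with socket.create_connection(dest, timeout=timeout) as s:
            s.sendall(build_request(url, explicit_proxy=proxy is not None))
            first = s.recv(64)
        return "ok" if first.startswith(b"HTTP/") else "error:bad-response"
    except socket.timeout:
        return "timeout"          # packets silently dropped, no reply at all
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return f"error:{e.strerror or e}"


def diagnose(transparent: str, explicit: str) -> str:
    """Map the two probe results to the likely cause."""
    if transparent == "ok" and explicit == "ok":
        return "both paths work"
    if transparent != "ok" and explicit == "ok":
        return ("explicit proxy works but transparent path fails: "
                "traffic from this subnet is not being intercepted")
    if transparent == "ok":
        return "transparent works; explicit proxy port unreachable"
    return "neither path works: check routing to the firewall first"


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/"
    t, e = probe(url, None), probe(url, PROXY)
    print(f"transparent={t} explicit={e}\n{diagnose(t, e)}")
```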
