Re: [squid-users] Squid / Firewall-1 question

From: Marc Elsen <marc.elsen@dont-contact.us>
Date: Tue, 30 Jul 2002 14:34:55 +0200

Marius Etsebeth wrote:
>
> Hi people,
>
> I have configured a single Squid box to authenticate roughly 6500 users
> inside a Gauntlet firewall and it works like a charm.
>
> We are however migrating to a new Checkpoint FW-1. The consultant of the
> co. installing the Checkpoint told me that I cannot use the cache peer
> setting below, as it causes problems with the Checkpoint FW. (Strange,
> as Gauntlet is quite happy with it.)
>
> (Note: IP address changed to protect the innocent :)
>
> cache_peer 10.0.8.2 parent 80 0 no-query default
>
> Is this true? Will I be able to use a single cache inside the Checkpoint
> firewall or would I need a second (parent) server outside the firewall?
>
> And why can't I use this rule?
>
> Any / all help is appreciated (once again).
>
> Marius Etsebeth

 It all depends on:

   - the security policy installed on the Checkpoint
   - the intended network design for http web access.

 Basically any scheme can or should work. There are
 certainly no fundamental limitations at the checkpoint side
 for this.

 Of course at any one time, in the web-access-path, some parent
 will need internet access (port 80 (e.g.)).

 If the squid closest to the clients is strongly dependent
 on the parent, meaning that it has no internet access by itself,
 then:

   never_direct allow all

 may be needed in its squid.conf.

 In our case squid is configured on a linux box on the dmz, and is
 allowed by the checkpoint to access the internet for the web and related
 port(s), I am not using 'parent schemes'.

 M.

-- 
 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)
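As an added illustration (not part of the original thread), a squid.conf fragment for the inner Squid in the set-up Marc describes: the cache_peer line from the question combined with never_direct, while internal destinations stay direct. The 10.0.0.0/8 range and the .corp.example domain are assumptions; 10.0.8.2 is the (already anonymised) parent from the question.

```conf
# Inner Squid, LAN side, with no route to the Internet of its own.
# Only the parent on the firewall/DMZ side needs an outbound port 80
# rule on the Checkpoint; this box needs none.

# Internal destinations (assumed values; adapt to your network)
acl localnet dst 10.0.0.0/8
acl intranet dstdomain .corp.example

# Parent from the question: plain HTTP forwarding, no ICP queries,
# used as the default route for everything Squid cannot fetch itself
cache_peer 10.0.8.2 parent 80 0 no-query default

# Internal web servers are reached directly, never via the parent
always_direct allow localnet
always_direct allow intranet

# Everything else is forced through the parent. Without this Squid
# would try to go direct for external sites and fail, since the
# firewall gives this host no Internet access.
never_direct allow all
```

Order matters: always_direct is evaluated before never_direct, so the internal exceptions must be listed first.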
Received on Tue Jul 30 2002 - 06:36:47 MDT