Thanks Tom... Good info. I very much appreciate it. Given the
introduction of additional fees we may have a case for ISA. We'll see.
Thanks again.

t

On 8/24/06 4:45 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Tim,
>
> Reviewing my compete doc, you can have SSL termination and initiation if
> you introduce Connectra. CP is famous for gouging the poor sap customer
> in additional lic'ing fees for every basic application layer inspection.
> In order to get some Web proxy capabilities, you need to license their
> "Web Intelligence" product.
>
> If you find out more info on this, I'm all ears.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Thursday, August 24, 2006 6:09 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] OT: Checkpoint HTTPS Termination
>>
>> Pardon the OT, but I've got a customer using Checkpoint who has
>> retained me to audit/oversee the deployment of a new application in
>> the DMZ.
>>
>> Based on what I do all the time with ISA, the client and I both
>> assumed that the Checkpoint box could do HTTPS termination in order
>> to perform protocol-level HTTP filtering. We also assumed that the
>> Checkpoint box could then forward HTTP to the DMZ for IDS/NetMon
>> logging.
>>
>> It seems, however, that the Checkpoint firewall admin cannot confirm
>> Checkpoint's capability to perform this function. Given all the
>> hubbub about Checkpoint, it seems that it's odd that ISA can perform
>> a function so well that Checkpoint does not even support.
>>
>> Can anyone out there confirm this? This could be a great opportunity
>> for me to officially introduce ISA into the company (which I would
>> love) but I want to make sure I'm doing the best job for the client
>> before I just spend the money (or request that they spend the money)
>> if this is something that Checkpoint can do.
>>
>> The goal is to terminate HTTPS at the Checkpoint box, perform app
>> level filtering (like ISA's HTTP filter), then forward the HTTP
>> traffic to a single segmented DMZ network so that the IDS/NetMon
>> boxes can log the traffic via the switch/Nokia monitor ports.
>>
>> Thanks. Oh, any specific references would be great so that I can
>> share them with the client.
>>
>> t