[isapros] Re: OT: Checkpoint HTTPS Termination

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 25 Aug 2006 13:26:13 +1000

That's one expensive network card :)

Greg

----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Friday, August 25, 2006 1:02 PM
Subject: [isapros] Re: OT: Checkpoint HTTPS Termination



But yet, there is some "magic" presented... Some "yes, but this is
'Checkpoint'" and people foot the bill. I mean, I know checkpoint is a good
product, but the last engagement I was at for a power company required the
client to get an additional network card for some Nokia/checkpoint box and
it cost them $25,000. Yes, Twenty-Five-Thousand dollars to add another
network segment to the box. There was obviously some other mojo involved
with some license to do something, but I've got to say-- sometimes I think
some of these guys are going straight to hell for the earthly raping of
their fellow man - or am I missing something? That goes beyond rape,
actually... That's getting it right in the neck. Where is the
justification?


t




On 8/24/06 5:30 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

Not impossible at all. I've been heads down in the lic'ing fees
Netscreen, Blue Coat and Cisco charge, and all I can say is "one is born
every minute" to go with one of those solutions if the ISA firewall
provides the customer's required functionality, and at a fraction of the
price.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Thursday, August 24, 2006 7:24 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Checkpoint HTTPS Termination

jeepers! and i thought saving one of my clients 7.5k for 700 users with a
customised ASP solution instead of GFI archiving was impressive, but 50k
that's unpossible.

Greg

----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Friday, August 25, 2006 10:17 AM
Subject: [isapros] Re: OT: Checkpoint HTTPS Termination


Hey, it's only $50,000 for 500 users. How can you call that "gouging?" :\

ISA, here we come.

t


On 8/24/06 4:45 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

Tim,

Reviewing my compete doc, you can have SSL termination and initiation if
you introduce Connectra. CP is famous for gouging the poor sap customer
in additional lic'ing fees for every basic application layer inspection.
In order to get some Web proxy capabilities, you need to license their
"Web Intelligence" product.

If you find out more info on this, I'm all ears.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, August 24, 2006 6:09 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] OT: Checkpoint HTTPS Termination


Pardon the OT, but I've got a customer using Checkpoint who has retained me to audit/oversee the deployment of a new application in the DMZ.

Based on what I do all the time with ISA, the client and I both assumed that
the Checkpoint box could do HTTPS termination in order to perform
protocol-level HTTP filtering.  We also assumed that the Checkpoint box
could then forward HTTP to the DMZ for IDS/NetMon logging.

It seems, however, that the Checkpoint firewall admin cannot confirm
Checkpoint's capability to perform this function.  Given all the hubbub
about Checkpoint, it seems that it's odd that ISA can perform a function so
well that Checkpoint does not even support.

Can anyone out there confirm this?  This could be a great opportunity for me
to officially introduce ISA into the company (which I would love) but I want
to make sure I'm doing the best job for the client before I just spend the
money (or request that they spend the money) if this is something that
Checkpoint can do.

The goal is to terminate HTTPS at the Checkpoint box, perform app level
filtering (like ISA's HTTP filter), then forward the HTTP traffic to a
single segmented DMZ network so that the IDS/NetMon boxes can log the
traffic via the switch/Nokia monitor ports.

Thanks.  Oh, any specific references would be great so that I can share them
with the client.

t