I would almost guarantee that you need to pay CP more to do it. I'm sure you can - but they charge like wounded bulls for extra functionality :)

Greg

----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Friday, August 25, 2006 9:08 AM
Subject: [isapros] OT: Checkpoint HTTPS Termination

> Pardon the OT, but I've got a customer using Checkpoint who has retained me
> to audit/oversee the deployment of a new application in the DMZ.
>
> Based on what I do all the time with ISA, the client and I both assumed that
> the Checkpoint box could do HTTPS termination in order to perform
> protocol-level HTTP filtering. We also assumed that the Checkpoint box
> could then forward HTTP to the DMZ for IDS/NetMon logging.
>
> It seems, however, that the Checkpoint firewall admin cannot confirm
> Checkpoint's capability to perform this function. Given all the hubbub
> about Checkpoint, it seems that it's odd that ISA can perform a function so
> well that Checkpoint does not even support.
>
> Can anyone out there confirm this? This could be a great opportunity for me
> to officially introduce ISA into the company (which I would love) but I want
> to make sure I'm doing the best job for the client before I just spend the
> money (or request that they spend the money) if this is something that
> Checkpoint can do.
>
> The goal is to terminate HTTPS at the Checkpoint box, perform app level
> filtering (like ISA's HTTP filter), then forward the HTTP traffic to a
> single segmented DMZ network so that the IDS/NetMon boxes can log the
> traffic via the switch/Nokia monitor ports.
>
> Thanks. Oh, any specific references would be great so that I can share them
> with the client.
>
> t