But yet, there is some "magic" presented... Some "yes, but this is 'Checkpoint'" and people foot the bill. I mean, I know checkpoint is a good product, but the last engagement I was at for a power company required the client to get an additional network card for some Nokia/checkpoint box and it cost them $25,000. Yes, Twenty-Five-Thousand dollars to add another network segment to the box. There was obviously some other mojo involved with some license to do something, but I've got to say-- sometimes I think some of these guys are going straight to hell for the earthly raping of their fellow man - or am I missing something? That goes beyond rape, actually... That's getting it right in the neck. Where is the justification? t On 8/24/06 5:30 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all: > Not impossible at all. I've been heads down in the lic'ing fees > Netscreen, Blue Coat and Cisco charge, and all I can say is "one is born > every minute" to go with one of those solutions if the ISA firewall > provides the customer's required functionality, and at a fraction of the > price. > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > > > >> -----Original Message----- >> From: isapros-bounce@xxxxxxxxxxxxx >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland >> Sent: Thursday, August 24, 2006 7:24 PM >> To: isapros@xxxxxxxxxxxxx >> Subject: [isapros] Re: OT: Checkpoint HTTPS Termination >> >> jeepers! and i thought saving one of my clients 7.5k for 700 >> users with a >> customised ASP solution instead of GFI archiving was >> impressive, but 50k >> thats unpossible. >> >> Greg >> >> ----- Original Message ----- >> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> >> To: <isapros@xxxxxxxxxxxxx> >> Sent: Friday, August 25, 2006 10:17 AM >> Subject: [isapros] Re: OT: Checkpoint HTTPS Termination >> >> >>> Hey, it's only $50,000 for 500 users. How can you call >> that "gouging?" :\ >>> >>> ISA, here we come. >>> >>> t >>> >>> >>> On 8/24/06 4:45 PM, "Thomas W Shinder" >> <tshinder@xxxxxxxxxxx> spoketh to >>> all: >>> >>>> Tim, >>>> >>>> Reviewing my compete doc, you can have SSL termination and >> initiation if >>>> you introduce Connectra. CP is famous for gouging the poor >> sap customer >>>> is additional lic'ing fees for every basic application >> layer inspection. >>>> In order to get some Web proxy capabilities, you need to >> license their >>>> "Web Intelligence" product. >>>> >>>> If you find out more info on this, I'm all ears. >>>> >>>> Thomas W Shinder, M.D. >>>> Site: www.isaserver.org >>>> Blog: http://blogs.isaserver.org/shinder/ >>>> Book: http://tinyurl.com/3xqb7 >>>> MVP -- ISA Firewalls >>>> >>>> >>>> >>>>> -----Original Message----- >>>>> From: isapros-bounce@xxxxxxxxxxxxx >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor >>>>> (Hammer of God) >>>>> Sent: Thursday, August 24, 2006 6:09 PM >>>>> To: isapros@xxxxxxxxxxxxx >>>>> Subject: [isapros] OT: Checkpoint HTTPS Termination >>>>> >>>>> >>>>> Pardon the OT, but I've got a customer using Checkpoint who >>>>> has retained me >>>>> to audit/oversee the deployment of a new application in the DMZ. >>>>> >>>>> Based on what I do all the time with ISA, the client and I >>>>> both assumed that >>>>> the Checkpoint box could do HTTPS termination in order to perform >>>>> protocol-level HTTP filtering. We also assumed that the >>>>> checkpoint box >>>>> could then forward HTTP to the DMZ for IDS/NetMon logging. >>>>> >>>>> It seems, however, that the Checkpoint firewall admin >> cannot confim >>>>> Checkpoint's capability to perform this function. Given all >>>>> the hubbub >>>>> about Checkpoint, its seems that it's odd that ISA can >>>>> perform a function so >>>>> well that Checkpoint does not even support. >>>>> >>>>> Can anyone out there confirm this? This could be a great >>>>> opportunity for me >>>>> to officially introduce ISA into the company (which I would >>>>> love) but I want >>>>> to make sure I'm doing the best job for the client before I >>>>> just spend the >>>>> money (or request that they spend the money) if this is >> something that >>>>> Checkpoint can do. >>>>> >>>>> The goal is to terminate HTTPS at the Checkpoint box, perform >>>>> app level >>>>> filtering (like ISA's HTTP filter), then forward the HTTP >> traffic to a >>>>> single segmented DMZ network so that the IDS/NetMon boxes >> can log the >>>>> traffic via the switch/Nokia monitor ports. >>>>> >>>>> Thanks. Oh, any specific references would be great so that I >>>>> can share them >>>>> with the client. >>>>> >>>>> t >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> >>> >> >> >> >> > > >