
Re: what http/https/ftp/smts proxy/relay to use on a network firewall

On 2007-03-21 tom winter wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2007-03-20 tom winter wrote:
>> What exactly is a "layer 3 proxy for server publications" supposed to
>> be?
> MS terminology.. servers that have to remain inside the lan are
> 'published'. E.g. the intranet web server has to have AD and database
> connections, so it can't be moved to a dmz easily.

Ah, I see, you mean connections from hosts in the DMZ into the LAN?
You'll need to manually allow the ports required for the services you
want to be 'published'. Personally I'd prefer to avoid something like
that, though, and rather replicate the data or move the servers to a DMZ
of their own, that can be accessed from both the "public" DMZ and the

>>> http proxy should be able to:
>>> termination https connections (use http to internal servers)
>> Why would you want to break https?
> Because of the necessary address translations. The connection to that 
> web server is secure (separate switch, switch and cables not reachable 
> for anyone but IT).
> eg. internal link file://server/share -> external ftp://server/dir
> I know, this could be done by script, but i have little influence on our 
> web programmer.
>>> handle (s)ftp (maybe a separate component)
>> Why would you want to break ssh?
> the original ftp server no capabilities ssl at all. i hope to add that 
> on the gateway.

Yeah, misunderstanding on my part. AFAICS reverse proxying of both HTTP
and FTP connections should be doable with Apache's mod_proxy [1].
Haven't done this myself before, though, so take it with a grain of

[1] http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
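As an added illustration of the mod_proxy setup discussed in this thread (example configuration, not from the list post or the Apache documentation), the following httpd fragment terminates HTTPS on the gateway and reverse-proxies to an internal web server over plain HTTP; the hostnames, paths and certificate locations are assumed.

```apache
# Added example: HTTPS termination on the gateway, plain HTTP to the LAN.
# Module paths, hostnames and certificate files are assumptions.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key

    # Reverse proxy only. With ProxyRequests On the gateway would also act
    # as an open forward proxy that relays arbitrary requests for anyone.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Map the public path onto the internal server (assumed name).
    ProxyPass        /intranet/ http://intranet.lan.example/
    # Rewrite Location/Content-Location/URI headers in responses so that
    # redirects issued by the internal server point back at the gateway.
    ProxyPassReverse /intranet/ http://intranet.lan.example/
</VirtualHost>
```

ProxyPassReverse only rewrites response headers; internal links embedded in page bodies (the file:// to ftp:// translation mentioned above) are not touched by mod_proxy and still need fixing in the application or by a separate filter.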
