Reg. PIX firewall/Proxy Server

Tags:
Availability
Bandwidth
Networking
Performance management
Platform Issues
Hi all, recently we have delegates from China here for business purposes and they want to access their Lotus Notes mail from our office. But they are not able to connect to their servers in the US, as they are on the LAN and we have a PIX as well as a Squid proxy in our office setup. But if they connect through dialup it works fine. So can anyone suggest any idea for them to connect to their servers without compromising our security? Do we need to open any port in the PIX, or is there no way? Thanks. Please be fast. Dinesh
ASKED: February 7, 2006  9:11 AM
UPDATED: February 14, 2006  8:04 AM


Discuss This Question: 5 Replies

  • Astronomer
    I'm a little confused by your description but I'll try. They have servers in the US they need to access. They can dial up to them (is this a direct connection to the network their servers are on?), but they can't reach them from your internal net. Is the problem caused by their firewall? If they are making a direct connection to a modem server then you need a different approach unless you can provide them with analog lines for dialup. I would hesitate to give them this kind of access if they are also on your internal network. Do they have a VPN server like your PIX? The next two options depend on this. How much do you trust them? If you trust them you could set up a VPN between your PIX and their VPN server and route their traffic through it. I would lean more to setting up a separate subnet for them (give this net free access to the internet but firewall it from the rest of your internal net), and let them VPN to their own network. Can they reach Notes using some kind of web server? If so, this would allow transparent access through your Squid and PIX as well as their firewall. Hope this helps. rt
  • Hedgehog
    Hi Dinesh, I would imagine those delegates use some kind of VPN client to log into their networks in the US. More than likely it'll be an IPsec client, so you'll need to open TCP and/or UDP/500 (ISAKMP) and perhaps TCP & UDP/4500 (IPsec NAT-Traversal) outbound in your firewall. I would restrict access to/from only certain IP addresses. Even better, as Astronomer says, set up a separate subnet for those clients or force them to use a web-based portal into their network. Good luck & let us know if this works for you. Hedgehog.
  • Larrythethird
    I would agree that the problem is the port is blocked through your firewall or router. We eliminated the problem by setting up a wireless network that only visitors to our building use. On the same wireless system, we created other SSIDs for our employees. Most of the better enterprise wireless systems have captive portals for visitor authentication. We had left it wide open, but employees were bringing in palmtops and laptops and using the network for personal use against company policies. As more and more work gets outsourced and contracted out, we are having to use the second option of allowing non-employees on the corporate network, the number one security violation possible. To keep up our security we have created private VLANs and forced their MAC addresses into the VLAN and nowhere else. The routers are essentially off of our corporate network. They have limited access: certain servers and web access. It is a lot of work and takes time to maintain.
  • Croque
    Depending on your firewall setup rules, they might not be able to connect to the Notes server because of filtering. One option is to check the security rules in the PIX and make sure you allow port TCP 1352 outbound. Notes clients connect to the server using this port. Hope this helps... Croque
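A configuration sketch, added here and not taken from any reply in the thread, that combines Astronomer's separate-subnet idea with the ports Hedgehog (IKE UDP/500, NAT-T UDP/4500) and Croque (Notes TCP/1352) name. It is written in PIX 6.x syntax; the guest interface, guest and internal address ranges, and the two US addresses are assumed placeholders, not values from the question.

```cisco
! Added example (not from the thread). Assumed values:
!   guest net 192.168.50.0/24 on ethernet2, internal LAN 10.0.0.0/8,
!   visitors' US VPN gateway 203.0.113.10, their Notes server 203.0.113.20
nameif ethernet2 guest security50
ip address guest 192.168.50.1 255.255.255.0

! PAT the guest hosts behind the outside address (they bypass Squid entirely)
global (outside) 1 interface
nat (guest) 1 192.168.50.0 255.255.255.0

! Guest hosts may not reach the internal LAN at all; this must come before any "any" permit
access-list guest_in deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0

! IPsec client traffic, restricted to their VPN gateway: IKE (UDP/500) and NAT-T (UDP/4500).
! Plain ESP (IP protocol 50) does not survive PAT, so NAT-T on UDP/4500 is what makes
! a client behind this PIX work at all.
access-list guest_in permit udp 192.168.50.0 255.255.255.0 host 203.0.113.10 eq isakmp
access-list guest_in permit udp 192.168.50.0 255.255.255.0 host 203.0.113.10 eq 4500

! Native Notes client (NRPC) to their Notes server only, if they use Notes without a VPN
access-list guest_in permit tcp 192.168.50.0 255.255.255.0 host 203.0.113.20 eq 1352

! General web access and DNS; a web-based Notes portal would ride on these as well
access-list guest_in permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list guest_in permit tcp 192.168.50.0 255.255.255.0 any eq https
access-list guest_in permit udp 192.168.50.0 255.255.255.0 any eq domain

! Anything else from the guest interface hits the implicit deny at the end of the list
access-group guest_in in interface guest
```

Because the deny to 10.0.0.0/8 sits first, the later `any` permits cannot be used to reach internal web or DNS servers, and `show access-list guest_in` will show hit counts per line so blocked attempts from the guest net are visible.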
  • Dineshshinde
    Thank you all. Mostly we are trying to get direct internet (not from the proxy) for them. But if that seems too expensive then we may think of other temporary options.
