
[LDM #JGM-828686]: LDM lack of proxy compatibility



Josh,

> All of our stations access the Internet via Sidewinder G2 firewalls from
> Secure Computing.  We put Radware load balancers in front of these.  Our
> preferred mode of operation is to rely on proxies within the G2 that
> strictly replicate the protocols of the apparent end-to-end connections.
> So, for example, an http request from within the company is actually
> terminated at the firewall.  The firewall then initiates its own TCP
> connection to the user's intended destination, thereby serving as a proxy
> for the user's machine.

If the LDM connections are being initiated from within your network,
then there should be a simple solution.  An LDM initiates a connection
when it creates a TCP connection to another LDM.  Data
subsequently flows from the other LDM to the LDM that initiated the
connection.  If data is flowing into your network, then your LDMs are
initiating the connection.  In this case, the intercepting proxy
server on the gateway need only use the transparent proxy
module (assuming it has one) to forward the TCP packets to their
destination after replacing the source IP address with its own.
It shouldn't make any difference if it replaces the source IP
address of incoming packets on a connection before forwarding them
to the LDM that initiated the connection.

Does the Sidewinder G2 have a transparent proxy capability?

If, on the other hand, the LDM connections are being initiated
from outside your network (so that data flows from within
your network to without) then it is unlikely that your system
can be configured so that your LDMs will work with the firewall.

> In order to make this work, the firewall must have
> a proxy (i.e., a protocol implementation) for the protocol in use, and the
> destination must be tolerant of getting a request from an IP address that is
> not the actual IP address of the source.  It must also be tolerant of
> getting a subsequent request from the same actual source but this time
> coming from a different IP address, because of the load balancing, i.e., a
> different firewall may be involved the next time.

> We'll take a look at the spec for ONC RPC, and I'm checking into whether
> Secure has a proxy for this in their firewalls.  Meanwhile, can you tell me
> if you think LDM would work this way?

Regards,
Steve Emmerson
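As an added illustration of the two points in this exchange (connection direction decides whether a transparent proxy suffices, and load balancing means the upstream may see any firewall's address), here is a small Python checker that is not part of the original message or of the LDM distribution.  It assumes the REQUEST/ALLOW entry syntax of an LDM ldmd.conf, and the configuration and egress names below are constructed samples.

```python
import re

# Constructed sample ldmd.conf entries (assumption: LDM's REQUEST/ALLOW syntax).
SAMPLE_CONF = """
# REQUEST <feedtype> <pattern> <upstream host>: this LDM opens the TCP connection
REQUEST IDS|DDPLUS .* upstream.example.edu
# ALLOW <feedtype> <host regex>: a remote LDM opens the TCP connection to us
ALLOW   ANY  ^downstream\\.example\\.com$
"""

# Constructed: names the load-balanced firewalls may present to an upstream LDM.
EGRESS_NAMES = ["fw-1.example.com", "fw-2.example.com"]


def classify_entries(conf):
    """Split ldmd.conf entries by who initiates the TCP connection.

    Returns (outbound, inbound): outbound hosts come from REQUEST lines
    (our LDM initiates, so a transparent proxy that rewrites the source
    address is enough); inbound patterns come from ALLOW lines (the remote
    LDM initiates, so the firewall would need a full protocol proxy).
    """
    outbound, inbound = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "REQUEST" and len(parts) >= 4:
            outbound.append(parts[3])
        elif parts[0] == "ALLOW" and len(parts) >= 3:
            inbound.append(parts[2])
    return outbound, inbound


def uncovered_egress(allow_pattern, egress_names):
    """Names the upstream's ALLOW regex would reject.

    Because a different firewall may carry the next request, the upstream's
    ALLOW pattern must match every egress name; any name returned here
    would cause intermittent refusals.
    """
    rx = re.compile(allow_pattern)
    return [name for name in egress_names if not rx.search(name)]
```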

Ticket Details
===================
Ticket ID: JGM-828686
Department: Support LDM
Priority: Normal
Status: On Hold