Although the Gauntlet Firewall provides a wide variety of proxy services, there are a number of common elements to configuring these services.
This chapter explains the concepts of proxy services and provides general information on how to configure proxy services. The chapter consists of the following sections:
The proxy services on the Gauntlet Firewall are application-level proxies. The services are called proxies because they relay (or proxy) information from one side of the firewall to the other. This prevents a program on one side of the firewall from talking directly to a system on the other side of the firewall.
They are considered application-level proxies because each proxy handles a different protocol, and thus, a different type of application. For example, the FTP proxy service understands the FTP protocol and handles requests for passing FTP traffic through the firewall. Several of the proxies understand more than one protocol, and can communicate with several different applications. For example, the multimedia proxy understands the protocols used by NetShow, RealAudio, RealVideo, and VDOLive.
The firewall also includes a generic proxy service, the plug proxy. It understands only TCP: it relays the bytes of a connection from a configured listening port to a destination without interpreting the application protocol, so it can be used with many different applications. The trade-off is that, because it does not understand the protocol it carries, it can enforce only connection-level controls, not the protocol-aware checks that the application-specific proxies perform.
The descriptions of each proxy service, found in the remaining chapters of this book, provide more information on how the proxy services work.
You can configure a variety of parameters for each proxy service. At a minimum, you can enable or disable each proxy, which controls whether the firewall offers that service at all.
Other configurable parameters vary from proxy to proxy. For some proxies you can set the number of processes the proxy may start (the child limit); for others you cannot. Refer to the online help for explanations of the parameters. If you are in doubt about changing a parameter, keep the default value shown in the Gauntlet Firewall Manager.
The main configuration window for each proxy service in the Gauntlet Firewall Manager shows the parameters that apply to all instances of that proxy.
You may need more than one configuration for a proxy service. For example, assume that company security policy requires you to limit the destinations that hosts on the sales network can visit on the World Wide Web. You could modify the default configuration of the HTTP proxy to restrict access to those destinations. That, however, affects every host on your trusted network, not just the hosts on the sales network. Instead, you want two configurations: the default configuration and one that is more restrictive than the default.
For some proxies, the firewall lets you create multiple configuration sets, each a separate configuration of the same proxy. You add the configuration sets to different service groups and write service group rules that determine which hosts use which service group.
In the example above, you would leave the default configuration (http-gw) for the HTTP proxy in the trusted service group. You would then create a separate configuration set (http-gw-restrictive) for the HTTP proxy that restricts the destinations hosts may visit, create another service group that contains this configuration set, and create a rule that forces the hosts on the sales network to use the service group containing the restrictive configuration set.
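The following Python model is added here as an illustration; it is not Gauntlet code and does not use Gauntlet's configuration format. It models the objects described above (configuration sets, service groups, and service group rules keyed on source network), evaluates HTTP requests from a sales host and from another trusted host, and reports configuration sets that were defined but never added to a service group. The network ranges, destination host names, and first-match evaluation order of the rules are assumptions for the example.

```python
"""Model of configuration sets, service groups and source rules.

Added illustration only: not Gauntlet code or its configuration format.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass
class ConfigSet:
    """One configuration set for one proxy, e.g. http-gw or http-gw-restrictive."""
    name: str
    proxy: str
    enabled: bool = True
    # None means no destination restriction (the default set in the chapter);
    # otherwise only the listed destination host names may be visited.
    allowed_destinations: Optional[List[str]] = None

    def permits(self, destination: str) -> bool:
        if not self.enabled:
            return False
        if self.allowed_destinations is None:
            return True
        return destination.lower() in {d.lower() for d in self.allowed_destinations}


@dataclass
class ServiceGroup:
    """A named collection of configuration sets, at most one per proxy."""
    name: str
    sets: Dict[str, ConfigSet] = field(default_factory=dict)

    def add(self, cs: ConfigSet) -> None:
        if cs.proxy in self.sets:
            raise ValueError(f"{self.name} already offers the {cs.proxy} proxy")
        self.sets[cs.proxy] = cs


class Firewall:
    """All configuration sets, service groups and ordered service group rules."""

    def __init__(self) -> None:
        self.config_sets: Dict[str, ConfigSet] = {}
        self.groups: Dict[str, ServiceGroup] = {}
        self.rules: List[Tuple[Network, ServiceGroup]] = []

    def define_set(self, cs: ConfigSet) -> ConfigSet:
        # Configuration set names must be unique across the whole firewall.
        if cs.name in self.config_sets:
            raise ValueError(f"configuration set {cs.name!r} already exists")
        self.config_sets[cs.name] = cs
        return cs

    def define_group(self, group: ServiceGroup) -> ServiceGroup:
        self.groups[group.name] = group
        return group

    def add_rule(self, source_cidr: str, group: ServiceGroup) -> None:
        # Rules are evaluated in order (an assumption of this model), so the
        # more specific source network must be added first.
        self.rules.append((ip_network(source_cidr), group))

    def unused_sets(self) -> List[str]:
        """Sets defined but placed in no service group; the firewall never uses them."""
        used = {cs.name for g in self.groups.values() for cs in g.sets.values()}
        return sorted(n for n in self.config_sets if n not in used)

    def evaluate(self, src: str, proxy: str, destination: str) -> Tuple[bool, str]:
        """First matching source rule picks the group; the group's set decides."""
        addr = ip_address(src)
        for net, group in self.rules:
            if addr in net:
                cs = group.sets.get(proxy)
                if cs is None:
                    return False, f"{group.name}: {proxy} proxy not offered"
                ok = cs.permits(destination)
                return ok, f"{group.name}/{cs.name}: {'allow' if ok else 'deny'}"
        return False, "no service group rule matches the source"


def build_example() -> Firewall:
    """The chapter's scenario. Network ranges and host names are assumed."""
    fw = Firewall()
    trusted = fw.define_group(ServiceGroup("trusted"))
    sales = fw.define_group(ServiceGroup("sales-restricted"))
    trusted.add(fw.define_set(ConfigSet("http-gw", "http")))
    sales.add(fw.define_set(ConfigSet("http-gw-restrictive", "http",
                                      allowed_destinations=["www.example.com"])))
    fw.define_set(ConfigSet("ftp-gw-unused", "ftp"))  # defined, never added to a group
    fw.add_rule("10.2.0.0/24", sales)    # assumed sales network; must precede the wider rule
    fw.add_rule("10.0.0.0/8", trusted)   # the rest of the assumed trusted network
    return fw


if __name__ == "__main__":
    fw = build_example()
    for host, dest in [("10.2.0.5", "www.example.com"), ("10.2.0.5", "intranet.example.net"),
                       ("10.1.0.7", "intranet.example.net"), ("192.168.1.1", "www.example.com")]:
        print(host, dest, fw.evaluate(host, "http", dest))
    print("unused configuration sets:", fw.unused_sets())
```

Note the rule order: the sales network rule is added before the broader trusted rule, so first-match evaluation sends sales hosts to the restrictive set and everyone else to the default. Reversing the order would silently give sales hosts the default set, and a set that is never added to a group (ftp-gw-unused here) is reported by unused_sets() because the firewall would never apply it.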
Configuration sets are also how you create custom proxy services: plug configuration sets for the plug proxy, and circuit configuration sets for the circuit proxy, which adds user authentication. For the plug proxy, for example, you can create one configuration set that listens on TCP port 17 for Quote-of-the-Day requests and another that listens on port 3572 for requests from internal accounting software.
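As an added example, and not Gauntlet's plug proxy code, the following Python relay behaves like a single plug configuration set: it listens on one port and copies bytes in both directions to one fixed destination without ever interpreting them, so the client never connects to the destination directly. The demo() function round-trips a constructed message through the relay to a loopback echo server that stands in for the destination host; the listening ports are ephemeral and the message is constructed for the demo. Because the relay never looks at the payload, it cannot filter application content, which is the trade-off of using a plug where no protocol-aware proxy exists.

```python
"""Minimal plug-style TCP relay with a loopback demo.

Added example, not Gauntlet's plug proxy implementation: one listening port
relayed to one fixed destination, bytes copied both ways and never interpreted.
"""
import socket
import threading
from typing import Tuple

BUFSIZE = 4096
Addr = Tuple[str, int]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src reaches EOF, then half-close dst so the
    far side sees the same EOF. The payload is never inspected."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client: socket.socket, dest: Addr) -> None:
    """Serve one accepted client: connect to the configured destination on its
    behalf and pump both directions until both sides have closed."""
    with client, socket.create_connection(dest, timeout=5) as server:
        back = threading.Thread(target=_pump, args=(server, client), daemon=True)
        back.start()
        _pump(client, server)
        back.join()


def start_plug(listen: Addr, dest: Addr) -> socket.socket:
    """Listen on `listen` and relay every accepted connection to `dest`.
    Returns the listening socket; close it to stop accepting."""
    ls = socket.create_server(listen)

    def serve() -> None:
        while True:
            try:
                client, _ = ls.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=relay, args=(client, dest), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls


def start_echo_server() -> socket.socket:
    """Loopback stand-in for the destination host (constructed for the demo):
    echoes one connection's bytes back until the sender half-closes."""
    ls = socket.create_server(("127.0.0.1", 0))

    def serve() -> None:
        try:
            conn, _ = ls.accept()
        except OSError:
            return
        with conn:
            while True:
                data = conn.recv(BUFSIZE)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return ls


def demo(message: bytes = b"hello through the plug\n") -> bytes:
    """Send `message` through the plug and return what the destination sent back."""
    echo = start_echo_server()
    plug = start_plug(("127.0.0.1", 0), echo.getsockname())
    try:
        with socket.create_connection(plug.getsockname(), timeout=5) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)  # EOF travels client -> plug -> echo server
            chunks = []
            while True:
                data = c.recv(BUFSIZE)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        plug.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

In a real deployment the listen address and destination would come from the plug configuration set (the port 17 and port 3572 examples above), and the half-close handling in _pump is what lets each side's end-of-stream propagate through the relay instead of leaving connections hanging.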
The following proxies support creating multiple configuration sets:
circuit
Gopher
FTP
HTTP
Lp
plug
rlogin
SQL Server
StreamWorks
Sybase
TELNET
Adding configuration sets involves planning, then creating the configuration sets. Both activities are discussed in this section.
When planning configuration sets:
Determine whether you need to create a new configuration set or whether you can simply modify the default configuration set.
Determine which service groups will use this configuration set.
When you create a configuration set, the firewall uses the information specified in the default configuration set as a template.
To create a configuration set:
From within the Gauntlet Firewall Manager, select Services.
Click the tab for one of the services that supports configuration sets.
In the main configuration window for the proxy service, provide information that applies to all configuration sets for that proxy.
Click Add.
The Add Services window for the selected proxy displays.
Provide information about the configuration set.
You must provide the following information.

| Field | Description |
|---|---|
| Name | Name of the configuration set. The firewall uses this value in a variety of places, including the list of available services for a service group. Use a descriptive name, preferably one that includes the name of the service. This name must be unique among all configuration sets on this firewall. |
| Description | Description for the configuration set. This description helps you track various configuration sets. |
Configure other settings for the configuration set, such as messages and restrictions. Refer to the online help for descriptions of the options available for each proxy service.
Click OK.
Be sure to add your configuration set to one of the service groups. If you do not add the configuration set to a service group, the firewall does not use that set.
Note: You cannot change the name of a configuration set. Instead, create a new configuration set that has the name and properties you want, and delete the old configuration set.
To modify a configuration set:
Select the configuration set you wish to modify.
Click Modify.
The Modify Services window for the selected proxy displays.
Change the settings for this configuration set.
Click OK.