echo: nthelp
to: Ellen K.
from: Rich
date: 2005-03-27 17:40:30
subject: Re: restrict users' internet access

   The proxy server is what enforces the rules on what can or can not be
accessed.  How you do this depends on the proxy server used.  Whatever
component knows about internal IP addresses would know about users
instead.

   Using static IP for the proxy is more like the reverse of the pcaw
issue.  For pcaw you want to be able to access this machine from your
client system.  For the proxy, it doesn't want to access the internal
machines.  They access it.  It would use this information to apply its
machine access rules.

   I don't know pix other than that it is a firewall.  Does it provide a
proxy too?

Rich

  "Ellen K." wrote in message news:cdme41h26mnfona6m5sttd6huae03q9mvr{at}4ax.com...
  Where does the authentication happen then?   Does the firewall have to
  know who all the users are?    Do you feel up to explaining in simple
  terms what a proxy server is?

  Re the pcAW, it sounds similar to what you are saying about the other
  question, i.e. if the firewall knows the machines by name, it doesn't
  have to know their internal IP address.   Is that correct?   This
  similarity leads me to question whether maybe our firewall -- or the
  person in charge of it -- only knows how to deal with IP addresses.  It
  is a Pix firewall.

  On Sun, 27 Mar 2005 17:01:53 -0800, "Rich" wrote in message
  <424756fb$1{at}w3.nls.net>:

  >   I agree with the proxy though not the fixed address.  Use proxy
  >   authentication so that the rules apply to users and not the computers.
  >
  >   You shouldn't need a fixed internal IP for pcAW unless this is a
  >   pcAW restriction.  As long as you have dynamic DNS or similar internal
  >   name resolution you should be able to use a dynamic address.  Just refer
  >   to the machine by name instead of IP.
  >
  >Rich
  >
  >  "Ellen K." wrote in message news:frie411ubovd2ghdv5f67hdqd2rdcd22vq{at}4ax.com...
  >  Not my area of responsibility but I always like to help if I can:
  >  We want to restrict the rank-and-file users to a few allowed sites like
  >  FedEx and UPS.  In our morning briefing the other day it was stated that
  >  everyone would have to have fixed IP addresses to do this (that part I
  >  understand, since the restrictions are not to apply to everyone) and we
  >  would have to have a proxy server.
  >
  >  I actually don't know what a proxy server even is, but the IT director
  >  said it's complicated.   So first of all, is it true that we would need
  >  a proxy server?   And secondly, if so, is it complicated?
  >
  >  Alternatively, is there any other way to do it?  We want to leave people
  >  like directors and IT with full internet access.   Most boxes have no
  >  external IP address and a dynamic internal one.  The only ones with
  >  fixed internal ones are people who pcAW in to their desktop, which for
  >  all I know might only be me because when they set up an additional
  >  desktop for me recently they left the internal address dynamic and I
  >  couldn't get to it.


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267
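
The per-user rule discussed in this thread, where the proxy authenticates the user and applies the allow-list to the account rather than to a source IP address, sketched as an added example that is not part of the original messages. The account names, passwords, group names and function names are assumptions made up for illustration; the FedEx/UPS allow-list and the unrestricted directors/IT groups follow the scenario in the thread.

```python
import base64
import hmac

# Constructed sample data: accounts, passwords and groups are assumptions.
ACCOUNTS = {"clerk1": ("staff", "pw-clerk"), "dir1": ("directors", "pw-dir")}
UNRESTRICTED_GROUPS = {"directors", "it"}
STAFF_ALLOWED_DOMAINS = ("fedex.com", "ups.com")

def authenticate(proxy_auth):
    """Return the group for a valid 'Basic' Proxy-Authorization value, else None."""
    scheme, _, token = (proxy_auth or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    user, sep, password = raw.partition(":")
    group, expected = ACCOUNTS.get(user, (None, ""))
    # Constant-time compare; a real proxy would query a directory service.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return group if sep and ok else None

def host_allowed(host, domains):
    """Match the domain itself or a true subdomain, never a look-alike name."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(proxy_auth, target):
    """target is 'host' or 'host:port' from the request. Returns (status, reason)."""
    group = authenticate(proxy_auth)
    if group is None:
        return 407, "proxy authentication required"
    if group in UNRESTRICTED_GROUPS:
        return 200, "unrestricted group"
    host = target.rsplit(":", 1)[0]
    if host_allowed(host, STAFF_ALLOWED_DOMAINS):
        return 200, "allow-listed site"
    return 403, "site not on allow-list for group " + group

def basic(user, password):
    """Build the header value a browser would send (used for the sample calls)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The decision never looks at the client's IP address, so the same rule follows the user to any machine with a dynamic internal address.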

SOURCE: echomail via fidonet.ozzmosis.com
