From: Ellen K. 

OK, I'm starting to get it.  So a "proxy server" can be all software?

Well, the reason the two cases seemed similar to me is that they both
require the firewall to know more than IP addresses.   But it does seem
like having to know who is trying to access you is harder than knowing whom
to access.

No idea whether pix provides a proxy and maybe the guy in charge of it
doesn't know either, he was the one who said the internal IP addresses
would have to be fixed.   I do know that it lets you configure rules on
a port-by-port basis which can be IP-address-based and/or time-based, I
found that out when I was researching our FTP practices.

On Sun, 27 Mar 2005 17:40:30 -0800, "Rich"  wrote in message
:

>   The proxy server is what enforces the rules on what can or can not be
accessed.  How you do this depends on the proxy server used.  Whatever
component knows about internal IP addresses would know about users instead.
>
>   Using static IP for the proxy is more like the reverse of the pcaw issue.
For pcaw you want to be able to access this machine from your client
system. For the proxy, it doesn't want to access the internal machines. 
They access it.  It would use this information to apply its machine access
rules.
>
>   I don't know pix other than that it is a firewall.  Does it provide a proxy
too?
>
>Rich
>
>  "Ellen K." 
wrote in message
news:cdme41h26mnfona6m5sttd6huae03q9mvr{at}4ax.com...
>  Where does the authentication happen then?   Does the firewall have to
>  know who all the users are?    Do you feel up to explaining in simple
>  terms what a proxy server is?
>
>  Re the pcAW, it sounds similar to what you are saying about the other
>  question, i.e. if the firewall knows the machines by name, it doesn't
>  have to know their internal IP address.   Is that correct?   This
>  similarilty leads me to question whether maybe our firewall -- or the
>  person in charge of it -- only knows how to deal with IP addresses.  It
>  is a Pix firewall.
>
>  On Sun, 27 Mar 2005 17:01:53 -0800, "Rich"  wrote in message
>  :
>
>  >   I agree with the proxy though not the fixed address.  Use proxy
authentication so that the rules apply to users and not the computers.
>  >
>  >   You shouldn't need a fixed internal IP for pcAW unless this is a pcAW
restriction.  As long as you have dynamic DNS or similar internal name
resolution you should be able to use a dynamic address.  Just refer to the
machine by name instead of IP.
>  >
>  >Rich
>  >
>  >  "Ellen K."
 wrote in message
news:frie411ubovd2ghdv5f67hdqd2rdcd22vq{at}4ax.com...
>  >  Not my area of responsibility but I always like to help if I can:
>  >  We want to restrict the rank-and-file users to a few allowed sites like
>  >  FedEx and UPS.  In our morning briefing the other day it was stated that
>  >  everyone would have to have fixed IP addresses to do this (that part I
>  >  understand, since the restrictions are not to apply to everyone) and we
>  >  would have to have a proxy server.
>  >
>  >  I actually don't know what a proxy server even is, but the IT director
>  >  said it's complicated.   So first of all, is it true that we would need
>  >  a proxy server?   And secondly, if so, is it complicated?
>  >
>  >  Alternatively, is there any other way to do it?  We want to leave people
>  >  like directors and IT with full internet access.   Most boxes have no
>  >  external IP address and a dynamic internal one.  The only ones with
>  >  fixed internal ones are people who pcAW in to their desktop, which for
>  >  all I know might only be me because when they set up an additional
>  >  desktop for me recently they left the internal address dynamic and I
>  >  couldn't get to it.

--- BBBS/NT v4.01 Flag-5