topic Re: ISA 2006 proxy replacement in General Topics

ISA 2006 proxy replacement

infotech — Wed, 16 Apr 2014 18:19:11 GMT

I want to use my PA as a proxy for the internet and want to remove my current ISA 2006 proxy server. I was curious what methods others are using and if you have any detailed step by step instruction how to configure this.

Re: ISA 2006 proxy replacement

infotech — Fri, 18 Apr 2014 16:22:44 GMT

so isn't anyone using there palo as a replacement for a proxy server and if so how did you configure it?

Re: ISA 2006 proxy replacement

infotech — Tue, 22 Apr 2014 16:19:50 GMT

so isn't anyone using there palo as a replacement for a proxy server and if so how did you configure it?

Re: ISA 2006 proxy replacement

skrall — Tue, 22 Apr 2014 17:45:34 GMT

Paloalto is not a proxy. To use us as a replacement for a proxy, you would create rules that allow "application = web-browsing" and "application = ssl" and apply a URL filtering profile and an antivirus profile. You can enable SSL Decryption to act as a "man in the middle" and inspect encrypted files to protect against malware.

Re: ISA 2006 proxy replacement

Hithead — Wed, 23 Apr 2014 08:11:32 GMT

hi InfoTech,

our company was also using TMG/ISA. We replaced them with the PA. To replace the proxy with PA you have to do following:

1) Route internet traffic to the PA (ip route static 0.0.0.0 0.0.0.0 "PA-GATEWAY-INTERFACE-IP")

2) Remove from your Web-Browser ANY proxy settings (IE: internet options -> Connections -> LAN Settings). This can be done easily with GPO.

You need only your proxy, if you want to use it as a reverse proxy. Or you can use a IIS as a ARR Application Request Routing : The Official Microsoft IIS Site

Re: ISA 2006 proxy replacement

infotech — Thu, 24 Apr 2014 14:31:12 GMT

I am doing my proxy by GPO not by adding the proxy information into the web browser. So did you create groups on your PA? I wanted to give some groups full access to anything and limited to others how did you do that?

Re: ISA 2006 proxy replacement

Hithead — Thu, 24 Apr 2014 14:38:07 GMT

Hi,

we created some AD Groups and added them in the firewall policy (domain/Group-Name).

You need to configure the User-ID Agent (Install the agent on any server or use the agentless User-ID on your PA). Also you have to add your AD Groups in the "Group Mapping Settings". You will find some documentation here in the forum....

Re: ISA 2006 proxy replacement

infotech — Thu, 24 Apr 2014 15:23:55 GMT

Okay I already set up the agentless user-id on the pa and am able to add groups in the group mapping settings. So is the next step to create security policies? Is it possible to make a no proxy rule, limited access and no access groups can it be that granular? If so how do you do it?

Re: ISA 2006 proxy replacement

Hithead — Fri, 25 Apr 2014 08:12:52 GMT

it's quite difficult to explain. but read the admin guide: https://live.paloaltonetworks.com/docs/DOC-6603

And I also don't know what you want to restrict. There are so many ways to restrict and allow internet traffic. With URL Filtering, allow application, data filtering and so on...

Re: ISA 2006 proxy replacement

infotech — Fri, 25 Apr 2014 13:14:19 GMT

Thanks I will take a look

Re: ISA 2006 proxy replacement

greeng — Tue, 12 Aug 2014 18:34:51 GMT

Any luck with your transition InfoTech? I'm about to embark on the same journey and would like some insight.

Re: ISA 2006 proxy replacement

infotech — Tue, 12 Aug 2014 19:43:14 GMT

I have the rules in place but havent committed them yet so I don't know

Re: ISA 2006 proxy replacement

HITSSEC — Sun, 17 Aug 2014 00:03:13 GMT

Infotech,

We have a couple of ISA2006 servers and I like you would like to replace them. We have used Captive portal externally to force authentication along with AD group membership before forwarding the traffic to the web server. There is a double login but it works well other than that. Add some geographic filtering to the rule to make it more secure.

Phil

Re: ISA 2006 proxy replacement

greeng — Tue, 26 Aug 2014 13:39:42 GMT

All,

I believe collectively we can come up with a sound solution and procedure for moving ISA rules over to the Palo Alto. This was one of the selling points of the PA's to us. Are you aware that there is a 'tool' available by your PA reseller that is supposed to do the import/export for you? At least that is what we were informed of, then come to find out (at the time of training) the tool didn't have ISA 2006 support yet (but had others).

Re: ISA 2006 proxy replacement

infotech — Tue, 26 Aug 2014 14:18:24 GMT

Really I did not know about the tool and yes the replacement of my ISA server was a selling point for us as well. The hard part is going to be the firewall settings on the ISA and the update of the policies that are currently routing my users through the proxy.

Re: ISA 2006 proxy replacement

HITSSEC — Tue, 26 Aug 2014 19:30:27 GMT

Greeng,

Our ISA is only used to publish about 10 sites so the migration will not be so bad for us. We are only using it as an inbound proxy to Sharepoint.

Phil

Re: ISA 2006 proxy replacement

greeng — Tue, 09 Sep 2014 18:19:37 GMT

HITSSEC

Unfortunately for us, we have 30+.

A bit frustrating that no PA people have chimed in here.

Re: ISA 2006 proxy replacement

infotech — Tue, 09 Sep 2014 18:23:43 GMT

greeng may they don't have experience in ISA 2006, I am about to try to start migrating in the next two weeks and it might a bit difficult

Re: ISA 2006 proxy replacement

cpainchaud — Tue, 09 Sep 2014 21:30:14 GMT

Hi Infosec,

May be you could/should ask an integrator/partner/PAN Pro Services to help you with your migration. Given the question you posted during the past few months I fear you will need a lot of trials and energy to do this alone. Experience makes a big difference for smooth migrations.

Re: ISA 2006 proxy replacement

infotech — Wed, 10 Sep 2014 14:49:49 GMT

Yes I have been working with a PA engineer on the migration but isa 2006 is older and not a lot of people have indepth knowledge of it.