ISA 2006 proxy replacement


L4 Transporter

I want to use my PA as a proxy for the internet and want to remove my current ISA 2006 proxy server. I was curious what methods others are using and whether you have any detailed step-by-step instructions on how to configure this.

30 REPLIES

L4 Transporter

So isn't anyone using their Palo as a replacement for a proxy server, and if so, how did you configure it?

L4 Transporter

Palo Alto is not a proxy. To use us as a replacement for a proxy, you would create rules that allow "application = web-browsing" and "application = ssl" and apply a URL filtering profile and an antivirus profile. You can enable SSL Decryption to act as a "man in the middle" and inspect encrypted files to protect against malware.

L4 Transporter

Hi InfoTech,

Our company was also using TMG/ISA. We replaced them with the PA. To replace the proxy with the PA you have to do the following:

1) Route internet traffic to the PA (ip route static 0.0.0.0 0.0.0.0 "PA-GATEWAY-INTERFACE-IP")

2) Remove from your Web-Browser ANY proxy settings (IE: internet options -> Connections -> LAN Settings). This can be done easily with GPO.

You need only your proxy, if you want to use it as a reverse proxy. Or you can use an IIS as an ARR (Application Request Routing: The Official Microsoft IIS Site).

I am doing my proxy by GPO, not by adding the proxy information into the web browser. So did you create groups on your PA? I wanted to give some groups full access to anything and limited to others. How did you do that?

Hi,

we created some AD Groups and added them in the firewall policy (domain/Group-Name).

You need to configure the User-ID Agent (Install the agent on any server or use the agentless User-ID on your PA). Also you have to add your AD Groups in the "Group Mapping Settings". You will find some documentation here in the forum....

Okay, I already set up the agentless User-ID on the PA and am able to add groups in the group mapping settings. So is the next step to create security policies? Is it possible to make a no-proxy rule, limited-access and no-access groups? Can it be that granular? If so, how do you do it?

It's quite difficult to explain, but read the admin guide: https://live.paloaltonetworks.com/docs/DOC-6603

And I also don't know what you want to restrict. There are so many ways to restrict and allow internet traffic. With URL Filtering, allow application, data filtering and so on...
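Added example, not part of the original thread and not Palo Alto's code: a small Python model of how group-based security rules with URL filtering profiles are evaluated top-down with first match, which is why the order of the "no access", "limited" and "full" rules matters. The group names (`corp\web-none`, `corp\web-limited`, `corp\web-full`), rule names and blocked category lists are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    groups: set      # AD groups from Group Mapping; empty set means any user
    apps: set        # application names the rule matches
    action: str      # "allow" or "deny"
    blocked_categories: set = field(default_factory=set)  # URL filtering profile

# Constructed rulebase, most restrictive tier first (all names hypothetical).
RULEBASE = [
    Rule("web-none", {"corp\\web-none"}, {"web-browsing", "ssl"}, "deny"),
    Rule("web-limited", {"corp\\web-limited"}, {"web-browsing", "ssl"}, "allow",
         {"social-networking", "streaming-media", "unknown"}),
    Rule("web-full", {"corp\\web-full"}, {"web-browsing", "ssl"}, "allow",
         {"malware", "phishing"}),
]

def evaluate(user_groups, app, url_category, rulebase=RULEBASE):
    """Return (rule name, verdict) for one session using top-down first match."""
    for rule in rulebase:
        # A rule with groups only matches users mapped into one of them.
        if rule.groups and not (rule.groups & set(user_groups)):
            continue
        if app not in rule.apps:
            continue
        if rule.action == "deny":
            return rule.name, "deny"
        # The rule matched and allows, so its URL profile has the final say.
        # A profile block ends the session; it does not fall to later rules.
        if url_category in rule.blocked_categories:
            return rule.name, "block-url"
        return rule.name, "allow"
    # Nothing matched: traffic between zones is denied by default.
    return "interzone-default", "deny"

if __name__ == "__main__":
    both = {"corp\\web-limited", "corp\\web-full"}
    print(evaluate(both, "ssl", "social-networking"))  # limited rule wins
    print(evaluate(set(), "web-browsing", "news"))     # unmapped user
```

A user who sits in both the limited and the full group gets the limited result because that rule is higher in the list, and a user with no User-ID mapping matches none of the group rules.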

Thanks I will take a look

Any luck with your transition InfoTech?  I'm about to embark on the same journey and would like some insight.

I have the rules in place but haven't committed them yet, so I don't know.

L4 Transporter

Infotech,

We have a couple of ISA2006 servers and I, like you, would like to replace them. We have used Captive Portal externally to force authentication along with AD group membership before forwarding the traffic to the web server. There is a double login, but it works well other than that. Add some geographic filtering to the rule to make it more secure.

Phil

All,

I believe collectively we can come up with a sound solution and procedure for moving ISA rules over to the Palo Alto. This was one of the selling points of the PAs to us. Are you aware that there is a 'tool' available from your PA reseller that is supposed to do the import/export for you? At least that is what we were informed of, then come to find out (at the time of training) the tool didn't have ISA 2006 support yet (but had others).

Really? I did not know about the tool, and yes, the replacement of my ISA server was a selling point for us as well. The hard part is going to be the firewall settings on the ISA and the update of the policies that are currently routing my users through the proxy.
