04-16-2014 11:19 AM
I want to use my PA as a proxy for the internet and want to remove my current ISA 2006 proxy server. I was curious what methods others are using and if you have any detailed step by step instruction how to configure this.
04-22-2014 10:45 AM
Palo Alto is not a proxy. To use us as a replacement for a proxy, you would create rules that allow "application = web-browsing" and "application = ssl" and apply a URL filtering profile and an antivirus profile. You can enable SSL Decryption to act as a "man in the middle" and inspect encrypted files to protect against malware.
04-23-2014 01:11 AM
Hi InfoTech,
Our company was also using TMG/ISA. We replaced them with the PA. To replace the proxy with the PA you have to do the following:
1) Route internet traffic to the PA (ip route static 0.0.0.0 0.0.0.0 "PA-GATEWAY-INTERFACE-IP")
2) Remove ANY proxy settings from your web browser (IE: Internet Options -> Connections -> LAN Settings). This can be done easily with GPO.
You only need your proxy if you want to use it as a reverse proxy. Or you can use IIS with ARR (Application Request Routing : The Official Microsoft IIS Site).
04-24-2014 07:31 AM
I am doing my proxy by GPO, not by adding the proxy information into the web browser. So did you create groups on your PA? I wanted to give some groups full access to anything and limited access to others. How did you do that?
04-24-2014 07:38 AM
Hi,
we created some AD Groups and added them in the firewall policy (domain/Group-Name).
You need to configure the User-ID Agent (Install the agent on any server or use the agentless User-ID on your PA). Also you have to add your AD Groups in the "Group Mapping Settings". You will find some documentation here in the forum....
04-24-2014 08:23 AM
Okay, I already set up the agentless User-ID on the PA and am able to add groups in the group mapping settings. So is the next step to create security policies? Is it possible to make no-proxy-rule, limited-access and no-access groups? Can it be that granular? If so, how do you do it?
04-25-2014 01:12 AM
It's quite difficult to explain, but read the admin guide: https://live.paloaltonetworks.com/docs/DOC-6603
And I also don't know what you want to restrict. There are so many ways to restrict and allow internet traffic: URL filtering, allowing applications, data filtering and so on...
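
A sketch of the three tiers asked about above (no access, full access, limited access), written as PAN-OS configure-mode set commands; this is an added example, not configuration posted by anyone in this thread. The zone names trust and untrust, the AD groups under the example domain and the URL filtering profile strict-web are assumptions, and lines starting with # are annotations rather than commands.

```text
# Added example. Assumed names: zones trust/untrust, AD groups example\web-none,
# example\web-full and example\web-limited, URL filtering profile strict-web.
# Security rules are evaluated top-down and the first match wins, so the deny
# for the no-access group is created first and ends up above the allow rules.
set rulebase security rules web-none from trust to untrust source any destination any
set rulebase security rules web-none source-user example\web-none application any service any action deny

# Full web access: web-browsing and ssl allowed, antivirus profile only,
# no URL filtering profile attached.
set rulebase security rules web-full from trust to untrust source any destination any
set rulebase security rules web-full source-user example\web-full application [ web-browsing ssl ] service application-default action allow
set rulebase security rules web-full profile-setting profiles virus default

# Limited access: same applications, with the (assumed) strict-web URL
# filtering profile deciding which categories are blocked.
set rulebase security rules web-limited from trust to untrust source any destination any
set rulebase security rules web-limited source-user example\web-limited application [ web-browsing ssl ] service application-default action allow
set rulebase security rules web-limited profile-setting profiles url-filtering strict-web virus default
```

The source-user match only works once User-ID and the group mapping are populated, so a user the firewall cannot map to any of these groups matches none of the three rules and falls through to whatever rule follows.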
04-25-2014 06:14 AM
Thanks I will take a look
08-12-2014 11:34 AM
Any luck with your transition InfoTech? I'm about to embark on the same journey and would like some insight.
08-12-2014 12:43 PM
I have the rules in place but haven't committed them yet, so I don't know.
08-16-2014 05:03 PM
Infotech,
We have a couple of ISA 2006 servers and I, like you, would like to replace them. We have used Captive Portal externally to force authentication along with AD group membership before forwarding the traffic to the web server. There is a double login but it works well other than that. Add some geographic filtering to the rule to make it more secure.
Phil
08-26-2014 06:39 AM
All,
I believe collectively we can come up with a sound solution and procedure for moving ISA rules over to the Palo Alto. This was one of the selling points of the PA's to us. Are you aware that there is a 'tool' available by your PA reseller that is supposed to do the import/export for you? At least that is what we were informed of, then come to find out (at the time of training) the tool didn't have ISA 2006 support yet (but had others).
08-26-2014 07:18 AM
Really, I did not know about the tool, and yes, the replacement of my ISA server was a selling point for us as well. The hard part is going to be the firewall settings on the ISA and the update of the policies that are currently routing my users through the proxy.