ISA 2006 proxy replacement


L4 Transporter

I want to use my PA as a proxy for the internet and want to remove my current ISA 2006 proxy server. I was curious what methods others are using and if you have any detailed step-by-step instructions on how to configure this.

30 replies

Greeng,

Our ISA is only used to publish about 10 sites, so the migration will not be so bad for us. We are only using it as an inbound proxy to SharePoint.

Phil

HITSSEC

Unfortunately for us, we have 30+.

A bit frustrating that no PA people have chimed in here.

greeng, maybe they don't have experience in ISA 2006. I am about to try to start migrating in the next two weeks and it might be a bit difficult.

Hi Infosec,

Maybe you could/should ask an integrator/partner/PAN Pro Services to help you with your migration. Given the questions you posted during the past few months, I fear you will need a lot of trials and energy to do this alone. Experience makes a big difference for smooth migrations.

Yes, I have been working with a PA engineer on the migration, but ISA 2006 is older and not a lot of people have in-depth knowledge of it.

L4 Transporter

I am with PANW Professional Services and used to admin ISA 2000 to 2006 and Forefront TMG as well.

Even without that, as long as the customer starts 'explaining' what the intent of his legacy product's filtering rules is, I can usually make the PAN device work the same way. It's also true with our partners.

I would like to spare you the pitfalls of migration by having someone experienced with PANW at your side. Up to you :)

Thanks, I would like to avoid the pitfalls of the migration myself; that is why I work with a PA engineer and also like to get different viewpoints on the community boards. I began learning PA last December when we implemented our first and then configured our second, along with managing all other areas of the network.

The intent of my migration from an ISA 2006 firewall is to move off of old technology to better improve overall security. Currently, different users are given access or blocked from access to certain web sites via the proxy server based on GPO. The first step we took was to create security policies based on the level of access allowed to a certain type of user. The next step is to enable those policies on the PA and slowly remove those blocked sites from the ISA and assure that the PA is doing all the filtering.

Next will be to change the rules and the GPOs so that the users, at all facilities, no longer go through the ISA but directly to the PA.

L4 Transporter

Currently I have a PA-3020 at my central facility and the ISA 2006 server. At the remote sites I have ASA 5505s, and the users are being sent back to the central facility via an Active Directory GPO and their internet is filtered by the ISA server. Is there any way to send them back to the PA instead of the ISA for their filtered internet?

The PA is not a proxy, so for it to filter the users you have to have it cross the PA for the internet access.

I assume your ASA connects via a site-to-site VPN tunnel. If this is true, you can set up the remote site as a non-split tunnel and send all traffic to the core site with the Palo Alto, and they get their internet access from there.

To do this you create a separate routing domain on the ASA with your local LAN users and connect this to the vpn.  The default route for this domain is the vpn tunnel.  So all traffic from the users comes to the core.

The main routing domain has the vpn gateway interface and connects the actual tunnel endpoints only.

On Cisco routers these are called VRF, but I'm pretty sure they have a different name on the ASA.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I know it's not a proxy in the truest sense, but it can be used to block web sites that are not appropriate or are harmful. We are currently routing traffic from our branches across a VPN tunnel for our service; I would expect we could do the same with bringing them back for the filtered internet.

Also, when I was looking at these, the PA engineer told me it was not a proxy but could replace my ISA server.

The PA can definitely replace the filtering functions on the ISA.

Your configuration issue is just with the routing domain. From your description, right now you have local internet routing at the ASA site, but via the proxy server web browser settings the actual internet path is the ISA server at your PA location. This method is not applicable to PA web filtering.

You need to change the routing setup on the ASA so that the default route for internet traffic on the user subnet takes the vpn tunnel.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

I will check the settings on my Cisco, Steven, and see what needs to be done with the routing.

I have further checked into the method used to bring our remote sites back to the main site for internet access and web site filtering. The users are being directed back to the proxy server through a GPO that sets the Internet Options\Connections\LAN settings\Proxy server to the proxy server. There are no settings on the Cisco firewall; it's only using a GPO. Can this be updated to point to the PA through the GPO instead, by setting the IE Internet Options\Connections\LAN settings\Proxy server to the PA instead of the proxy server?

Unfortunately, you cannot use browser proxy settings to direct internet traffic to the PA as you do with the ISA proxy server. I'm sorry my previous attempts to explain the difference were unclear.

The PA web filtering relies on traffic routing to deliver the web browsing traffic to the PA firewall and then from the firewall on to the internet.  The inspection takes place by rules applied then to this traffic.

With a remote site that has its own internet access, you need to configure a separate routing domain for the user traffic that has a default route into the VPN tunnel up to your PA site. This is the only way the internet traffic can then come through the PA before browsing.

You will need to change the routing architecture of the remote site to get the traffic up to the Palo Alto for web browsing.

Naturally, you could replace the ASA with a PA-200 instead and do the inspection locally.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
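As an added illustration of the routing point Steve makes across his replies above (this is example code added here, not code from the thread or from any poster or vendor): a small longest-prefix-match model of the branch routing table. It shows why a browser proxy set by GPO reaches the ISA over the VPN even with a split tunnel (the client connects to the proxy's address, which falls under the corporate prefix), why removing the proxy setting without changing the routing sends browsing straight out the local ISP and past the PA, and why pointing the GPO proxy setting at the PA does not help, since per the thread the PA does not accept explicit proxy connections. All addresses, prefixes, next-hop names and the listener set are constructed assumptions.

```python
import ipaddress

# Constructed example values; none of these addresses appear in the original thread.
ISA_PROXY = ipaddress.ip_address("10.0.0.5")           # ISA 2006 proxy at the central facility
PA_INSIDE = ipaddress.ip_address("10.0.0.1")           # PA-3020 inside interface at the central facility
INTERNET_HOST = ipaddress.ip_address("93.184.216.34")  # any public web server

# Devices that accept an explicit (browser-configured) HTTP proxy connection.
# Per the thread the PA is not a proxy, so only the ISA is listed (assumption for this model).
EXPLICIT_PROXY_LISTENERS = {ISA_PROXY}

# Branch routing tables as (prefix, next hop) pairs.
SPLIT_TUNNEL = [  # today: local internet breakout, only the corporate prefix goes into the VPN
    (ipaddress.ip_network("10.20.0.0/24"), "local-lan"),
    (ipaddress.ip_network("10.0.0.0/16"), "vpn-to-core"),
    (ipaddress.ip_network("0.0.0.0/0"), "local-isp"),
]
FULL_TUNNEL = [  # what Steve describes: the user subnet's default route is the tunnel
    (ipaddress.ip_network("10.20.0.0/24"), "local-lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "vpn-to-core"),
]


def next_hop(routes, dst):
    """Longest-prefix match over the table; returns the next-hop name, or None if no route matches."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def connect_target(dst, proxy=None):
    """With an explicit proxy set in the browser, the TCP connection goes to the proxy, not to dst."""
    return proxy if proxy is not None else ipaddress.ip_address(str(dst))


def enters_tunnel(routes, dst, proxy=None):
    """The PA can only filter what is routed to its site, i.e. what the branch sends into the VPN."""
    return next_hop(routes, connect_target(dst, proxy)) == "vpn-to-core"


def browsing_works(routes, dst, proxy=None):
    """Browsing succeeds if a route exists and, when a proxy is configured, something listens there."""
    if next_hop(routes, connect_target(dst, proxy)) is None:
        return False
    return proxy is None or proxy in EXPLICIT_PROXY_LISTENERS


def evaluate(routes, dst, proxy=None):
    """Summarise one scenario: does the flow reach the PA site, and does the user get a page back?"""
    return {
        "enters_tunnel": enters_tunnel(routes, dst, proxy),
        "browsing_works": browsing_works(routes, dst, proxy),
    }


if __name__ == "__main__":
    scenarios = {
        "split tunnel, GPO proxy = ISA (today)": (SPLIT_TUNNEL, ISA_PROXY),
        "split tunnel, proxy removed": (SPLIT_TUNNEL, None),
        "split tunnel, GPO proxy = PA": (SPLIT_TUNNEL, PA_INSIDE),
        "full tunnel, proxy removed": (FULL_TUNNEL, None),
    }
    for name, (routes, proxy) in scenarios.items():
        print(f"{name:40s} {evaluate(routes, INTERNET_HOST, proxy)}")
```

Only the last scenario both reaches the PA site and lets the user browse, which is the routing change the thread arrives at. The model deliberately ignores NAT and the return path; it is only about which next hop the branch picks for the packet the client actually sends.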
  • 8167 Views
  • 30 replies
  • 0 Likes