01-04-2009 10:13 PM
I'm setting up a couple of new SSG-140 devices running ScreenOS 6.2.0. These devices will be operating to isolate a couple of network enclaves from our main network. As such they're located behind our corporate security perimeter, and are unable to connect to the Internet, except via a Proxy server.
I'm new to configuring these devices. Everything I've read so far in the documentation and knowledge base tells me that the device must have a direct connection to the Internet (not via a proxy) in order to retrieve subscription updates from the entitlement server (I've subscribed to AV and DI signatures). I was wondering if there might be some kind of work-around to enable me to get the updates even though I'm behind a proxy. I'd be happy with even a kludgey, manual process, if that's what's necessary.
Thanks, in advance.
01-05-2009 09:30 PM - edited 01-05-2009 10:06 PM
This is an excerpt from the user guide regarding this:
1. Downloading the Signature Pack
To save the signature pack to your local server, enter the following URL in the
address field of your browser. See Table 6 on page 125 for a list of predefined
signatures packs and the corresponding URLs.
n=0043012001000213
Save attacks.bin to the local directory “C:\netscreen\attacks-db” (for loading via
the WebUI) or to your TFTP server directory C:\Program Files\TFTP Server
(when you want to use the CLI to load it).
2. Updating the Signature Pack
Configuration > Update > Attack Signature: Enter the following, then click OK:
Deep Inspection Signature Update:
Load File: Enter C:\netscreen\attacks-db\attacks.bin
Click Browse and navigate to that directory, select attacks.bin, then click Open.
If you downloaded the server, client, or worm protection signature packs, then
enter the appropriate filename.
save attack-db from tftp 10.1.1.5 attacks.bin to flash
Updating DI Patterns from a Proxy Server
You can update the DI patterns from a proxy server. This update does not require
Internet connectivity and is done offline.
To configure a proxy server:
Security > Proxy: Set the HTTP and SSL proxy addresses, then click Apply:
HTTP Proxy: 10.0.0.5:8080
SSL Proxy: 10.0.0.5:443
set pattern-update proxy http 10.0.0.5:8080
NOTE: You cannot configure an HTTPs proxy, because you cannot cache an HTTPs proxy.
The AV update procedure can be found on Pg 81 - Volume 4 of the ScreenOS 6.2 Reference Guide.
I was once stuck in the same situation as yours while trying to upgrade the license entitlement for an ISG running 5.x code.
The customer was a large university forcing all internet access through a proxy server (non-transparent). What I did was set up the proxy on my laptop and connected to the internet using wireless. Then I used the 'Internet Connection Sharing' (ICS) feature in Windows XP to let the ISG box access the internet through me. Was pretty annoying to set up, but it worked like a charm.