SofaWare Home Page    sofaware.infopop.cc    SofaWare Discussion Groups  Hop To Forum Categories  Internet Security Appliances    Secure tunnel/ Proxy/ Safe@office

Moderators: Asaf Levi, Ido, wendy
Junior Member
Posted
Currently I have a number of (Windows - but don't hold it against me) devices at home. They connect to a switch, and at the network edge is a safe@office. Hence, all internet, mail and other traffic goes through the safe@office.

For various (legitimate and legal) reasons, I am considering establishing/purchasing a secure-tunneling service to allow internet and other access (legal P2P) to be carried out over an encrypted channel.

My initial thought was to have the service (at a machine distinct annual cost) established on each of the Windows devices. My second thought was to set up a proxy server for all the Windows devices to feed through and to establish the secure channel service on that one machine alone.

It occurs to me that, in either case, by establishing an encrypted channel (www.secure-tunnel.com is but one of many examples), the safe@office would not be able to read/decrypt the traffic, which would only be decrypted at the proxy server. This would seem to invalidate the purpose and function of the safe@office.

Short of putting the proxy server outside the safe@office, is there any means of establishing the safe@office as one end of such a channel?

Of course, I recognise that everything I have just written may be in fact total gibberish and simply display my own lack of understanding, wit and competence... :-).
 
Posts: 3 | Registered: June 03, 2009
Ido
SofaWare Employee - Engineer
Posted
I do not see how the Safe@Office can be the device that establishes this tunnel unless you find a service that offers an IPSEC VPN tunnel and allows you to either create a Site to Site or Remote Access VPN from the safe@office to their firewall/server.

I think the best practice will be to simply install the proxy server on the DMZ so traffic between the LAN and DMZ will be in clear text and as such, scanned by the firewall.



Regards,
Ido.
 
Posts: 88 | Registered: April 24, 2009
Junior Member
Posted
That is correct, and I apologise for my lack of clarity. Clearly the safe@office cannot establish the encrypted tunnel.

That means, however, that the device that _does_ establish the encrypted link (most likely a PC/Windows Server 2008 pass through proxy) must either be on the public side of the safe@office (so that the safe@office can inspect unencrypted web and mail traffic), in which case it is less effectively defended, or on the private network side of the safe@office, in which case the safe@office cannot inspect the web and email traffic because it is encrypted.

I could, as you say, put the proxy server in the DMZ. That would seem logical... however, at the moment I am using both WAN ports on the safe@office to obtain (legally and properly) two non-static IP addresses from my ISP.

I suspect, as you confirm, my only real solution is to lose one of the IP Addresses, and set the proxy server in the DMZ. The proxy would then establish the encrypted tunnel over the WAN port, and traffic passing to the internal subnet would then be decrypted and, I assume, inspected prior to being passed in.

I wonder if there is a way to persuade the safe@office to make more than one DHCP request for an IP address, and assign the result to a specific port on the router side.. I will have to investigate.

My thanks for the response :-).
 
Posts: 3 | Registered: June 03, 2009
Ido
SofaWare Employee - Engineer
Posted
quote:
Originally posted by Peladon:
I wonder if there is a way to persuade the safe@office to make more than one DHCP request for an IP address, and assign the result to a specific port on the router side.. I will have to investigate.


If you need both WAN connections, then you can create Port Based VLANs and put the proxy on another VLAN, or for that matter you can also use the Flexible WAN Port option and configure one of the LAN ports to be used as a WAN connection.

The usage of those features depends on the Hardware model and License that you have, so please open a ticket with the support team stating your MAC address to check if your device is compatible.



Regards,
Ido.
 
Posts: 88 | Registered: April 24, 2009

© Copyright 2006 SofaWare Technologies Ltd.