
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall


Hi everybody! Nice to find you all here! :)

So here is our issue. As we have a TMG 2010 in use as a proxy server, which is no longer supported, we wanted to replace it. So we have bought a Watchguard Firebox M200 in order to do so.

Our current topology is the following. Our internal network (PCs and servers) connects to switches which all have a set gateway, which is a central switch. This central switch has a default route which points to an ASA 5515 with CX installed. The ASA routes all traffic to a Cisco 2901 router which has multiple WANs. The TMG IP is set in the Internet options of all PCs and servers as a proxy (via GPO). In the network settings of the network adapters (in the TCP/IPv4 options) we have set the IP address of the central switch as the gateway.

This is a simplified description of the network, as there are other things in play, such as a DMZ on the ASA, a couple of site-to-site VPNs on the ASA and AnyConnect users connecting from outside. But let's leave these aside in order to make the scenario simpler.

What we had in mind was to go slow at first and only replace the TMG 2010 proxy function for the internet access of our users with the Firebox M200. At the same time we want to continue using the ASA 5515 for all that we have set up on it (which is quite a few things, no point in going into these now). So we just want to get rid of the TMG 2010 at first. Maybe later we will completely replace the ASA with the Firebox, but this is just a future plan for now.

What we had in mind was that we would simply replace the IP address of the TMG with the IP address of the Firebox (the one set in the Internet options of all PCs and servers as a proxy via GPO) and that would do the trick.

It turns out that it isn't working this way, or at least we haven't managed to get it to work this way. When we set the IP of the proxy as the Firebox IP, at first it was blocked by the Firebox as it was identified as traffic to the Firebox. After allowing this, it is still not working, as we get no relevant entries in the traffic monitor, but in the browser we get an error message "The proxy server isn’t responding".

If we set the Firebox IP as the gateway in the network adapter's TCP/IPv4 options on the PC, the internet access works just fine.

So we are now wondering: is it possible to use the Firebox as a proxy like we used to do with the TMG (defined as a proxy in the Internet options)?

If not, what are the alternatives?

Please keep in mind that, at least for the servers, we need to keep the ASA in play, so we cannot change the default gateway (in the TCP/IPv4 options of the network adapters on the servers), as they would not connect with the ASA anymore and nothing else would work.

Unless there is a way to pass all the traffic (except for the HTTP and HTTPS ports) through the Firebox and towards the ASA. The only thing that confuses us at the moment is that both of these are on the inside/trusted network and the Firebox seems to only let traffic come out from an external. Or have we got this wrong?

Many thanks in advance for any help you can give.

RE: Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall

You can run the WG in bridge mode
But why? The M200 blows the ASA out of the water in terms of performance and ease of configuration.

Emulating the ASA config on the WG really isn't that hard. Your port forwarding is done with SNAT rules, and there are no nasty NAT + ACLs to configure.

I really think if you got someone in who knew their stuff (smile) then migrating will be a simple case of changing a patch lead, and no one would even notice.

General Geek
