[FW-1] INLINE HTTP CLIENT AUTH - FULLY AUTOMATIC
Ok guys, I need some input from you. Can someone test/explain this next problem to me? I've been trying to figure this out for a week. I've tested it on SP2, SP3, SP4, SP5 and NG FP1.

In test, simple rulebase:

    users@any - web_server - http - client_auth_fully_automatic
    any - any - any - drop

This rule should cause clients to be prompted inline for authentication when connecting with a browser to a web server. It doesn't work. I've monitored the network and captured the packets. In brief, the client auth mechanism is trying to redirect the request to the firewall. If I add the firewall object into the rule along with the webserver, it works fine. But think about that for a minute: every service you add to that rule opens up a port to the firewall. Hardly a sound idea?

So let's try this again using user auth:

    users@any - web_server - http - user_auth
    any - any - any - drop

This works fine, inline authentication without having to add the firewall object to the rule. So client auth doesn't use the same http authentication mechanism? If I try client auth fully automatic with telnet instead of http it works fine, so it's a problem with http only.

Can anyone explain this? It is perfectly desirable to use client auth fully automatic using http inline authentication, but unless the firewall is in the rule, it doesn't work. So why does user auth work?

Answers on a post card.

JP