[FW-1] INLINE HTTP CLIENT AUTH - FULLY AUTOMATIC



Ok guys, I need some input from you,

Can someone test/explain this next problem to me? I've been trying to figure
this out for a week.
I've tested it on SP2, SP3, SP4, SP5 and NG FP1.

In test, simple rulebase:

users@any - web_server - http - client_auth_fully_automatic
   any    -     any    - any  - drop

This rule should cause clients to be prompted inline for authentication
when connecting with a browser to a web server.

It doesn't work. I've monitored the network and captured the packets. In
brief the client auth mechanism is trying to redirect the request to the
firewall. If I add the firewall object into the rule along with the
webserver it works fine. But think about that for a minute, every service
you add to that rule opens up a port to the firewall. Hardly a sound idea?

So let's try this again using user auth:

users@any - web_server - http - user_auth
   any    -     any    - any  - drop

This works fine, inline authentication without having to add the firewall
object to the rule. So client auth doesn't use the same http authentication
mechanism? If I try client auth fully automatic with telnet instead of http
it works fine, so it's a problem with http only.

Can anyone explain this? It is perfectly desirable to use client auth fully
automatic using http inline authentication but unless the firewall is in the
rule, it doesn't work. So why does user auth work?

Answers on a post card.

JP

   All contents © 2004 Network Presence, LLC. All rights reserved.