Sveinung Rage <[EMAIL PROTECTED]> wrote:

>| I have a question regarding NAT and ACE client/server communication.
>| 
>| I'm trying to set up an ACE WebID agent on my internal web server, which is
>| made available for external users using NAT static address mapping. I have
>| an ACE server located on another interface on my Checkpoint FW-1. The ACE
>| server has a valid IP address.

        Adam is correct.  The exchange between the ACE/Server and the
ACE/Agent in FW-1 is fine, but the exchange between your ACE/Server and the
(WebID) ACE/Agent in the web server on your internal net is being
disrupted because of the address translation.

        The exchange of hashes used to secure the transfer of the
authentication request (and the reply) between the various ACE Agents and
the ACE/Server includes time; a given user's SecurID passcode; the
ACE/Agent's secret key; and the ACE/Agent's IP address.

        Don't despair. In many situations, particularly when you have a
static NAT address mapping, there are workarounds available.  Unfortunately,
they vary depending on your architecture, FW-1 configuration, and (in this
case) which web server you are running. 

        You really should talk to your SSE or contact RSA's Customer
Support.  They can probably help you fairly quickly.

        (The nifty new ACE protocol Adam mentioned -- used in RSA's new Keon
5.x family of application-oriented AAA, SSO, and PKI products -- uses SSL
for security and will not have this problem.  Unfortunately, it will
probably be another year or so before we see a version of the ACE/Server and
ACE/Clients that will support the new protocol.)

        I've been a consultant to RSA Security (née Security Dynamics) since
the stone age, and my objectivity is suspect.

        Suerte,

                            _Vin
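        [Added illustration, not part of the original post and not RSA's
code: a toy model of the failure Vin describes above. The real ACE hash
is proprietary and is not reproduced here; an HMAC-SHA256 over the four
inputs the post lists (time, passcode, agent secret, agent IP) stands in
for it. The addresses, secret, time slot and passcode are constructed
sample values, and the "bound_ip" knob on the agent side is a hypothetical
simplification of "whatever address the agent believes it has".]

```python
"""Toy model of why an IP-bound authentication hash breaks behind NAT.

Constructed for this page. It is NOT the ACE/SecurID protocol; it models
only the property stated in the thread: the hash protecting a SecurID
authentication request covers the time, the passcode, the agent's secret
key and the agent's IP address, so the server recomputes it with the
source address it actually observes.
"""
import hashlib
import hmac

# Sample values, constructed for the example (not real keys or tokens).
AGENT_SECRET = b"agent-node-secret-0000"   # hypothetical agent secret key
INTERNAL_IP = "10.1.2.3"                   # web server's address on the inside
NAT_IP = "198.51.100.7"                    # static NAT address the firewall presents
TIME_SLOT = 1_039_200                      # hypothetical minute counter
PASSCODE = "1234567890"                    # hypothetical PIN + tokencode


def bind_hash(secret: bytes, agent_ip: str, time_slot: int, passcode: str) -> bytes:
    """HMAC over the four inputs the post lists (stand-in for ACE's own hash)."""
    msg = f"{agent_ip}|{time_slot}|{passcode}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def agent_request(secret: bytes, bound_ip: str, time_slot: int, passcode: str) -> dict:
    """What the agent sends. The passcode itself never travels in clear;
    the hash is computed with the IP the agent believes it has (bound_ip)."""
    return {"time_slot": time_slot,
            "hash": bind_hash(secret, bound_ip, time_slot, passcode)}


def server_verify(registry: dict, src_ip: str, request: dict, expected_passcode: str) -> str:
    """Server side: find the agent by the source address it observed, then
    recompute the hash with that address. Returns the text the user sees."""
    secret = registry.get(src_ip)
    if secret is None:
        # Source address is not a registered agent host: the server cannot
        # even pick a secret, and the user just sees a passcode failure.
        return "PASSCODE incorrect"
    expected = bind_hash(secret, src_ip, request["time_slot"], expected_passcode)
    if not hmac.compare_digest(expected, request["hash"]):
        return "PASSCODE incorrect"
    return "PASSCODE accepted"


def scenario(nat_in_path: bool, registered_ip: str, agent_bound_ip: str) -> str:
    """Run one exchange with the correct passcode and return the verdict.

    nat_in_path:    whether the firewall rewrites the packet's source address
    registered_ip:  the address under which the server knows this agent
    agent_bound_ip: the address the agent folds into its hash
    """
    registry = {registered_ip: AGENT_SECRET}
    req = agent_request(AGENT_SECRET, agent_bound_ip, TIME_SLOT, PASSCODE)
    src_ip = NAT_IP if nat_in_path else INTERNAL_IP
    return server_verify(registry, src_ip, req, PASSCODE)


if __name__ == "__main__":
    # 1. No NAT between agent and server: everyone agrees on the address.
    print("no NAT:            ", scenario(False, INTERNAL_IP, INTERNAL_IP))
    # 2. Static NAT, nothing else changed: the server sees NAT_IP, the agent
    #    hashed INTERNAL_IP, and the correct passcode is reported as wrong.
    print("NAT, unchanged:    ", scenario(True, INTERNAL_IP, INTERNAL_IP))
    # 3. Only the server's registration updated: still a hash mismatch.
    print("NAT, server only:  ", scenario(True, NAT_IP, INTERNAL_IP))
    # 4. Both sides use the (static, hence predictable) NAT address.
    print("NAT, both sides:   ", scenario(True, NAT_IP, NAT_IP))
```

        Two things the model makes visible: the "PASSCODE incorrect"
message is the server's generic answer for any hash mismatch, so a
correct SecurID passcode from behind NAT looks exactly like a typo; and a
fix only exists when agent and server can be made to agree on the same
address, which is why a *static* mapping leaves room for a workaround
and a dynamic pool does not.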

>| When trying to authenticate with my SecurID card, I keep getting the message
>| "PASSCODE incorrect".
>| And this only happens when I try to authenticate from a NAT-ed
>| server/workstation.
>| 
>| Anyone who know the reason/workaround?
>
>At 03:53 PM 9/28/99 -0400, Adam Shostack wrote:

>I suspect that the issue is that the ACE protocol uses your IP address
>as part of an encryption key, and this fails over NAT.  In theory,
>there is a new ACE client/server protocol, but it's not used by default
>because of backward compatibility mode.

<snip>

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]