Actually that's not the case. Unless the TS is the same server as everyone
else, when staff are using their browser, it will be using a different
outbound rule. The TS server has its own rule.

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
        301-610-9584 voice
        240-465-0323 Efax
The data furnished in connection with this document is deemed by Clark
Systems Support, LLC., to contain proprietary and privileged information and
shall not be disclosed or used for the benefit of others without the prior
written permission of Clark Systems Support, LLC.


-----Original Message-----
From: Eric Samburn [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 27, 2001 8:38 PM
To: [EMAIL PROTECTED]
Subject: RE: Firewall authentication & W2K Terminal Server

I don't want to get into application proxy / packet filtering debate,
but think about it.

The TS is on the internal network behind the firewall.
Staff are logged into the TS and startup their instance of browser.

From the firewall's perspective, the traffic is TCP. The data packets will 
only provide src addr, src port, dest addr, dest port. Since all 
connections are from the same TS, there is no way a packet filtering 
firewall can distinguish which connection belongs to which user.
What you need is an HTTP proxy. Some firewalls provide an HTTP proxy that 
supports proxy "Basic Authentication" (the one specified in the HTTP 
standard).

That way you can control and log all web surfing usage.

Alternatively, you put an HTTP proxy on the internal network, and the 
firewall is configured to ONLY allow the proxy server to go to the Net.
And all users on the TS need to configure their browser to use the proxy for 
web surfing.

I just can't see how a packet filtering firewall can solve this problem.



>From: "Kuff, Hal" <[EMAIL PROTECTED]>
>To: "'Clark, Steve'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'"

><[EMAIL PROTECTED]>
>Subject: RE: Firewall authentication & W2K Terminal Server
>Date: Tue, 27 Nov 2001 19:18:54 -0500
>
>
>
>     This is indeed an old and annoying issue... we suffer as well... it's
>almost impossible to identify what session on a TSE machine maps into a
>session on a PIX.. we're interested as well.
>
>-----Original Message-----
>From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, November 27, 2001 5:39 PM
>To: [EMAIL PROTECTED]
>Subject: Firewall authentication & W2K Terminal Server
>
>Hey,
>
>I'm looking for a firewall, which can give me a solution for the problem
>I'll be describing.
>
>I've got a Windows 2000 Terminal Server, and the Terminal Server clients can
>browse the Internet using their session. However, they need to be
>authenticated by a firewall appliance before they are allowed, and their
>activity needs to be logged on a per-user basis.
>
>The firewall I'm testing for the moment -WatchGuard Firebox II- cannot
>do what I want. Once a Terminal Server user authenticates successfully, all
>others are allowed. This is because my WatchGuard dynamically changes the
>ACLs, because of the successful authentication, and allows Internet access
>originated from the Terminal Server source IP. Additionally, it cannot log
>on a per-user basis; as far as my WatchGuard is concerned, it all comes from the
>Terminal Server.
>I've also tested the Nortel Contivity Instant Internet Gateway, and they
>have the same problem as above.
>During my CheckPoint Firewall-1 training, I've asked the same question. The
>Certified Instructor told me it wasn't possible on CP FW-1, for the same
>reasons as described above. However, I didn't have the opportunity to test
>it so far.
>
>Does anyone know a firewall which can perform what I want? And if yes, can
>he or she describe how it is done? Any help is welcome, and I thank you for
>the answer(s) to my question.
>
>Regards,
>Andy JONKERS


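The two views of the same Terminal Server traffic that this thread argues about, as an added example that is not code from any of the posters, nor from WatchGuard, Check Point or any proxy product. The addresses, usernames, passwords, packets and requests below are constructed for illustration; the proxy's credential store is an in-memory dictionary standing in for whatever directory a real proxy would consult. The first function models what a packet filter has to work with (the 4-tuple only, so every TS session collapses onto one source address); the second models a proxy checking `Proxy-Authorization: Basic` (RFC 7617), answering 407 when credentials are missing or wrong, and keeping a per-user log; the third is the egress rule for the alternative design in which only the proxy may leave the network.

```python
"""Per-user attribution of Terminal Server web traffic: packet filter vs HTTP proxy.

Added example for this thread (not any poster's code). All data is constructed.
"""
import base64
from collections import defaultdict

TS_ADDR = "10.0.0.5"     # constructed: the Terminal Server as the firewall sees it
PROXY_ADDR = "10.0.0.8"  # constructed: internal HTTP proxy in the second design

# Constructed packet-filter view of three browser connections from three TS sessions.
# A packet filter sees protocol plus src/dst address and port: nothing names the user.
PACKET_LOG = [
    {"proto": "tcp", "src": TS_ADDR, "sport": 1025, "dst": "198.51.100.10", "dport": 80},
    {"proto": "tcp", "src": TS_ADDR, "sport": 1026, "dst": "198.51.100.20", "dport": 80},
    {"proto": "tcp", "src": TS_ADDR, "sport": 1027, "dst": "198.51.100.10", "dport": 80},
]


def packet_filter_attribution(packets):
    """Group connections by the only identity a packet filter has: the source address."""
    per_source = defaultdict(list)
    for p in packets:
        per_source[p["src"]].append((p["dst"], p["dport"]))
    return dict(per_source)


def egress_allowed(packet):
    """Egress rule for the 'only the proxy may go to the Net' design (constructed)."""
    return packet["src"] == PROXY_ADDR and packet["dport"] in (80, 443)


# Constructed credential store: username -> password. A real proxy would check a directory.
PROXY_USERS = {"alice": "s3cret", "bob": "hunter2"}


def basic_header(user, password):
    """Build the header value a browser sends after a 407 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_proxy_basic(headers):
    """Return the authenticated username from Proxy-Authorization: Basic, or None.

    Basic auth is base64("user:password"). Anything missing, malformed or
    failing the credential check yields None so the caller can send 407.
    """
    value = headers.get("Proxy-Authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep or PROXY_USERS.get(user) != password:
        return None
    return user


def proxy_handle(request):
    """Decide what the proxy does with one request: 407 challenge or 200 with a user."""
    user = parse_proxy_basic(request["headers"])
    if user is None:
        return {"status": 407, "user": None, "url": request["url"]}
    return {"status": 200, "user": user, "url": request["url"]}


# Constructed browser requests from TS sessions; at the TCP level all share src 10.0.0.5.
PROXY_REQUESTS = [
    {"url": "http://example.com/", "headers": {}},  # first request, no credentials yet
    {"url": "http://example.com/",
     "headers": {"Proxy-Authorization": basic_header("alice", "s3cret")}},
    {"url": "http://example.net/news",
     "headers": {"Proxy-Authorization": basic_header("bob", "hunter2")}},
    {"url": "http://example.org/",
     "headers": {"Proxy-Authorization": basic_header("bob", "wrong")}},
]


def proxy_attribution(requests):
    """Per-user log the proxy can keep and the packet filter cannot."""
    per_user = defaultdict(list)
    for r in requests:
        entry = proxy_handle(r)
        if entry["status"] == 200:
            per_user[entry["user"]].append(entry["url"])
    return dict(per_user)


if __name__ == "__main__":
    print("packet filter sees:", packet_filter_attribution(PACKET_LOG))
    print("proxy sees:", proxy_attribution(PROXY_REQUESTS))
    print("TS direct egress allowed:", egress_allowed(PACKET_LOG[0]))
```

Running it shows the packet filter collapsing all three sessions under `10.0.0.5`, while the proxy attributes each allowed request to `alice` or `bob` and rejects the bad password with a 407. Note that Basic sends the password base64-encoded, not encrypted, so the proxy hop is only as confidential as the internal network it crosses.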

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
