Hey, What you have written explains exactly what I'm experiencing, and what you are suggesting is what I need. But is it possible to give me a product that can do what I want? Some people speak of a PIX, but as far as I'm aware of my problem, they will experience the same kind of problems. This is because, as you have suggested, each Browser Session on a Terminal Server is a session in itself, and all data leaving the TS seems to be from only one user instead of different users. Thanks in advance for your answers.
Andy

----- Original Message -----
From: "Eric Samburn" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 28, 2001 2:37 AM
Subject: RE: Firewall authentication & W2K Terminal Server

> I don't want to get into the application proxy / packet filtering debate,
> but think about it.
>
> The TS is on the internal network behind the firewall.
> Staff are logged into the TS and start up their instance of the browser.
>
> From the firewall's perspective, the traffic is TCP. The data packets will
> only provide src addr, src port, dest addr, dest port. Since all
> connections are from the same TS, there is no way a packet filtering
> firewall can distinguish which connection belongs to which user.
> What you need is an http proxy. Some firewalls provide an http proxy that
> supports proxy "Basic Authentication" (the one specified in the http
> standard).
>
> That way you can control and log all web surfing usage.
>
> Alternatively, you put an http proxy on the internal network, and the
> firewall is configured to ONLY allow the proxy server to go to the Net.
> And all users from the TS need to config their browser to use the proxy for
> web surfing.
>
> I just can't see how a packet filtering firewall can solve this problem.
>
>
> >From: "Kuff, Hal" <[EMAIL PROTECTED]>
> >To: "'Clark, Steve'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'"
> ><[EMAIL PROTECTED]>
> >Subject: RE: Firewall authentication & W2K Terminal Server
> >Date: Tue, 27 Nov 2001 19:18:54 -0500
> >
> > This is indeed an old and annoying issue... we suffer as well... it's
> >almost impossible to identify what session on a TSE machine maps into a
> >session on a PIX.. we're interested as well.
> >
> >-----Original Message-----
> >From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, November 27, 2001 5:39 PM
> >To: [EMAIL PROTECTED]
> >Subject: Firewall authentication & W2K Terminal Server
> >
> >Hey,
> >
> >I'm looking for a firewall which can give me a solution for the problem
> >I'll be describing.
> >
> >I've got a Windows 2000 Terminal Server, and the Terminal Server clients can
> >browse the Internet using their session. However, they need to be
> >authenticated by a firewall appliance before they are allowed, and their
> >activity needs to be logged on a user basis.
> >
> >The firewall I'm testing for the moment -WatchGuard Firebox II- cannot
> >do what I want. Once a Terminal Server user authenticates successfully, all
> >others are allowed. This is because my WatchGuard dynamically changes the
> >ACLs, because of the successful authentication, and allows Internet access
> >originated from the Terminal Server Source IP. Additionally, it cannot log
> >on a user basis; as far as my WatchGuard is concerned it comes from the
> >Terminal Server.
> >I've also tested the Nortel Contivity Instant Internet Gateway, and they
> >have the same problem as above.
> >During my CheckPoint Firewall-1 training, I've asked the same question. The
> >Certified Instructor told me it wasn't possible on CP FW-1, for the same
> >reasons as described above. However, I didn't have the opportunity to test
> >it so far.
> >
> >Does anyone know a firewall which can perform what I want? And if yes, can
> >he or she describe how it is done? Any help is welcome, and I thank you for
> >the answer(s) to my question.
> >
> >Regards,
> >Andy JONKERS
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
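Eric's point about the 4-tuple versus an authenticating proxy, as an added example that is not from any of the posters: constructed packet-filter log lines and constructed common-log-format proxy lines (authenticated user in the third field) are parsed to show what each can attribute per user when every request leaves the Terminal Server with the same source address. The log formats, addresses and user names are assumptions.

```python
import re
from collections import defaultdict

# Constructed packet-filter log (not from the thread): the firewall only sees
# src addr/port and dst addr/port, and every TS session shares 10.0.0.5.
PACKET_FILTER_LOG = """\
Nov 28 09:01:02 fw allow tcp 10.0.0.5:1034 -> 203.0.113.10:80
Nov 28 09:01:07 fw allow tcp 10.0.0.5:1035 -> 203.0.113.20:80
Nov 28 09:02:11 fw allow tcp 10.0.0.5:1036 -> 198.51.100.7:80
Nov 28 09:03:00 fw allow tcp 10.0.0.5:1037 -> 203.0.113.10:80
"""

# Constructed proxy access log in common log format; the third field is the
# user name the browser supplied via proxy Basic Authentication ("-" if none).
PROXY_LOG = """\
10.0.0.5 - alice [28/Nov/2001:09:01:02 +0100] "GET http://www.example.com/ HTTP/1.0" 200 5123
10.0.0.5 - bob [28/Nov/2001:09:01:07 +0100] "GET http://www.example.net/ HTTP/1.0" 200 842
10.0.0.5 - alice [28/Nov/2001:09:02:11 +0100] "GET http://www.example.org/ HTTP/1.0" 403 0
10.0.0.5 - - [28/Nov/2001:09:03:00 +0100] "GET http://www.example.com/ HTTP/1.0" 407 0
"""

PF_RE = re.compile(r"tcp (\S+):(\d+) -> (\S+):(\d+)")
PROXY_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def requests_by_principal_packet_filter(log: str) -> dict:
    """The best a packet filter can do: group by source address, which for a
    Terminal Server is the server itself, never the logged-in user."""
    counts = defaultdict(int)
    for m in PF_RE.finditer(log):
        counts[m.group(1)] += 1
    return dict(counts)


def requests_by_principal_proxy(log: str) -> dict:
    """With proxy authentication the user name is in the log line, so per-user
    attribution works even though every request carries the TS address.
    Requests without credentials (status 407, user "-") are kept visible
    under an 'unauthenticated@<src>' bucket rather than silently dropped."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        src, user, _method, _url, _status = m.groups()
        if user == "-":
            user = f"unauthenticated@{src}"
        counts[user] += 1
    return dict(counts)
```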
