Is there any reason you are looking for a firewall and not a proxy solution? We have almost the same setup (NT 4.0 Terminal server). We use MS Proxy Server to authenticate to the web and log usage by user, and a packet-filtering firewall for outbound and inbound packet filtering. I think a proxy solution would better fix your problem in this case (but don't disregard the firewall for inbound/outbound filtering!). We have experience with the Microsoft solution, and it does the trick.
John J. Steniger

> -----Original Message-----
> From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 28, 2001 1:53 AM
> To: Eric Samburn; [EMAIL PROTECTED]
> Subject: Re: Firewall authentication & W2K Terminal Server
>
> Hey,
>
> What you have written explains exactly what I'm experiencing, and what you
> are suggesting is what I need. But is it possible to give me a product that
> can do what I want?
> Some people speak of a PIX, but as far as I'm aware of my problem, they will
> experience the same kind of problems. This is because, as you have
> suggested, each browser session on a Terminal Server is a session in
> itself, and all data leaving the TS seems to be from only one user instead
> of different users.
> Thanks already for your answers.
>
> Andy
>
> ----- Original Message -----
> From: "Eric Samburn" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 28, 2001 2:37 AM
> Subject: RE: Firewall authentication & W2K Terminal Server
>
> > I don't want to get into the application proxy / packet filtering debate,
> > but think about it.
> >
> > The TS is on the internal network behind the firewall.
> > Staff are logged into the TS and start up their instance of the browser.
> >
> > From the firewall's perspective, the traffic is TCP. The data packets will
> > only provide src addr, src port, dest addr, dest port. Since all
> > connections are from the same TS, there is no way a packet filtering
> > firewall can distinguish which connection belongs to which user.
> > What you need is an HTTP proxy. Some firewalls provide an HTTP proxy that
> > supports proxy "Basic Authentication" (the one specified in the HTTP
> > standard).
> >
> > That way you can control and log all web surfing usage.
> >
> > Alternatively, you put an HTTP proxy on the internal network, and the
> > firewall is configured to ONLY allow the proxy server to go to the Net.
> > And all users from the TS need to config their browser to use the proxy for
> > web surfing.
> >
> > I just can't see how a packet filtering firewall can solve this problem.
> >
> > > From: "Kuff, Hal" <[EMAIL PROTECTED]>
> > > To: "'Clark, Steve'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > > Subject: RE: Firewall authentication & W2K Terminal Server
> > > Date: Tue, 27 Nov 2001 19:18:54 -0500
> > >
> > > This is indeed an old and annoying issue... we suffer as well... it's
> > > almost impossible to identify what session on a TSE machine maps into a
> > > session on a PIX.. we're interested as well.
> > >
> > > -----Original Message-----
> > > From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, November 27, 2001 5:39 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Firewall authentication & W2K Terminal Server
> > >
> > > Hey,
> > >
> > > I'm looking for a firewall which can give me a solution for the problem
> > > I'll be describing.
> > >
> > > I've got a Windows 2000 Terminal Server, and the Terminal Server clients can
> > > browse the Internet using their session. However, they need to be
> > > authenticated by a firewall appliance before they are allowed, and their
> > > activity needs to be logged on a user basis.
> > >
> > > The firewall I'm testing for the moment -WatchGuard Firebox II- cannot
> > > do what I want. Once a Terminal Server user authenticates successfully, all
> > > others are allowed. This is because my WatchGuard dynamically changes the
> > > ACLs because of the successful authentication, and allows Internet access
> > > originated from the Terminal Server source IP. Additionally, it cannot log
> > > on a user basis; as far as my WatchGuard is concerned it comes from the
> > > Terminal Server.
> > > I've also tested the Nortel Contivity Instant Internet Gateway, and it
> > > has the same problem as above.
> > > During my CheckPoint Firewall-1 training, I've asked the same question. The
> > > Certified Instructor told me it wasn't possible on CP FW-1, for the same
> > > reasons as described above. However, I didn't have the opportunity to test
> > > it so far.
> > >
> > > Does anyone know a firewall which can perform what I want? And if yes, can
> > > he or she describe how it is done? Any help is welcome, and I thank you for
> > > the answer(s) to my question.
> > >
> > > Regards,
> > > Andy JONKERS
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
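Eric Samburn's argument in the quoted thread, shown in code: the same Terminal Server traffic, seen once as a packet filter sees it (addresses and ports only) and once as an HTTP proxy sees it (the Proxy-Authorization header inside each request). This is an added illustration, not code from the thread or from any product named in it; the addresses, user names and URLs are constructed placeholders.

```python
import base64
from collections import Counter

# Constructed sample: every request leaves the Terminal Server from one source IP,
# so only what the HTTP proxy can read inside the request tells the users apart.
TS_IP = "10.0.0.5"  # placeholder Terminal Server address

def basic(user, password):
    """Build the value of a Proxy-Authorization header for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def request(url, auth=None):
    """Minimal proxied GET; auth=None models a browser that has not authenticated yet."""
    headers = [f"GET {url} HTTP/1.1", "Host: " + url.split("/")[2]]
    if auth:
        headers.append("Proxy-Authorization: " + auth)
    return "\r\n".join(headers) + "\r\n\r\n"

# (src_ip, src_port, dst_ip, dst_port, request): one connection per browser request
FLOWS = [
    (TS_IP, 40001, "203.0.113.10", 8080, request("http://example.com/", basic("alice", "pw1"))),
    (TS_IP, 40002, "203.0.113.10", 8080, request("http://example.net/news", basic("bob", "pw2"))),
    (TS_IP, 40003, "203.0.113.10", 8080, request("http://example.org/")),  # not authenticated
    (TS_IP, 40004, "203.0.113.10", 8080, request("http://example.com/mail", basic("alice", "pw1"))),
]

def packet_filter_view(flows):
    """A packet filter sees only src/dst address and port: all TS traffic is one 'user'."""
    return Counter(src for src, *_ in flows)

def proxy_user(raw_request):
    """Return the user named in a Basic Proxy-Authorization header, or None if absent."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authorization":
            scheme, _, cred = value.strip().partition(" ")
            if scheme.lower() == "basic":
                return base64.b64decode(cred).decode().partition(":")[0]
    return None

def proxy_view(flows):
    """Per-user log lines for authenticated requests; a request without credentials
    is answered with 407 Proxy Authentication Required and never reaches the Internet."""
    log, challenged = [], 0
    for _src, _sport, _dst, _dport, req in flows:
        user = proxy_user(req)
        url = req.split(" ", 2)[1]
        if user is None:
            challenged += 1  # proxy sends 407; nothing is forwarded for this request
        else:
            log.append(f"{user} GET {url}")
    return log, challenged
```

`packet_filter_view(FLOWS)` collapses all four requests onto the Terminal Server's IP, while `proxy_view(FLOWS)` yields three per-user log lines and one challenged request, which is the distinction the thread turns on.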
