Sorry, probably I wasn't really clear in explaining the situation... Ok, I agree I don't want to configure my browser, also because I want to configure "client authentication in transparent mode", so that users can address remote web servers directly and do not have to reauthenticate before their authentication timeout. I think in this mode requests are forwarded automatically to the HTTP proxy (Security Server) in FW1 for the authentication.

The problem I'm reporting is that when configuring "transparent authentication" as in the FW1 manual, it doesn't work, and the problem seems to be caused by the redirection to the HTTP Security Server, because after the redirection the browser tries to connect to port 80 of the Cluster IP and everything stops. After trying different configurations I succeeded in making it work only with the following firewall configuration and in the way described later.

Firewall configuration items:

a) User Authentication using RADIUS protocol (with a generic user to map all users connecting to Internet). I also tested this configuration with user authentication and it works fine;
b) Firewall rules are minimal (for testing):
   --> [EMAIL PROTECTED] Any Any http Client_Auth Log;
c) client authentication options are:
   -> Partially automatic
   -> Standard Sign-On
   -> Session Timeout 30 mins.
   -> Unlimited number of sessions
d) I didn't create any resource bound to the http protocol;

If I try to connect to a remote site, the firewall doesn't ask me for authentication and everything stops with the automatic redirection to port 80 of one of the two nodes of the cluster. Now I follow 3 steps:

1) configuring manually in my browser the cluster IP as HTTP proxy
2) authenticating, but with the error of the firewall not configured as a proxy
3) removing the proxy configuration from the browser and now navigating Internet as regularly authenticated.

I hope I explained my problem clearly now,
Thank you in advance

Fabio Teti

At 17:10, Wednesday 25 February 2004, you wrote:
> Hi,
> Configuring Client Authentication should be straight-forward, no need to
> configure anything in the browser.
>
> Make sure you have a user configured with authentication.
>
> Add a rule with client authentication for HTTP (and HTTPS), keep all
> defaults and install the policy on the cluster.
>
> Open a browser and type http://<cluster IP>:900 where <cluster IP> is the
> internal cluster IP address. Firewall will challenge you for username, then
> for password and finally for a Method (keep the default: Standard Sign-on).
>
> After you pass a successful authentication you can access the web from the
> authenticated machine.
>
> For more information and advanced authentication options, please contact
> me.
>
> Reuven Harrison
> Tufin Technologies
> http://www.tufin.com
>
> > -----Original Message-----
> > From: Fabio Maria Teti [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, February 21, 2004 12:37 PM
> > Subject: Client Authentication problem
> >
> > Hi All, I have a problem with NGwAI R54 and Client Authentication.
> >
> > Well, I start with a simple default CP configuration with two FW-1 in
> > cluster on two IP330 NOKIA and check the Client Authentication.
> >
> > 1: If I write a URL in my browser to connect to a remote site,
> > Firewall-1 redirects the browser to its IP address and to port 80, and
> > everything stops.
> >
> > 2: If I configure the IP address of the Cluster as "http proxy" in my
> > browser, the authentication starts but the firewall returns an error
> > because the option http_proxy_mode is not set (and this event is ok,
> > because I don't want a proxy configuration), but if at this moment I
> > remove the proxy configuration in my browser and try to connect to the
> > remote site, everything works fine.
> >
> > I studied some documentation about firewall-1 and I explain what I
> > think about: probably the redirection to the security server of the
> > firewall is right for client authentication, but in this way the
> > original URL is lost and the firewall is not able to find the remote
> > site, so Client Authentication doesn't start. With the proxy
> > configuration on the browser I send to the firewall the remote site
> > URL, so authentication starts, but the firewall doesn't work like a
> > proxy, so it returns an error but opens the proper rule to trust the
> > client and leaves the connection free when I remove the proxy setting
> > in the browser and connect successfully to the remote site.
> >
> > I am becoming crazy with my problem... can anybody help me?
> >
> > Thank you, thank you... very very much!
> >
> > Fabio Teti
