Try adding the module's object into the destination on the client auth
rule.
It performs a redirect using fwauthredirect and requires HTTP-authenticated
access to the module.
Justin
From: Fabio Maria Teti <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
Date: 26/02/2004 04:03
Please respond to Mailing list for discussion of Firewall-1
To: [EMAIL PROTECTED]
cc:
Subject: [FW-1] Client Authentication problem 2nd
Sorry, probably I wasn't really clear in explaining the situation...
Ok, I agree I don't want to configure my browser, also because I want to
configure "client authentication in transparent mode", so that users can
address remote web servers directly and do not have to re-authenticate
before their authentication timeout. I think in this mode requests are
forwarded automatically to the HTTP proxy (Security Server) in FW1 for the
authentication.
The problem I'm reporting is that configuring "transparent authentication"
as in the FW1 manual it doesn't work, and the problem seems to be caused by
the redirection to the HTTP Security Server, because after the redirection
the browser tries to connect to port 80 of the Cluster IP and everything
stops.
After trying different configurations I succeeded in making it work only
with the following firewall configuration and in the way described later.
Firewall configuration items:
a) User Authentication using RADIUS protocol (with a generic user to map
all users connecting to Internet). I also tested this configuration with
user authentication and it works fine;
b) Firewall rules are minimal (for testing):
--> [EMAIL PROTECTED] Any Any http Client_Auth Log;
c) client authentication options are:
-> Partially automatic
-> Standard Sign-On
-> Session Timeout 30 mins.
-> Unlimited number of sessions
d) I didn't create any resource bound to the http protocol;
If I try to connect to a remote site, the firewall doesn't ask me for
authentication and everything stops with the automatic redirection to port
80 of one of the two nodes of the cluster.
Now I follow 3 steps:
1) configuring manually in my browser the cluster IP as HTTP proxy
2) authenticating, but with the error that the firewall is not configured
as a proxy
3) removing the proxy configuration from the browser and now navigating the
Internet as regularly authenticated.
I hope I have explained my problem clearly now,
Thank you in advance
Fabio Teti
At 17:10, Wednesday 25 February 2004, you wrote:
> Hi,
> Configuring Client Authentication should be straight-forward, no need to
> configure anything in the browser.
>
> Make sure you have a user configured with authentication.
>
> Add a rule with client authentication for HTTP (and HTTPS), keep all
> defaults and install the policy on the cluster.
>
> Open a browser and type http://<cluster IP>:900 where <cluster IP> is the
> internal cluster IP address. Firewall will challenge you for username, then
> for password and finally for a Method (keep the default: Standard Sign-on).
>
> After you pass a successful authentication you can access the web from the
> authenticated machine.
>
> For more information and advanced authentication options, please contact
> me.
>
> Reuven Harrison
> Tufin Technologies
> http://www.tufin.com
>
> > -----Original Message-----
> > From: Fabio Maria Teti [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, February 21, 2004 12:37 PM
> > Subject: Client Authentication problem
> >
> >
> > Hi All, I have a problem with NGwAI R54 and Client Authentication.
> >
> > Well, I start with a simple default CP configuration with two FW-1 in
> > cluster on two IP330 NOKIA and check the Client Authentication.
> >
> > 1: If I write a URL in my browser to connect to a remote site,
> > Firewall-1 redirects the browser to its IP address and to port 80, and
> > everything stops.
> >
> > 2: If I configure the IP address of the Cluster as "http proxy" in my
> > browser, the authentication starts but the firewall returns an error
> > because the option http_proxy_mode is not set (and this event is ok,
> > because I don't want a proxy configuration), but if at this moment I
> > remove the proxy configuration in my browser and try to connect to the
> > remote site, everything works fine.
> >
> > I studied some documentation about firewall-1 and I explain what I
> > think about it: probably the redirection to the security server of the
> > firewall is right for client authentication, but in this way the
> > original URL is lost and the firewall is not able to find the remote
> > site, so Client Authentication doesn't start. With the proxy
> > configuration on the browser I send to the firewall the remote site
> > URL, so authentication starts, but the firewall doesn't work like a
> > proxy, so it returns an error but opens the proper rule to trust the
> > client and leaves the connection free when I remove the proxy set in
> > the browser and connect successfully to the remote site.
> >
> > I am becoming crazy with my problem... can anybody help me?
> >
> > Thank you thank you... very very much!
> >
> > Fabio Teti
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================