Hi,

authentication using a Web page is possible when you have used Client Authentication. The user connects to the Firewall, authenticates, and then his IP address is able to use the services accepted by a rule like

  users@InternalNet   Internet   anyService   ClientAuth ...

For the authentication, a direct connection to the Firewall is necessary, so you will have to accept this before your Stealth rule - or you put the rule for authentication before this rule. The connection is (using default ports) to port 900/tcp. But you can change this by editing $FWDIR/conf/fwauthd.conf to any other port you want. Just find the line

  900 fwssd in.ahclientd wait 900

and customize the port. Connecting to the configured port with http will not require a separate Web server, but it has to be accepted by the Firewall. The pages can be customized by editing the HTML files at $FWDIR/conf/ahclientd. Be careful not to "destroy" the forms.

It's necessary to define the users in the user manager. First, define a template and then each user. They can also be imported, if you have exported them before (fwm dbexport / fwm dbimport).

If you want to use HTTPS/SSL for authentication, please have a look at http://www.fw-1.de/aerasec/ng/client-auth-ssl.html

Hope it helps, best regards,
Matthias

David Gillett wrote:
> I'm replacing the hardware running FW-1 NG FP2 using SecurePlatform. I've got the software installed on the new hardware, but I've hit a snag duplicating part of the existing configuration. (Basic spec: Users should not notice any change when the switch is made.)
>
> We have one subnet whose users must authenticate against the firewall before they are allowed to connect out to the Internet. With the old hardware in place, they can use a shortcut to get to a login web page hosted on the firewall. With the new hardware in place, this never connects and eventually times out. Which isn't entirely surprising.
>
> At the very least, I need to somehow recreate the user/password list on the new box. I don't know if I also need to do something to install/run a web server on the box, and/or make sure it will accept connections. I don't know how to do any of this. (Well, I have installed and configured Apache before, but I don't know if that's even necessary in this scenario...)
-- 
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
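An added example (not from Matthias's post or from Check Point's own tooling) of the fwauthd.conf change described above: a POSIX shell function that moves in.ahclientd to a new port on a copy of the file. It assumes that the first and the last field of each fwauthd.conf line are the listening port and must be changed together, and it works on a constructed sample of the file rather than a real $FWDIR/conf/fwauthd.conf.

```shell
#!/bin/sh
# Added example: rewrite the in.ahclientd line of a fwauthd.conf copy so the
# Client Authentication web page listens on a different port.
# Assumption: fields 1 and 5 of a line are both the port and must stay in sync.

# Constructed sample of the two client-auth lines (not a real fwauthd.conf).
SAMPLE_CONF='259 fwssd in.aclientd wait 259
900 fwssd in.ahclientd wait 900'

# Usage: set_ahclientd_port <conf-file> <new-port>
# Prints the rewritten file on stdout; returns 1 on a bad or conflicting port.
set_ahclientd_port() {
    conf="$1"; port="$2"
    # The port must be a number in 1..65535.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Refuse a port another daemon in the file already listens on
    # (e.g. 259, which in.aclientd uses for the Telnet-style client auth).
    if awk -v p="$port" '$1 == p && $3 != "in.ahclientd" { found = 1 }
                          END { exit !found }' "$conf"; then
        echo "port $port already used by another daemon in $conf" >&2; return 1
    fi
    # Change only the in.ahclientd line, updating both port fields.
    awk -v p="$port" '$3 == "in.ahclientd" { $1 = p; $5 = p } { print }' "$conf"
}

# Stand-alone demo: move the daemon to 4430 in a temp copy of the sample.
demo() {
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    set_ahclientd_port "$tmp" 4430; rc=$?
    rm -f "$tmp"; return $rc
}
```

Whatever port you choose, the rule base must still accept connections to it on the Firewall itself, exactly as for the default 900/tcp.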
