Here is what I had to do... The following changes appeared to have fixed problems I was having with FP2:
1) Use dbedit to modify the following parameters:
   :http_connection_method_transparent (true)
   :http_connection_method_proxy (true)
   :http_connection_method_tunneling (true)
   :http_max_header_length (8492)
   :http_max_url_length (8492)
   :http_allow_ranges (true)
   :http_cvp_allow_chunked (true)
   :http_allow_double_slash (true)
   :http_check_request_validity (false)
   :http_check_response_validity (false)
   :http_allow_content_disposition (true)
   :http_enable_uri_queries (false)
   :http_disable_content_type (true)
   :http_disable_content_enc (true)
2) cpstop
3) Edit /conf/fwauthd.conf on the management module and add
   443 fwssd in.ahttpd wait 0
4) cpstart
5) Edit the HTTPS service in the GUI and under the advanced button make the service HTTP. I also made mine available for TCP resources, which is another check box on the same advanced tab.
6) Make one rule for HTTPS traffic
   localusers@localnet -> any -> HTTPS -> user auth (set to all servers)
7) Make one rule for other authed traffic such as HTTP and FTP
   localusers@localnet -> any -> Authenticated Group -> user auth (set to all servers)
8) Set the browser proxy to be the internal interface of the FW-1 gateway, port 80, for all services

-Steve S.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Serwatko Pawel
Sent: Thursday, January 30, 2003 8:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] user authentication with HTTPS

Hello,

I'm using FW-1 NG FP3 with the latest hotfixes. I have a problem with http through proxy on port 443. I made changes in fwauthd.conf (added the line "443 fwssd in.ahttpd wait 0") and bounced the firewall. Next I changed the service https -> advanced -> Protocol type: HTTP, and a resource with proxy and tunneling enabled, and in the match field there is "*:443". So I made a rule like this:

users@netslocal -> any -> https->https_resource -> Client Auth -> log -> any_time

There is no problem with https via proxy but https doesn't want to work.
I tried to move this rule to be the first in the policy editor. Then I tried to change authentication to User Auth, and it is still the same. In the Knowledge Base on the CheckPoint site I found a description of what to do to make https work through a proxy. I used GUIDBedit to change these lines:

http_connection_method_proxy true - default is false
http_connection_method_transparent true
http_connection_method_tunneling true - default is false

In Global properties -> firewall properties

This operation also didn't do anything positive. Can you help me with what to do to make it work?

Thanks a lot for any help

Pawel Serwatko
Firewall administrator
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Mauricio Munoz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 30, 2003 12:11 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] user authentication with HTTPS

Hello,

When you use user auth, you are arising security servers, so, if you want to use user auth with https, you have to add a line within fwauthd.conf. To add that line, copy the line for port 80, and change the port number to 443 (ssl). Before changing the file, make a backup, and after the changes were made, bounce the firewall service.

====================================
Mauricio F. Muñoz Quevedo
Security Consultant
====================================

"Gil, Ruben" <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]kpoint.com>
29/01/2003 02:47 p.m.
Please respond to Mailing list for discussion of Firewall-1

To: [EMAIL PROTECTED]
cc:
Subject: [FW-1] user authentication with HTTPS

Hello,

I'd like to know how to configure user authentication with HTTPS (without logical server, if it was possible). The firewall version is NG FP2.

Thanks,

=================================================
To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
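
The fwauthd.conf step described in the thread (back up the file, copy the port 80 line, change the port to 443), as an added example that is not part of the original messages. The function name, the `.bak` suffix and the sample file contents are assumptions; the file path is passed as an argument and the firewall services still have to be restarted afterwards as the posters describe.

```shell
#!/bin/sh
# add_https_authd CONF
# Idempotently add a port-443 in.ahttpd entry to a fwauthd.conf-style file
# by cloning the existing port-80 entry. A backup is written to CONF.bak
# (suffix is an assumption) before the file is touched.
add_https_authd() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Already configured: leave the file alone so repeated runs are harmless.
    if awk '$1 == "443" && $3 == "in.ahttpd" { found = 1 }
            END { exit !found }' "$conf"; then
        echo "443 entry already present in $conf"
        return 0
    fi

    # Clone the port-80 line, keeping its original whitespace and fields.
    line443=$(awk '$1 == "80" && $3 == "in.ahttpd" {
                       sub(/80/, "443"); print; exit }' "$conf")
    [ -n "$line443" ] || { echo "no port 80 in.ahttpd entry to copy" >&2; return 3; }

    cp -p "$conf" "$conf.bak" || return 4

    # If the last line has no terminating newline, add one first so the
    # new entry does not get glued onto the previous line.
    if [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf '%s\n' "$line443" >> "$conf"
    echo "added: $line443"
}

# Demo on a constructed sample file (not taken from a real gateway).
demo=$(mktemp)
printf '21\tfwssd\tin.aftpd\twait\t0\n80\tfwssd\tin.ahttpd\twait\t0\n' > "$demo"
add_https_authd "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```
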
