Piero,

Okay, there are two possible issues that I see here:

1) IMHO, Session Auth has never worked very well over slowish connections
(56k leased line, modems, etc.) It works great at LAN speeds, but I've
never seen it prove to be reliable over the slower connections.  Talked
about it with CKP support numerous times, and had them pretty much tell me
not to use it :-(

2) If you've got a reason (NAT) why Client Auth doesn't work, how is
Session Auth going to work?  Session Auth works something like this:

-User sends a POP3 request to a host in your DMZ (protected by the firewall)
-The firewall matches a "session auth" type rule for this, and then sends
out a packet to the source (client) IP address stating that a session
authentication username\passwd window should "pop-up". (Obviously this
requires the client has installed the session authentication agent software
on their PC - and that that agent is running) 
-The user then types in his/her username and passwd, and sends it back to
the firewall
-The firewall authenticates the traffic, puts it in the state table, and
the traffic is then allowed to pass

So, if you're not doing a static NAT on your outside firewall interface,
how can any firewall terminating authentication scheme work?  Just a
thought....

Jason
http://www.wittys.com


At 10:25 AM 6/5/00 +0200, [EMAIL PROTECTED] wrote:
>
>Anyone so kind to drop me a reply on session authentication? Essentially I need
>to know whether session auth works.
>Hereafter details on the problem I have.
>
>I've set session authentication for some users needing to access mail (pop3)
>from internet and do not get authentication prompt.
>I cannot use client auth (fw is in a private addressing range). I have gone
>through docs and mail at phoneboy's and checkpoint with no success.
>I've tried with both intersect user db and without.
>The error I get on the management is "reason Connection to Session Agent
>failed".
>Actually, after the first few attempts from the internet, I tried access
>directly from an attached network on external interface and still got the same
>error.
>I have also lined up session agent version (3.1b) on both machines.  Funny enough
>it worked if session auth is enabled on my FW, and I could get auth prompt at
>every attempt (but on the management). Obviously I don't think this is how it
>should work.
>Thanks in advance for your suggestions.
>Piero
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
>
>

