User Authentication grants access on a per user basis. This method can be used only
for "authenticated services" - TELNET, RLOGIN, FTP and HTTP and requires a separate
authentication for each connection. It is secure, because the authentication is valid
only for one connection, but intrusive, because each connection requires another
authentication.
Firewall-1 was not developed to be a proxy server, but because of the security server
concept, the functionality had to be included. The only way I can think of to maintain
So I don't know of a way (other than spawning multiple instances of security servers)
to improve performance, but the auth issue can be fixed by using
group@source any http clientauth (configured for partially automatic sign
on, and session timeouts specified on the limits page...)
Good Luck...
CryptoTech
"Matt M. Miller" wrote:
> Hello,
>
> Just installed squid proxy cache and I'm trying to get it working with our
>Checkpoint Firewall. The plan is for users to hit the internal interface of the
>proxy server and then the external interface of the proxy will connect to the
>firewall and request the page.
>
> We want the firewall to do the authentication because this is where the user
>database resides.
>
> Everything works except, when browsing, the user is prompted for a password for each
>object instead of just one time at the beginning of the session. This is obviously
>no good.
>
> I can set the clients to use the internal IP of the Firewall as their proxy, and then
>set the firewall to re-direct to squid.. But this seems inefficient and the client's
>browser will sometimes create a lot of redirect notifications. Performance also
>seems slower this way.
>
> Is there a way to have clients authenticate one time to the firewall and then have
>the proxy maintain the connection thereafter?
>
> If not, is there some way to convert a firewall user database to squid format?
>
> Thanks for the help!
>
> Matthew Miller
> Sr. WAN Engineer
> Provident Bank of Maryland
> (410) 277-7921
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================