Dee,
I believe if you inspect your rulebase, you may find something like internal any any
accept after the user authentication rule.
I had this same scenario in a lab environment and the problem as I found it is as
follows:

Rule X             allusers@internal    intranet_net    http    user_auth

Rule X+anything    internal             any             any     accept

Reason:  If the user from the internal net were to fail the authentication (as he
will do the first time because the firewall does not know who the user is), the
user would pass on the subsequent rule.  This usually precipitates an entry in the
log: reason No authentication required.  (I believe this message only shows on
telnet.)  HTTP accepts will pass on the subsequent rule.

You may also want to check the user auth properties to validate that this is for all
servers, and not predefined only.

A further analysis will require a generalization of your rulebase as pertains to the
http service...

HTH,
CryptoTech

"Veasey, Dee" wrote:

> We have two separate networks (secure and non-secure). Client workstations
> can switch between the two networks (access controlled via Checkpoint FW-1).
> Intranet resources (servers) are accessible from both environments, when a
> client tries to access a HTTP intranet web server site (that requires a
> domain userid/password), from the non-secure side, everything works fine.
> When the same client tries to access the same site from the secure side, the
> password dialog box never appears, therefore authentication does not take
> place and access is not granted. Has anyone experienced this problem?
> Clients are using Internet Explorer 5.1 from both sides and there are no
> drops or errors detected in the FW-1 logs. We are running Checkpoint
> Firewall-1 on a Solaris 2.6 system. Any help is appreciated. Thanks, Dee
> Veasey, unitedspacealliance
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
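
Added example (not part of the original message, and not Check Point code): a small rulebase check for the ordering problem described in the reply, where a plain accept rule below a user_auth rule covers the same traffic. It uses a simplified model; the object names, the containment map and the Rule class are assumptions made for illustration.

```python
# Simplified rule-ordering check; constructed data, not FireWall-1's engine.
from dataclasses import dataclass

# Constructed containment map: object -> broader objects that include it.
CONTAINED_IN = {
    "allusers@internal": {"internal", "any"},
    "internal": {"any"},
    "intranet_net": {"any"},
    "http": {"any"},
}

@dataclass
class Rule:
    num: int
    source: str
    dest: str
    service: str
    action: str

def covers(broad, narrow):
    """True if object `broad` equals or contains object `narrow`."""
    return broad == narrow or broad in CONTAINED_IN.get(narrow, set())

def shadowed_auth_rules(rulebase):
    """Return (auth_rule, accept_rule) number pairs where a later plain
    accept rule matches everything the user_auth rule matches."""
    findings = []
    for i, auth in enumerate(rulebase):
        if auth.action != "user_auth":
            continue
        for later in rulebase[i + 1:]:
            if (later.action == "accept"
                    and covers(later.source, auth.source)
                    and covers(later.dest, auth.dest)
                    and covers(later.service, auth.service)):
                findings.append((auth.num, later.num))
    return findings

# Constructed rulebase mirroring the two rules quoted in the reply.
RULEBASE = [
    Rule(1, "allusers@internal", "intranet_net", "http", "user_auth"),
    Rule(2, "internal", "any", "any", "accept"),
]
# Constructed variant: the later accept no longer covers http.
NARROWED = [RULEBASE[0], Rule(2, "internal", "any", "dns", "accept")]

if __name__ == "__main__":
    for auth_num, accept_num in shadowed_auth_rules(RULEBASE):
        print(f"rule {auth_num} (user_auth) is covered by rule {accept_num} (accept)")
```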


