
RE: [FW1] http domain filter



I would love to do that, but the domain objects won't take in a rule when
using User Auth!  You have to put the domain objects in that particular
user's permissions.  Then I still get the same problem: users are being
prompted when they come across a resource they don't have access to.  This
is very frustrating!

Cheers,

Jamie

-----Original Message-----
From: CryptoTech [mailto:[email protected]]
Sent: Tuesday, November 21, 2000 8:53 PM
To: MIS Security Alerts
Cc: [email protected]
Subject: Re: [FW1] http domain filter



I would just set up domain objects and use them in the destination field.
This way they are evaluated upon use (then cached per the DNS valid
interval.)  This should work quite well.

The resource idea is not bad, but tends to work better if you just use IP
addrs.

So just create domain objects like yahoo.com, <sitename.com>, and so on.

HTH,
CryptoTech

[email protected] wrote:

> I am trying to set up simple access rules for 4 different groups.  These
> groups have a variety of different access to sites like av.com, yahoo.com,
> etc.  I am toying with a few ideas and I want to bounce it off a few people.
> My desired result is to use something like domain objects so that I don't
> have to manually input any changes when yahoo gets a new server.  I have
> gotten it to work using URI resources and it works great, BUT (and you knew
> there was a but) when someone accesses a site they don't have permissions to,
> it just comes up with user/pass prompts until it finally moves to an Error
> 407 - not "Access Denied."  Here is what I have found the reason to be: the
> rule setup to allow users to these sites is below
>
> Group1@internal any     http->www.yahoo.com     User Auth       Account
>
> It looks as though because the destination is any I will never see that
> access denied error.  A solution was to use the domain objects in the dest
> field, only they are not allowed when using User Auth.  Now this may appear
> to be cosmetic only and not bother fixing, but when a user accesses
> yahoo.com, several gif's on that page are called from other URL's.  So, in
> order to load the page the users will get frustrated after trying their
> user/pass so many times.  It will eventually load without those gif's.  If I
> specify the IP of yahoo.com as the dest, the page loads no problem and just
> ignores the gif's (no prompts because access is denied).
>
> Anyone know the secret or have a few moments to spare and test my theories?
>
> Cheers,
>
> Jamie Doherty
>
> The information transmitted by the following E-Mail is intended only for
> the addressee and may contain confidential and/or privileged material. Any
> interception, review, retransmission, dissemination, or other use, or taking
> any action upon this information by persons or entities other than the
> intended recipient is prohibited by law and may subject them to criminal or
> civil liability. If you received this communication in error, please contact
> us immediately atext. 3600 and delete the communication from
> any computer or network system.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.