Re: [FW1] http domain filter



With user auth, they will be challenged each time. Have you tried partially automatic client auth?

[email protected] wrote:

> I would love to do that, but the domain objects won't take in a rule when
> using User Auth!  You have to put the domain objects in that particular
> user's permissions.  Then I still get the same problem, users are being
> prompted when they come across a resource they don't have access to.  This
> is very frustrating!
>
> Cheers,
>
> Jamie
>
> -----Original Message-----
> From: CryptoTech [mailto:[email protected]]
> Sent: Tuesday, November 21, 2000 8:53 PM
> To: MIS Security Alerts
> Cc: [email protected]
> Subject: Re: [FW1] http domain filter
>
> I would just set up domain objects and use them in the destination field.
> This way they are evaluated upon use (then cached per the DNS valid
> interval.)  This should work quite well.
>
> The resource idea is not bad, but tends to work better if you just used ip
> addrs.
>
> So just create domain objects like yahoo.com, <sitename.com>, and so on.
>
> HTH,
> CryptoTech
>
> [email protected] wrote:
>
> > I am trying to set up simple access rules for 4 different groups.  These
> > groups have a variety of different access to sites like av.com, yahoo.com,
> > etc.  I am toying with a few ideas and I want to bounce it off a few people.
> > My desired result is to use something like domain objects so that I don't
> > have to manually input any changes when yahoo gets a new server.  I have
> > gotten it to work using URI resources and it works great, BUT (and you knew
> > there was a but) when someone accesses a site they don't have permissions to,
> > it just comes up with user/pass prompts until it finally moves to an Error
> > 407 - not "Access Denied."  Here is what I have found the reason to be: the
> > rule setup to allow users to these sites is below
> >
> > Group1@internal any     http->www.yahoo.com     User Auth       Account
> >
> > It looks as though because the destination is any I will never see that
> > access denied error.  A solution was to use the domain objects in the dest
> > field, only they are not allowed when using User Auth.  Now this may appear
> > to be cosmetic only and not bother fixing, but when a user accesses
> > yahoo.com, several gif's on that page are called from other URL's.  So, in
> > order to load the page the users will get frustrated after trying their
> > user/pass so many times.  It will eventually load without those gif's.  If I
> > specify the IP of yahoo.com as the dest, the page loads no problem and just
> > ignores the gif's (no prompts because access is denied).
> >
> > Anyone know the secret or have a few moments to spare and test my theories?
> >
> > Cheers,
> >
> > Jamie Doherty
> >
> > The information transmitted by the following E-Mail is intended only for
> > the addressee and may contain confidential and/or privileged material. Any
> > interception, review, retransmission, dissemination, or other use, or taking
> > any action upon this information by persons or entities other than the
> > intended recipient is prohibited by law and may subject them to criminal or
> > civil liability. If you received this communication in error, please contact
> > us immediately atext. 3600 and delete the communication from
> > any computer or network system.
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================

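Added example, not part of the original thread and not Check Point code: a simplified first-match model of the explanation given in the original question, showing why a User Auth rule with destination "any" answers every embedded off-site image with a 407 challenge, while a rule pinned to the site's IP lets those requests fall through to a silent drop. The Rule class, the embedded hosts and all IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    group: str                          # source user group, or "any"
    dest_ips: Optional[FrozenSet[str]]  # None models destination "any"
    hosts: Optional[FrozenSet[str]]     # URI-resource host list; None = no resource
    action: str                         # "user_auth" or "drop"

def evaluate(rules, group, host, dst_ip):
    """Return 'allow', '407' or 'drop' for one HTTP request (first match wins)."""
    for rule in rules:
        if rule.group not in ("any", group):
            continue
        if rule.dest_ips is not None and dst_ip not in rule.dest_ips:
            continue                    # destination does not match, try next rule
        if rule.action == "drop":
            return "drop"
        # The rule matched on source/destination, so the authenticating proxy owns
        # the connection; a host outside the resource gets a challenge, not a deny.
        if rule.hosts is None or host in rule.hosts:
            return "allow"
        return "407"
    return "drop"                       # implicit cleanup rule

def load_page(rules, group, requests):
    """Count outcomes for every (host, dst_ip) request one page load triggers."""
    counts = {"allow": 0, "407": 0, "drop": 0}
    for host, dst_ip in requests:
        counts[evaluate(rules, group, host, dst_ip)] += 1
    return counts

# Constructed sample: the page itself plus two images served from other hosts.
PAGE = [("www.yahoo.com", "192.0.2.10"),
        ("img.example.net", "198.51.100.20"),
        ("gif.example.org", "203.0.113.30")]

DROP_ALL = Rule("any", None, None, "drop")
# Destination "any" with a URI resource, as in the rule quoted in the thread.
RESOURCE_RULES = [Rule("Group1", None, frozenset({"www.yahoo.com"}), "user_auth"), DROP_ALL]
# Destination pinned to the site's address, the variant that loaded without prompts.
IP_RULES = [Rule("Group1", frozenset({"192.0.2.10"}), None, "user_auth"), DROP_ALL]

if __name__ == "__main__":
    print("dest any + resource:", load_page(RESOURCE_RULES, "Group1", PAGE))
    print("dest = site IP:     ", load_page(IP_RULES, "Group1", PAGE))
```
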


   All contents © 2004 Network Presence, LLC. All rights reserved.