[FW1] SSL / ACE
I am running a Nokia 330, 4.1sp2. I have a client (browser) in front of the FW, 2 SSL web servers behind the firewall, and an ACE (SecurID) server off of a 3rd leg on the FW. The requirement is to simply have the browsers on the front be able to access the different SSL web servers behind, but authenticating against the ACE server using SecurID first before being allowed access to any of the web servers. Also there is a requirement to have the initial connection encrypted so the SecurID username and pw aren't sent in the clear, being that these clients will eventually be on the Internet. How can I set this up?

A lot of documents I see seem to lean toward the fact of using the HTTP security server, setting up "nicknames" for the SSL servers behind the firewall, and connecting to the front of the firewall in the URL instead of the real IPs of the web servers behind. This will allow the SSL connection to happen from client to front of firewall and have the FW proxy the connection to the web server, something like this: https://front.of.firewall.address/nickname_of_ssl_server. Unfortunately this doesn't seem to work no matter what I do.

There is also the question of how I deal with the SSL certificates, since they would need to be installed ON the firewall. I don't want browsers to give the users popup messages saying the certificate doesn't match the hostname of the web server they are trying to hit. This would be a concern being that you would always be hitting the front of the firewall no matter what web server you were trying to access.

I've been battling this for a week or so now and am running out of time to get a working configuration up to management, you know how that goes :-). Any help would be appreciated. Thanks!