
[FW1] SSL / ACE



I am running a Nokia 330, 4.1sp2.  I have a client (browser) in front of the
FW, 2 SSL web servers behind the firewall, and an ACE (SecurID) server
off of a 3rd leg on the FW.  The requirement is to simply have the
browsers on the front be able to access the different SSL web servers
behind, but authenticating against the ACE server using SecurID first
before being allowed access to any of the web servers.  Also there is a
requirement to have the initial connection encrypted so the SecurID
username and pw aren't sent in the clear being that these clients will be
eventually on the Internet.  How can I set this up?  A lot of documents I see
seem to lean toward the fact of using the HTTP security server, setting up
"nicknames" for the SSL servers behind the firewall, and connecting to the
front of the firewall in the URL instead of the real IPs of the web servers
behind.  This will allow the SSL connection to happen from client to front
of firewall and have the FW proxy the connection to the webserver, something
like this: https://front.of.firewall.address/nickname_of_ssl_server.
Unfortunately this doesn't seem to work no matter what I do.  There is also
the question of how do I deal with the SSL certificates since they would
need to be installed ON the firewall.  I don't want browsers to give the
users popup messages saying the certificate doesn't match the hostname of
the web server they are trying to hit.  This would be a concern being that
you would always be hitting the front of the firewall no matter what web
server you were trying to access.  I've been battling this for a week or so
now and am running out of time to get a working configuration up to
management, you know how that goes :-).  Any help would be appreciated.
Thanks!



   All contents © 2004 Network Presence, LLC. All rights reserved.