
Re: [FW-1] HTTP(S) authentication to firewall



Hi,
authentication using a Web page is possible when you have used Client
Authentication. The user connects to the Firewall, authenticates, and
then his IP address is able to use the services accepted by a rule like

users@InternalNet   Internet  anyService   ClientAuth ...

For the authentication, a direct connection to the Firewall is necessary,
so you will have to accept this before your Stealth rule - or you put
the rule for authentication before this rule.
The connection (using default ports) is to port 900/tcp. But you can
change this by editing $FWDIR/conf/fwauthd.conf to any other port you
want. Just find the line

900     fwssd       in.ahclientd    wait    900

and customize the port. Connecting to the configured port with HTTP will
not require a separate Web server, but it has to be accepted by the
Firewall. The pages can be customized by editing the HTML files in
$FWDIR/conf/ahclientd. Be careful not to "destroy" the forms.
It's necessary to define the users in the user manager. First, define a
template and then each user. They can also be imported, if you have
exported them before (fwm dbexport / fwm dbimport).
If you want to use HTTPS/SSL for authentication, please have a look at
http://www.fw-1.de/aerasec/ng/client-auth-ssl.html
Hope it helps,
best regards,
Matthias



David Gillett wrote:
>   I'm replacing the hardware running FW-1 NG FP2 using
> SecurePlatform.  I've got the software installed on the
> new hardware, but I've hit a snag duplicating part of
> the existing configuration.  (Basic spec:  Users should
> not notice any change when the switch is made.)
>
>   We have one subnet whose users must authenticate against
> the firewall before they are allowed to connect out to the
> Internet.  With the old hardware in place, they can use a
> shortcut to get to a login web page hosted on the firewall.
> With the new hardware in place, this never connects and
> eventually times out.
>
>   Which isn't entirely surprising.  At very least, I need
> to somehow recreate the user/password list on the new box.
> I don't know if I also need to do something to install/run
> a web server on the box, and/or make sure it will accept
> connections.
>   I don't know how to do any of this.  (Well, I have installed
> and configured Apache before, but I don't know if that's even
> necessary in this scenario....)


--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
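The two points in Matthias' reply that are easiest to get wrong when rebuilding the box are the port edit in fwauthd.conf and the rule order (the accept for the authentication port must sit above the Stealth rule). The script below is an added example, not part of the original post and not Check Point's own tooling. It assumes the fwauthd.conf line layout quoted above, where the port appears in the first and in the last column, so both columns are rewritten together. $FWDIR, the port 8900, the gateway object name FW-Gateway, the service name FW1_clntauth and the one-rule-per-line listing format used for the order check are all assumptions made for the example; the conf file and rule listing it operates on are constructed in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post, not Check Point's own tooling).
# Assumes the fwauthd.conf line layout quoted in the thread:
#     <port>  fwssd  in.ahclientd  wait  <port>
# i.e. the port is in the first and the last column, so both must change.
# $FWDIR and the chosen port are placeholders you substitute on the real box.

# Print the port currently configured for the Client Authentication daemon.
get_ahclientd_port() {
    awk '$3 == "in.ahclientd" { print $1; exit }' "$1"
}

# Rewrite the in.ahclientd line so both port columns carry the new port.
# Other lines (in.aftpd, in.ahttpd, in.aclientd, ...) are copied unchanged.
# Usage: set_ahclientd_port "$FWDIR/conf/fwauthd.conf" 8900
set_ahclientd_port() {
    conf=$1
    newport=$2
    case $newport in
        ''|*[!0-9]*) echo "port must be numeric: '$newport'" >&2; return 1 ;;
    esac
    if [ "$newport" -lt 1 ] || [ "$newport" -gt 65535 ]; then
        echo "port out of range: $newport" >&2; return 1
    fi
    if ! grep -q 'in\.ahclientd' "$conf"; then
        echo "no in.ahclientd line in $conf" >&2; return 1
    fi
    cp -p "$conf" "$conf.bak" || return 1      # keep a copy to roll back
    awk -v p="$newport" '
        $3 == "in.ahclientd" { printf "%s\t%s\t%s\t%s\t%s\n", p, $2, $3, $4, p; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# Rule-order check: the rule accepting the auth service on the gateway must
# come before the Stealth rule (drop Any -> gateway), or clients never reach
# the login page. Input is a constructed text listing (not a real fw export),
# one rule per line: "<no> <src> <dst> <service> <action>".
# Returns 0 if the accept rule precedes the first drop-to-gateway rule.
auth_rule_before_stealth() {
    listing=$1
    gw=$2
    accept_no=$(awk -v g="$gw" '$3 == g && $4 == "FW1_clntauth" && $5 == "accept" { print $1; exit }' "$listing")
    stealth_no=$(awk -v g="$gw" '$3 == g && $4 == "Any" && $5 == "drop" { print $1; exit }' "$listing")
    [ -n "$accept_no" ] || { echo "no accept rule for FW1_clntauth to $gw" >&2; return 1; }
    [ -z "$stealth_no" ] && return 0           # no Stealth rule at all
    [ "$accept_no" -lt "$stealth_no" ]
}

# Stand-alone demo on constructed files in a temp directory.
demo() {
    d=$(mktemp -d) || exit 1
    # Constructed fwauthd.conf with the default 900/tcp line.
    printf '21\tfwssd\tin.aftpd\twait\t0\n900\tfwssd\tin.ahclientd\twait\t900\n' > "$d/fwauthd.conf"
    set_ahclientd_port "$d/fwauthd.conf" 8900
    echo "in.ahclientd now listens on port $(get_ahclientd_port "$d/fwauthd.conf")"
    # Constructed rule listing: auth accept (1) sits above the Stealth rule (2).
    printf '1 InternalNet FW-Gateway FW1_clntauth accept\n2 Any FW-Gateway Any drop\n3 users@InternalNet Internet Any ClientAuth\n' > "$d/rules.txt"
    if auth_rule_before_stealth "$d/rules.txt" FW-Gateway; then
        echo "rule order OK: auth accept precedes the Stealth rule"
    else
        echo "auth accept rule is below the Stealth rule, clients will time out"
    fi
    rm -rf "$d"
}
demo
```

After editing the real $FWDIR/conf/fwauthd.conf the policy has to be reinstalled for the daemon to pick up the new port, and the accept rule for the new port must be in the rulebase above the Stealth rule, otherwise the client sees exactly the timeout described in the question.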

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================