
Re: [FW-1] HTTPS issue with NG FP3 user auth



Hey... this is the original resolution for NG platforms!!!
This works fine.

Bye,

loop



*******************************************************************

Solution:
In order to enable browsing websites using HTTPS with User Authentication,
proceed with the following:

On the firewall module
======================

1. Issue cpstop

2. Make a complete backup of the $FWDIR/conf/fwauthd.conf file

3. Open the $FWDIR/conf/fwauthd.conf file with a text editor

4. Add the following entry to the fwauthd.conf file, using the same syntax
and spacing as the other entries in the file:

443 fwssd in.ahttpd wait 0

5. Save the $FWDIR/conf/fwauthd.conf file

6. Issue cpstart

On the management module
========================
1. Close all GUI clients

2. Issue the dbedit command

3. Hit the enter key when asked to enter the server name

4. Enter the firewall administrator name

5. Enter the firewall administrator password

6. Enter the following series of commands:

modify properties firewall_properties http_connection_method_proxy true
modify properties firewall_properties http_connection_method_transparent
true
modify properties firewall_properties http_connection_method_tunneling true
update properties firewall_properties
quit


7. Open the Policy Editor

8. Select Manage > Services

9. In the Services dialog box, select https from the services list

10. Click on Edit

11. In the TCP Service Properties dialog box, click on Advanced in the
General tab

12. In the Advanced TCP Service Properties dialog box, set the Protocol Type
drop down list to HTTP

13. Check the Enable TCP resource check box

14. Click on OK in the Advanced TCP Service Properties dialog box

15. Click on OK in the TCP Service Properties dialog box

16. Click on Close in the Services dialog box

17. Create the following User Authentication rule in the rulebase
(internal_net represents the internal network in the following sample rule):

SOURCE: All Users@internal_net
DESTINATION: Any
SERVICE: https
ACTION: User Auth
TRACK: Log
INSTALL ON: Policy Targets

18. Right click on the User Auth icon under the ACTION column and select
Edit properties

19. In the User Authentication Action Properties dialog box, select the All
servers radio button in the HTTP section of the General tab

20. Click on OK in the User Authentication Action Properties dialog box

21. Install the security policy

****************************************************************************
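For the firewall-module half of both procedures in this thread (the NG resolution above and the 4.1-style workaround quoted further down), here is an added helper that is not from the page, the thread or Check Point: a POSIX shell function that makes the fwauthd.conf edit reproducible. Rather than hard-coding the entry, it clones the file's existing port-80 in.ahttpd line with the port changed to 443, so the new line has the same syntax and spacing the resolution asks for on either file format; it takes the backup first, refuses to add a second 443 entry, and refuses outright if port 443 is already assigned to a different daemon. The fwauthd.conf line format and $FWDIR are from the page; the function names, the backup naming and the sample file used in testing are my own.

```shell
#!/bin/sh
# Added example (not Check Point's tooling): add the HTTPS security-server entry
# to $FWDIR/conf/fwauthd.conf by cloning the existing port-80 in.ahttpd line,
# so the new line matches the file's own syntax and spacing (NG: "80 fwssd
# in.ahttpd wait 0"; 4.1: "80 in.ahttpd wait 0"). Run after cpstop/fwstop.
# Assumes FWDIR is set, as it is in a Check Point shell; the path argument is
# optional and mainly there so the function can be tried on a copy first.

add_https_authd_entry() {
    conf="${1:-$FWDIR/conf/fwauthd.conf}"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Is anything already bound to 443 for the auth daemons?
    existing=$(awk '$1 == "443" { print; exit }' "$conf")
    if [ -n "$existing" ]; then
        case "$existing" in
            *in.ahttpd*) echo "port 443 in.ahttpd entry already present in $conf"; return 0 ;;
            *) echo "port 443 already bound to another daemon: $existing" >&2; return 5 ;;
        esac
    fi

    # Template: the HTTP security-server line, whatever spacing this file uses.
    template=$(awk '$1 == "80" && $0 ~ /in\.ahttpd/ { print; exit }' "$conf")
    [ -n "$template" ] || { echo "no port-80 in.ahttpd line to clone in $conf" >&2; return 3; }

    # Step 2 of the resolution: keep a complete backup before touching the file.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 4

    # Swap only the leading port field; everything after it is copied byte for byte.
    printf '%s\n' "$template" | sed 's/^80\([[:space:]]\)/443\1/' >> "$conf"
    echo "added: $(tail -1 "$conf")"
}

# Verification before cpstart: number of port-443 in.ahttpd entries (expect 1).
https_authd_entries() {
    awk '$1 == "443" && $0 ~ /in\.ahttpd/ { n++ } END { print n + 0 }' "${1:-$FWDIR/conf/fwauthd.conf}"
}
```

Call it with no argument on the module (after cpstop, before cpstart), or with the path to a copy of the file to see what it would do; https_authd_entries should print 1 afterwards. The management-module commands are unchanged; if you would rather not type them interactively, dbedit can read them from a file (dbedit -f, as far as I recall; check the usage line of your version). One caveat on the resulting setup: with tunneling enabled and the rule's HTTP section set to All servers, the security server is acting as a CONNECT proxy for authenticated users and cannot see inside the TLS session, so the rule's Destination column is effectively the only thing limiting where those users can tunnel to on port 443; leave it at Any only if that is intended.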



-----Original message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On behalf of Chris
Dias
Sent: Monday, 22 September 2003 11:20
To: [email protected]
Subject: Re: [FW-1] HTTPS issue with NG FP3 user auth


Great response!! Let us all know if it works.

mcabrera <[email protected]> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey... Vijay!!!

You are having problems with https?
OK, follow this resolution...
Bye.

loop

***********************************************

Follow the workaround below:

1. Stop the FireWall using the fwstop command.
2. Modify the file $FWDIR/conf/fwauthd.conf. Add the following at
the top of the file:

443 in.ahttpd wait 0

3. The entry should be similar to the others already listed in
the file. (Be aware that on NT, when you open this file with edit.com
from the command prompt, it only recognizes 8.3 file names. You can
verify that you are in the proper file because you will see several
lines similar to the one listed above.)
4. Re-start the FireWall using the fwstart command.
5. Start the Policy Editor and go to Manage > Services, and edit the
HTTPS service.
6. Re-define the 'Protocol Type' as a URI.

For this example, we will create 'Test' as the user and use FW
Authentication.

7. Ensure that the authentication method used is enabled in the
FireWall object.
8. Place the users in a group.

For this example, we will use 'User_Auth_group' as the source of this
rule.

9. Ensure that there are no existing rules that allow HTTPS, and
create a new rule as follows:

User_Auth_Group@ / Any / HTTPS / User Auth / Long

10. Edit the User Auth action of this rule and define 'All Servers'.
11. Install this policy.
12. Modify the Client's machine that is being Authorized for HTTPS:
13. Open the browser and edit the Proxy properties to reflect a
change for Security or HTTPS Proxy, and point it at the internal
FireWall interface, port 443.

At this point you should be able to enter an address such as
https://www.firemail.de (or equivalent) in the browser, and a User
Authentication box should pop up.

1. Enter the username and password.
2. Verify that the site loads.


**********************************************************************




-----Original message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On behalf of Vijay
Sent: Friday, 19 September 2003 20:44
To: [email protected]
Subject: Re: [FW-1] HTTPS issue with NG FP3 user auth


Hi Chris,
No, I haven't tried opening all the ports; since it's
user auth, I have to change it in the services as <443, am
I right? I changed the http parameters in objects_5_0.c
and user auth does work with FP3, but only for HTTP
sites :(...
Please let me know if you have any tested solution.
Regards
Vijay
- --- Chris Dias wrote:
> Do you need to allow both ports 444 and 443 to pass
> through the fw?
> Do you need to allow ident port 113 - I don't
> believe secure applications use this port anymore -
> not sure.
> If you open the firewall wide open, what happens?
>
http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
>
> This one probably doesn't apply.
>
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbst
eps.asp
>
> Curious. What parameters did you change in userc.C?
>
> Elmar van Mourik wrote:
> As far as I know user auth is NOT working with https
> in FP 3.
> For that reason I want to upgrade to AI in the near
> future.
>
> Elmar van Mourik
>
> -----Original message-----
> From: Vijay [mailto:[email protected]]
> Sent: Thursday, 18 September 2003 15:16
> To: [email protected]
> Subject: [FW-1] HTTPS issue with NG FP3 user auth
>
>
> Dear Checkpoint Gurus!!
> I have written about this issue before but did not get any
> answers, so I thought I would try again... I am
> installing Checkpoint NG FP3 on a Windows 2k box.
> I have this rule:
> Internal@user  https, http  User Auth  <---- Rule Number 1
> Initially user auth was not working for http, but
> after changing 3 http parameters in object_5_0.c, user
> authentication started working for HTTP sites only.
> For https sites like hotmail, or for that matter
> checkpoint secure knowledge, I was not able to get
> any page in the browser. On the firewall I am getting
> the accept for https requests.
> Anyone have any clue? Please please reply... I badly
> require a solution for this.
> Regards
> Vj
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
>
> No rights can be derived from the information in this message on
> account of its electronic transmission. If you have received this
> e-mail in error, please notify the sender via [email protected]
> and delete the data from your computer.
>
> Zuiveringsschap Hollandse Eilanden en Waarden,
> Dordrecht
> tel: +31 (0)78 6397100
> fax: +31 (0)78 6311871
> web: http://www.zhew.nl
>
>
>
> Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP + I, MCSE (Microsoft),
> CCNA, CCNP (Cisco), CSE (Novell)
> Address: 1121 Budapest
> Fülemile út 12-18 4.ép.3/11.
> Phone: 36 1 275-4008 Mobile: 06-20/803 9687
> [email protected]
>
>




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBP276q6GuAczL51ytEQLKrQCgtI5uSSTd4RkdYMDrT9+i2+sqTOUAn2+J
hViKHJN0nU5KpynI0RnAXdxJ
=WekV
-----END PGP SIGNATURE-----




Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP + I, MCSE (Microsoft),
CCNA, CCNP (Cisco), CSE (Novell)
Address: 1121 Budapest
Fülemile út 12-18 4.ép.3/11.
Phone: 36 1 275-4008 Mobile: 06-20/803 9687
[email protected]





   All contents © 2004 Network Presence, LLC. All rights reserved.