Re: [FW-1] HTTPS issue with NG FP3 user auth
OK, I got the point, sir. Thanks a lot. I did everything correctly except for the proxy settings in the browser for secure sites. I got it; I can't believe I could miss this. Anyway, thanks a lot, mcabrera, and please let me know if in future you require any kind of help; I will try my level best to help you. This is my email ID: [email protected]. Thanks a lot.

--- mcabrera <[email protected]> wrote:
> The FW-1 acts like a proxy, this is obvious... in each host you should
> configure the browser on port 443.
> But what exactly is your doubt?
>
> loop
>
> -----Original message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On behalf of Vijay
> Sent: Monday, 22 September 2003 11:40
> To: [email protected]
> Subject: Re: [FW-1] HTTPS issue with NG FP3 user auth
>
> Hey,
> thanks a lot for your detailed procedure.
> I have tried all of them.
> The only difference I see in your solution is that the firewall is
> running an HTTPS server on 443. (I supposed this since you are telling
> me to change the proxy settings of the clients to the internal IP of
> the FW and port 443.) But my dear friend, how many times will the user
> keep on changing the port number? I mean, it's not feasible. There has
> to be some way by which the firewall accepts all the connections on
> port 80 and then does the PAT for the internal user and initiates
> another connection to "https" sites on 443. I am just trying to
> understand if this is the case.
> Thanks a lot. I have marked done or not done in your solution below
> and still HTTPS is not working...
> Though I see accept on the firewall...
>
> Regards
> Vijay
>
> --- mcabrera <[email protected]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hey...Vijay...!!!
> >
> > You are having problems with https?
> > Ok, follow this resolution...
> > Bye.
> >
> > loop
> >
> > ***********************************************
> >
> > Follow the workaround below:
> >
> > 1. Stop the FireWall using the fwstop command.
> > 2. Modify the file $FWDIR/conf/fwauthd.conf. Add the following at
> > the top of the file:
> >
> > 443 in.ahttpd wait 0
> >
> > 3. The entry should be similar to others that are already listed in
> > the file. (Be aware on NT: When you open this file with edit.com from
> > the command prompt, it will only recognize 8.3 file names. You can
> > verify that you are in the proper file because you will see several
> > lines similar to the one listed above).
> > 4. Re-start the FireWall using the fwstart command.
> > 5. Start the Policy Editor and go to Manage > Services, and edit the
> > HTTPS service.
> > 6. Re-define the 'Protocol Type' as a URI.
> >
> > For this example, we will create 'Test' as the user and use FW
> > Authentication.
> >
> > 7. Ensure that the authentication method used is enabled in the
> > FireWall object.
> > 8. Place the users in a group.
> >
> > For this example, we will use 'User_Auth_group' as the source of this
> > rule.
> >
> > 9. Ensure that there are no existing rules that allow HTTPS, and
> > create a new rule as follows:
> >
> > User_Auth_Group@<any> / Any / HTTPS / User Auth / Long
> >
> > 10. Edit the User Auth action of this rule and define 'All Servers'.
> > 11. Install this policy.
> > 12. Modify the Client's machine that is being Authorized for HTTPS:
> > 13. Open the browser and edit the Proxy properties to reflect a
> > change for Security or HTTPS Proxy, and point it at the internal
> > FireWall interface, port 443.
> >
> > At this point you should be able to enter an address such as
> > https://www.firemail.de (or equivalent) in the browser, and a User
> > Authentication box should pop up.
> >
> > 1. Enter the username and the password.
> > 2. Verify that the site loads.
> >
> > ***********************************************
> >
> > - -----Original message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[email protected]] On behalf of Vijay
> > Sent: Friday, 19 September 2003 20:44
> > To: [email protected]
> > Subject: Re: [FW-1] HTTPS issue with NG FP3 user auth
> >
> > Hi Chris,
> > No, I haven't tried opening all the ports. Since it's the user auth,
> > I have to change in the services as <443, am I right?
> > I changed http parameters in objects_5_0.c
> > ervim user auth does work with FP3 but only for HTTP sites :(...
> > Please let me know if you have any tested solution.
> > Regards
> > Vijay
> >
> > - --- Chris Dias <[email protected]> wrote:
> > > Do you need to allow both ports 444 and 443 to pass through the fw?
> > > Do you need to allow ident port 113 - I don't believe secure
> > > applications use this port anymore - not sure.
> > > If you open the firewall wide open, what happens?
> > >
> > > http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
> > >
> > > This one probably doesn't apply.
> > >
> > > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> > >
> > > Curious. What parameters did you change in userc.C?
> > >
> > > Elmar van Mourik <[email protected]> wrote:
> > > As far as I know user auth is NOT working with https in FP 3.
> > > For that reason I want to upgrade to AI in the near future.
> > >
> > > Elmar van Mourik
> > >
> > > -----Original message-----
> > > From: Vijay [mailto:[email protected]]
> > > Sent: Thursday, 18 September 2003 15:16
> > > To: [email protected]
> > > Subject: [FW-1] HTTPS issue with NG FP3 user

=== message truncated ===
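Step 2 of the quoted workaround, as an added shell example that is not part of the thread and not Check Point tooling: it adds the `443 in.ahttpd wait 0` line to the top of `fwauthd.conf` only if it is missing, keeps a backup, and refuses to edit when port 443 is already assigned to a different daemon. The helper name `ensure_ahttpd_entry` is hypothetical, and the entry format is assumed to be exactly the one quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): apply step 2 of the workaround
# idempotently. Run it between fwstop and fwstart, as the steps require.
# ensure_ahttpd_entry is a hypothetical helper name.

ENTRY='443 in.ahttpd wait 0'   # the line quoted in the thread

# ensure_ahttpd_entry FILE
#   returns 0 = entry added at the top of FILE (backup kept as FILE.bak)
#           1 = an in.ahttpd entry for port 443 is already there
#           2 = FILE missing, write failed, or 443 belongs to another daemon
ensure_ahttpd_entry() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Active lines start with the port number; a commented-out line has
    # "#..." as its first field and so never matches $1 == "443".
    if awk '$1 == "443" && $0 !~ /in\.ahttpd/ { bad = 1 }
            END { exit !bad }' "$conf"; then
        echo "port 443 is already assigned to another daemon in $conf" >&2
        return 2
    fi
    if awk '$1 == "443" && /in\.ahttpd/ { ok = 1 }
            END { exit !ok }' "$conf"; then
        return 1
    fi

    # Keep the original, then write the new entry followed by the old content.
    cp -p "$conf" "$conf.bak" || return 2
    { printf '%s\n' "$ENTRY"; cat "$conf.bak"; } > "$conf" || return 2
    return 0
}

# Command-line use: sh script.sh "$FWDIR/conf/fwauthd.conf"
if [ "$#" -gt 0 ]; then
    ensure_ahttpd_entry "$1"
fi
```

A return value of 1 on a second run confirms the file was left untouched, which makes the step safe to repeat while troubleshooting.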