
Re: [FW1] Firewall-1 4.0 and Implicit Authentication




Since it's not working anyway, please try removing the duplicate
"automatically_open_ca_rules" line from the objects file (only one
can be in effect and we want it to be true) and change the http line
in fwauthd.conf to read:

80              in.ahttpd       wait    80

It's a stab in the dark, but that's what I do best.
Bill

Jake Rog wrote:
> 
> Thank you so much for all your help so far, but I am still nowhere!!!
> Any way I implement it, using the UserAuth or the SessionAuth, it still asks me
> for UserName/Password every single time!!!
>  One step back!
> 
> 1.  I followed the article "Implicit Client Auth (Session Auth for HTTP is
> Slow)" step by step and have performed the following:
> 
>    a.)  Added the line:   ":automatically_open_ca_rules (true)" to OBJECTS.C
> right after the ":props" line. (However, there is another line right down in
> the middle of :props section that says ":automatically_open_ca_rules
> (false)". So am I supposed to remove that line or leave it intact???  Well I
> have tried both!)
> 
>    b.) Stopped/Started the FW1 Service!
> 
>    c.)  Added two rules to the security policy:
>      AllUsers@InternalNet     Any     HTTP/FTP/TELNET     ClientAuth
>      AllUsers@InternalNet     Any     HTTP/FTP/TELNET     UserAuth (or SessionAuth)
>      (Apparently there is some confusion from different people about which
> order you should place both lines in!?  I have tried both orders!)
> 
>    d.)  ClientAuth Properties:
>      GENERAL: Standard/Manual/Log
>      LIMITS:  Indefinite/Infinite
> 
>    e.)  Policy Authentication Properties:
>      UserAuth: 800 Minutes
>      ClientAuth(Enable Wait Mode): Not Checked
>      Track: Alert
> 
> What else can I check for to make sure that the rest of the configuration is
> working properly?  Does anything else depend on the ImplicitAuth to work,
> like Security Servers?  How can I check whether they are set up correctly?
> 
> Here is my Security Servers Config:
>    21     in.aftpd          wait  0
>    80     in.ahttpd         wait  0
>    513    in.arlogind       wait  0
>    25     in.asmtpd         wait  0
>    23     in.telnetd        wait  0
>    259    in.aclientd       wait  259
>    10081  in.lhttpd         wait  0
>    900    in.ahclientd      wait  900
>    0      in.pingd          respawn 0
> 
> Does that look correct?  I guess I will need some security servers if I use
> UserAuth and will not need them if I use the SessionAuth.  I would much
> rather use the UserAuth with the single logon and be able to use the
> Resources with Services.
> 
> Once again, Thank You.  Patiently waiting . . . .
> 
> > -----Original Message-----
> > From: Dameon D. Welch [mailto:dwelch@hotmail.com]
> > Sent: Tuesday, April 27, 1999 8:31 PM
> > To: jake.rog@ttcmail.com; FW1 Mailing List
> > Subject: Re: [FW1] Firewall-1 4.0 and Implicit Authentication
> >
> >
> >
> > I have a feeling it's because your client auth properties are not set
> > correctly. Check to see that the timeout is set adequately and that the
> > number of connections allowed is "infinite" (or a really high number).
> >
> > -- PhoneBoy
> >
> > > Thank you. I have tried to reverse the order:
> > >
> > > All@any     any     http     ClientAuth   Long     GW
> > > All@any     any     http     UserAuth     Long     GW
> > >
> > > No luck, the client is still being asked to authenticate on every request,
> > > just like the ClientAuth Rule is NOT working?  I have also tried the
> > > ImplicitAuth with SessionAuth with the same result. Back in the same court.
> > > What else can I check for?
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
> 



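An offline check for the two changes suggested in the reply above, as an added example that is not part of the original thread or of FireWall-1: it flags duplicate or non-true `automatically_open_ca_rules` entries in an objects file and an `in.ahttpd` line that differs from the suggested one. The objects fragment is constructed and its surrounding syntax is an assumption; only the property lines and the fwauthd.conf rows come from the thread.

```python
import re

PROP = "automatically_open_ca_rules"

# Constructed fragment; only the two property lines come from the thread.
SAMPLE_OBJECTS = """\
:props (
    :automatically_open_ca_rules (true)
    :some_other_property (1)
    :automatically_open_ca_rules (false)
)
"""

# Security server table as posted in the thread (abridged).
SAMPLE_FWAUTHD = """\
21     in.aftpd          wait  0
80     in.ahttpd         wait  0
259    in.aclientd       wait  259
0      in.pingd          respawn 0
"""

def find_property(text, name):
    """Return [(line_no, value)] for every ':name (value)' line."""
    pat = re.compile(r"^\s*:" + re.escape(name) + r"\s*\(\s*([^)\s]*)\s*\)")
    return [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            if (m := pat.match(line))]

def parse_fwauthd(text):
    """Return {daemon: (port, mode, last_field)} for each 4-column line."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 4:
            table[cols[1]] = (cols[0], cols[2], cols[3])
    return table

def review(objects_text, fwauthd_text):
    """List deviations from the state the reply asks for."""
    findings = []
    hits = find_property(objects_text, PROP)
    if len(hits) != 1:
        lines = [n for n, _ in hits]
        findings.append(f"{PROP} appears {len(hits)} times (lines {lines})")
    values = {v for _, v in hits}
    if values != {"true"}:
        findings.append(f"{PROP} values are {sorted(values)}, expected only true")
    http = parse_fwauthd(fwauthd_text).get("in.ahttpd")
    if http != ("80", "wait", "80"):
        findings.append(f"in.ahttpd line is {http}, reply suggests 80/wait/80")
    return findings
```

Run `review()` on the real file contents after editing and before restarting the firewall service; an empty list means both suggested changes are in place.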