Firewall Wizards mailing list archives
Re: Logging into FW-1 with SSL?
From: Oscar Wahlberg <oscar.wahlberg () connecta se>
Date: Fri, 10 Sep 1999 13:09:08 +0200
Hi Scott,

FW-1 cannot authenticate SSL sessions from client to webserver since it's unable to read the encryption tunnel. That's just the way it is. But there are ways around it, two that I know of.

1. Implicit client authentication for HTTPS. Let the user connect to the IIS server via HTTP, just retrieving the index page, which in turn does a redirect to the HTTPS equivalent. During this HTTP session, FW-1 can intercept the request and authenticate the session through all its methods for user authentication. This user-auth rule should then implicitly authenticate the client to allow an HTTPS session against the IIS server. This works, but has one major implication! It won't work properly if the client is behind a NAT'ed firewall, since the first request would authenticate all clients behind that fw.

I would suggest going for the second alternative.

2. I've recently heard that FW-1 w/ SP4 correctly handles all browsers when doing SSL negotiations; earlier releases didn't handle Internet Explorer. This means that you can let the firewall authenticate the SSL session. In other words, create a certificate on the firewall and let the client create an SSL session to the firewall, which then authenticates the user and, if the user is allowed through, connects to the webserver.

Both these scenarios are described in the AA sections of the FW-1 manuals. Albeit not very well, but better than the above ;)

I hope my ramblings made some sense; if not, ask again...

Cheers,
Oscar

--
Oscar Wahlberg <oscar.wahlberg () connecta se>
Connecta Infracom Säkerhet & Kommunikation
phone: +46-(0)708-44 55 63
fax: +46-(0)708-44 55 74
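The NAT caveat in option 1 is easy to miss on paper, so here is an added toy model of the two alternatives the post describes. This is illustration code written for this archive page; it is not from the post, from Check Point, or from FW-1 itself, and the user names, credentials and the 203.0.113.5 address (RFC 5737 documentation range) are all constructed. It models option 1 as "authenticate the plain-HTTP request, then permit HTTPS from that source IP" and option 2 as "terminate SSL on the firewall and check credentials per session", then runs one authenticated client and one unauthenticated client that share a NAT address through both.

```python
"""Toy model of the two FW-1 options in the post above.

Added example: not code from the post, Check Point, or FW-1. All names,
addresses and credentials below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed user database (hypothetical credentials).
USERS = {"scott": "correct horse"}


@dataclass
class ImplicitAuthFirewall:
    """Option 1: user-authenticate the plain HTTP request, then let HTTPS
    through from the same *source IP*. The firewall cannot see inside the
    SSL session, so the source address is the only thing it can key on."""
    users: dict
    authorised_ips: set = field(default_factory=set)

    def http_request(self, src_ip: str, user: str, password: str) -> int:
        """HTTP GET of the index page, intercepted by the user-auth rule.
        Returns an HTTP-style status: 302 (redirect to HTTPS) or 401."""
        if self.users.get(user) == password:
            self.authorised_ips.add(src_ip)  # implicit auth keyed on IP only
            return 302
        return 401

    def https_allowed(self, src_ip: str) -> bool:
        """HTTPS connect: allowed iff the source IP was authenticated."""
        return src_ip in self.authorised_ips


@dataclass
class SslTerminatingFirewall:
    """Option 2: the firewall holds the certificate, terminates SSL and
    authenticates each session itself before connecting to the web server."""
    users: dict

    def https_session(self, src_ip: str, user: str, password: str) -> bool:
        # Credentials are checked inside every session; src_ip plays no role.
        return self.users.get(user) == password


def nat_scenario() -> dict:
    """Two clients sit behind one NAT'ing firewall and share the public
    address 203.0.113.5 (constructed). The first authenticates as scott;
    the second ("mallory") never authenticates."""
    nat_ip = "203.0.113.5"
    option1 = ImplicitAuthFirewall(USERS)
    option2 = SslTerminatingFirewall(USERS)

    scott_http = option1.http_request(nat_ip, "scott", "correct horse")
    return {
        "scott_redirected": scott_http == 302,
        # scott's HTTPS session is allowed, as intended.
        "scott_https_opt1": option1.https_allowed(nat_ip),
        # mallory never authenticated but shares the NAT address: let through.
        "mallory_https_opt1": option1.https_allowed(nat_ip),
        # Option 2 checks credentials inside the SSL session it terminated.
        "scott_https_opt2": option2.https_session(nat_ip, "scott", "correct horse"),
        "mallory_https_opt2": option2.https_session(nat_ip, "mallory", "guess"),
    }


if __name__ == "__main__":
    for name, outcome in nat_scenario().items():
        print(f"{name}: {outcome}")
```

Under option 1 the second client is admitted purely because it shares a source address with someone who did authenticate, which is exactly the failure the post warns about; under option 2 the firewall sees each user's credentials inside the SSL session it terminated, so the shared address does not matter.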
Current thread:
- Logging into FW-1 with SSL? Briercheck, Scott (Sep 08)
- Re: Logging into FW-1 with SSL? Oscar Wahlberg (Sep 10)
- <Possible follow-ups>
- Re: Logging into FW-1 with SSL? czarcone (Sep 10)