On Wed, Jul 12, 2000 at 12:21:45AM +0200, Mikael Olsson wrote:
| Hmmm... A dim voice in the back of my head just said "SecurID".
| Hey, that could almost work -- having the luser read a string
| of digits from their token rather than having them remember
| another password isn't all that bad :-)
| Then there's just the matter of getting the proxy to talk to
| the SecurID server... If there is one.
Hmm. That's funny, I've written something like that.
Having the OWA server in a DMZ is a royal pain. Restricting the
RPC ports looks fine and dandy on paper but in practice, it has
bugs (as of NT4sp3, dunno about newer) that manifest themselves
as hung sessions, and limitations: AFAIR, if you're willing to
open n ports, you can have only n-1 clients connected. Extreme
suckiness ensues when considering the NT RPC protocol from a
firewall administrator's point of view.
This code authenticates against a SecurID server and keeps a
state of authorized IP addresses that are just proxied through.
Each connection in the session pool has a last access timer for
implementing a session timeout and a maximum interconnection
delay timeout to minimize risk.
Of course the above can be layered on top of an NT trust model.
The proxy is at http://www.bastard.net/~kos/pace
Later,
Kos
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
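The session-table logic Kos describes (token check first, then a table of authorized client IPs that are proxied through, each with a last-access timer and a limit on the gap between connections), as an added Python sketch that is not the pace proxy's own code. The SecurID/ACE check is replaced by a constructed one-time-code stub (`make_demo_verifier`), the class and method names are my own, and the two timeouts are my reading of the post: `session_timeout` as the absolute lifetime of an authorization and `idle_timeout` as the maximum allowed delay between two connections from the same IP.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    started: float       # time the IP passed token authentication
    last_access: float   # time of the most recent proxied connection


class AuthProxyTable:
    """Per-IP authorization state for a proxy that fronts a token server.

    verify_token: callable(user, code) -> bool; in the real proxy this would be
    the SecurID/ACE client, here it is whatever the caller supplies (assumption).
    session_timeout: absolute lifetime of an authorization, seconds.
    idle_timeout: maximum gap allowed between two connections from one IP, seconds.
    """

    def __init__(self, verify_token, session_timeout=8 * 3600, idle_timeout=600):
        self._verify = verify_token
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout
        self._sessions = {}  # client IP -> Session

    def login(self, ip, user, code, now):
        """Authorize `ip` if the token code checks out; any failure drops existing state."""
        if not self._verify(user, code):
            self._sessions.pop(ip, None)
            return False
        self._sessions[ip] = Session(user=user, started=now, last_access=now)
        return True

    def authorized(self, ip, now):
        """Called per incoming connection: allow proxying only for a live session.

        Both timers are checked before the last-access timer is refreshed, so an
        expired session is purged rather than silently revived.
        """
        s = self._sessions.get(ip)
        if s is None:
            return False
        if now - s.started > self.session_timeout or now - s.last_access > self.idle_timeout:
            del self._sessions[ip]
            return False
        s.last_access = now
        return True

    def logout(self, ip):
        return self._sessions.pop(ip, None) is not None

    def expire_stale(self, now):
        """Housekeeping sweep; returns the IPs whose sessions were removed."""
        stale = [ip for ip, s in self._sessions.items()
                 if now - s.started > self.session_timeout
                 or now - s.last_access > self.idle_timeout]
        for ip in stale:
            del self._sessions[ip]
        return stale


def make_demo_verifier(valid_codes):
    """Constructed stand-in for the token server: each (user, code) pair is accepted once.

    Real SecurID codes are time-window based and single-use; this stub only keeps
    the single-use property so that a replayed code is rejected in the demo.
    """
    unused = set(valid_codes)

    def verify(user, code):
        if (user, code) in unused:
            unused.remove((user, code))
            return True
        return False

    return verify


if __name__ == "__main__":
    # Constructed demo values: one client IP, two one-time codes for user "alice".
    table = AuthProxyTable(make_demo_verifier({("alice", "123456"), ("alice", "654321")}),
                           session_timeout=3600, idle_timeout=300)
    print(table.authorized("10.0.0.5", 0))                    # False: never logged in
    print(table.login("10.0.0.5", "alice", "123456", 0))      # True
    print(table.authorized("10.0.0.5", 100))                  # True
    print(table.authorized("10.0.0.5", 700))                  # False: idle gap 600 > 300
    print(table.login("10.0.0.5", "alice", "123456", 700))    # False: code replayed
```

The important ordering choice is in `authorized`: expiry is evaluated before `last_access` is touched, otherwise a client returning after a long gap would refresh its own timer and never time out.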