Title: Message
 
 
This is indeed an old and annoying issue... we suffer as well... it's almost impossible to identify what session on a TSE machine maps into a session on a PIX.. we're interested as well.
-----Original Message-----
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 7:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Firewall authentication & W2K Terminal Server

Andy,

 

I believe a Netscreen could do the job. You can set a named address to a MIP in the firewall and then force authentication on the outgoing side.

 

 Steve Clark

Clark Systems Support, LLC

AVIEN Charter Member

"Who's watching your network?"

www.clarksupport.com

          301-610-9584 voice

          240-465-0323 Efax

 


 

-----Original Message-----
From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 5:39 PM
To: [EMAIL PROTECTED]
Subject: Firewall authentication & W2K Terminal Server

 

Hey,

 

I'm looking for a firewall, which can give me a solution for the problem I'll be describing.

 

I've got a Windows 2000 Terminal Server, and the Terminal Server clients can browse the Internet using their session. However, they need to be authenticated by a firewall appliance before they are allowed, and their activity needs to be logged on a user basis.

 

The firewall I'm testing for the moment -WatchGuard Firebox II- cannot do what I want. Once a Terminal Server user authenticates successfully, all others are allowed. This is because my WatchGuard dynamically changes the ACLs, because of the successful authentication, and allows Internet access originating from the Terminal Server source IP. Additionally, it cannot log on a user basis; as far as my WatchGuard is concerned, it comes from the Terminal Server.

I've also tested the Nortel Contivity Instant Internet Gateway, and they have the same problem as above.

During my CheckPoint Firewall-1 training, I've asked the same question. The Certified Instructor told me it wasn't possible on CP FW-1, for the same reasons as described above. However, I didn't have the opportunity to test it so far.

 

Does anyone know a firewall which can perform what I want? And if yes, can he or she describe how it is done? Any help is welcome, and I thank you for the answer(s) to my question.

 

Regards,

Andy JONKERS
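
Added example, not part of the original thread and not any vendor's code: a small Python model of the behaviour described above, where one successful login opens the gateway for the Terminal Server's source IP, beside a hypothetical gateway that checks credentials on every connection. The address, user names, passwords and class names are constructed for illustration.

```python
from dataclasses import dataclass, field

TS_IP = "10.0.0.5"                         # constructed Terminal Server address
USERS = {"alice": "pw-a", "bob": "pw-b"}   # constructed credentials

@dataclass
class IpKeyedGateway:
    """A successful login opens the gateway for the whole source IP."""
    authed_ips: set = field(default_factory=set)
    log: list = field(default_factory=list)   # (identity seen, dest, allowed)

    def login(self, src_ip, user, password):
        ok = USERS.get(user) == password
        if ok:
            self.authed_ips.add(src_ip)        # the "dynamic ACL" for this address
        return ok

    def connect(self, src_ip, dest, creds=None):
        # creds are ignored: the decision is made on the source address alone,
        # so the only identity available for the log is the IP.
        allowed = src_ip in self.authed_ips
        self.log.append((src_ip, dest, allowed))
        return allowed

@dataclass
class PerConnectionGateway:
    """Hypothetical design: every connection carries its own credentials."""
    log: list = field(default_factory=list)

    def connect(self, src_ip, dest, creds=None):
        user, password = creds or (None, None)
        allowed = user is not None and USERS.get(user) == password
        self.log.append((user if allowed else src_ip, dest, allowed))
        return allowed

def run_scenario():
    """alice logs in; bob, who never authenticated, browses from the same server."""
    ip_gw, pc_gw = IpKeyedGateway(), PerConnectionGateway()
    ip_gw.login(TS_IP, "alice", "pw-a")
    results = {}
    for name, gw in (("ip_keyed", ip_gw), ("per_connection", pc_gw)):
        alice_ok = gw.connect(TS_IP, "example.org", creds=("alice", "pw-a"))
        bob_ok = gw.connect(TS_IP, "example.net", creds=None)
        results[name] = {"alice": alice_ok, "bob": bob_ok, "log": list(gw.log)}
    return results

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

In the IP-keyed model bob's connection is allowed and both log entries show only the Terminal Server address, which is the loss of per-user logging the thread describes.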
