If I understand correctly:
Terminal Services is connected either with a client browser or the 32 bit
client connecting to namedaddress (translates to an IP address). This
namedaddress would be configured to resolve to a MIP (Mapped IP address) on
the Netscreen. From there, the Netscreen would then point to the internal
terminal services server. Create an outgoing policy in the Netscreen where
traffic coming from the TS server outbound to the net requires
authentication. The user ID & password are set and maintained in the
Netscreen or an external Radius server. I don't believe this would require
any special configuration in the TS browser but am not 100%.
"In plain text"
Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax
The data furnished in connection with this document is deemed by Clark
Systems Support, LLC., to contain proprietary and privileged information and
shall not be disclosed or used for the benefit of others without the prior
written permission of Clark Systems Support, LLC.
-----Original Message-----
From: Kuff, Hal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 7:19 PM
To: 'Clark, Steve'; '[EMAIL PROTECTED]'
Subject: RE: Firewall authentication & W2K Terminal Server
This is indeed an old and annoying issue... we suffer as well... it's
almost impossible to identify what session on a TSE machine maps into a
session on a PIX.. we're interested as well.
-----Original Message-----
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 7:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Firewall authentication & W2K Terminal Server
Andy,
I believe a Netscreen could do the job. You can set a named address to a MIP
in the firewall and then force authentication on the outgoing side.
Steve Clark
-----Original Message-----
From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 5:39 PM
To: [EMAIL PROTECTED]
Subject: Firewall authentication & W2K Terminal Server
Hey,

I'm looking for a firewall, which can give me a solution for the problem
I'll be describing.

I've got a Windows 2000 Terminal Server, and the Terminal Server clients can
browse the Internet using their session. However, they need to be
authenticated by a firewall appliance before they are allowed, and their
activity needs to be logged on a user basis.

The firewall I'm using testing for the moment -WatchGuard Firebox II- cannot
do what I want. Once a Terminal Server user authenticates successfully, all
others are allowed. This is because my WatchGuard dynamically changes the
ACLs, because of the successful authentication, and allows Internet access
originated from the Terminal Server Source IP. Additionally, it cannot log
on a user basis, as far as my WatchGuard is concerned it comes from the
Terminal Server.
I've also tested the Nortel Contivity Instant Internet Gateway, and they
have the same problem as above.
During my CheckPoint Firewall-1 training, I've asked the same question. The
Certified Instructor told me it wasn't possible on CP FW-1, for the same
reasons as described above. However, I didn't have the opportunity to test
it so far.

Does anyone know a firewall which can perform what I want? And if yes, can
he or she describe how it is done? Any help is welcome, and I thank you for
the answer(s) to my question.

Regards,
Andy JONKERS
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
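
The shared-source-IP problem described in the original question, as an added example that is not part of the thread: a toy model of a firewall that keys authentication state on source IP, next to an assumed per-request credential check (a hypothetical contrast, not a feature of any product named above). All class names, addresses and accounts are constructed.

```python
from dataclasses import dataclass, field

TS_IP = "192.0.2.10"  # constructed address shared by every Terminal Server user

@dataclass
class IpKeyedFirewall:
    """Opens outbound access for a source IP once any user behind it logs in."""
    users: dict                                   # username -> password
    authed: dict = field(default_factory=dict)    # src_ip -> username
    log: list = field(default_factory=list)

    def login(self, src_ip, user, password):
        if self.users.get(user) == password:
            self.authed[src_ip] = user            # state is per IP, not per user
            return True
        return False

    def request(self, src_ip, real_user, dest):
        # The firewall sees only src_ip; real_user is ground truth for the demo.
        logged_as = self.authed.get(src_ip)
        allowed = logged_as is not None
        self.log.append((src_ip, logged_as, real_user, dest, allowed))
        return allowed

@dataclass
class PerRequestFirewall:
    """Assumed alternative: every request carries its own credentials."""
    users: dict
    log: list = field(default_factory=list)

    def request(self, src_ip, creds, dest):
        user, password = creds if creds else (None, None)
        allowed = user is not None and self.users.get(user) == password
        self.log.append((src_ip, user if allowed else None, dest, allowed))
        return allowed

def misattributed(fw):
    # Allowed entries where the logged user differs from the real one.
    return [e for e in fw.log if e[4] and e[1] != e[2]]

def demo():
    users = {"alice": "a-secret", "bob": "b-secret"}      # constructed accounts
    ip_fw = IpKeyedFirewall(users)
    before = ip_fw.request(TS_IP, "bob", "example.org")   # nobody logged in yet
    ip_fw.login(TS_IP, "alice", "a-secret")
    after = ip_fw.request(TS_IP, "bob", "example.org")    # bob never logged in
    pr_fw = PerRequestFirewall(users)
    anon = pr_fw.request(TS_IP, None, "example.org")
    bob = pr_fw.request(TS_IP, ("bob", "b-secret"), "example.org")
    return before, after, len(misattributed(ip_fw)), anon, bob, pr_fw.log[-1][1]
```

In the IP-keyed model, bob's traffic is allowed and logged under alice once she authenticates; in the per-request model, unauthenticated traffic from the same address is refused and each log entry names the user who supplied the credentials.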