lol lol lol lol lol big lol...
piranha

----- Original Message -----
From: "John Steniger" <[EMAIL PROTECTED]>
To: "'Andy Jonkers'" <[EMAIL PROTECTED]>; "Eric Samburn" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 28, 2001 5:32 AM
Subject: RE: Firewall authentication & W2K Terminal Server

> Is there any reason you are looking for a firewall and not a proxy solution?
> We have almost the same setup (NT 4.0 Terminal server). We use MS Proxy
> Server to authenticate to the web and log usage by user, and a
> packet-filtering firewall for outbound and inbound packet filtering. I
> think a proxy solution would better fix your problem in this case (but don't
> disregard the firewall for inbound/outbound filtering!). We have experience
> with the Microsoft solution, and it does the trick.
>
> John J. Steniger
>
> > -----Original Message-----
> > From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 28, 2001 1:53 AM
> > To: Eric Samburn; [EMAIL PROTECTED]
> > Subject: Re: Firewall authentication & W2K Terminal Server
> >
> > Hey,
> >
> > What you have written explains exactly what I'm experiencing, and what you
> > are suggesting is what I need. But is it possible to give me a product that
> > can do what I want?
> > Some people speak of a PIX, but as far as I'm aware of my problem, they will
> > experience the same kind of problems. This is because, as you have
> > suggested, each Browser Session on a Terminal Server is a session on
> > itself, and all data leaving the TS seems to be from only one user instead
> > of different users.
> > Already thanks for your answers.
> >
> > Andy
> >
> > ----- Original Message -----
> > From: "Eric Samburn" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, November 28, 2001 2:37 AM
> > Subject: RE: Firewall authentication & W2K Terminal Server
> >
> > > I don't want to get into application proxy / packet filtering debate,
> > > but think about it.
> > >
> > > The TS is on the internal network behind the firewall.
> > > Staff are logged into the TS and start up their instance of browser.
> > >
> > > From the firewall's perspective, the traffic is TCP. The data packets will
> > > only provide src addr, src port, dest addr, dest port. Since all
> > > connections are from the same TS, there is no way a packet filtering
> > > firewall can distinguish which connection belongs to which user.
> > > What you need is a http proxy. Some firewalls provide a http proxy that
> > > supports proxy "Basic Authentication" (the one specified in the http
> > > standard).
> > >
> > > That way you can control and log all web surfing usage.
> > >
> > > Alternatively, you put a http proxy on the internal network, and the
> > > firewall is configured to ONLY allow the proxy server to go to the Net.
> > > And all users from the TS need to config their browser to use the proxy
> > > for web surfing.
> > >
> > > I just can't see how a packet filtering firewall can solve this problem.
> > >
> > > > From: "Kuff, Hal" <[EMAIL PROTECTED]>
> > > > To: "'Clark, Steve'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'"
> > > > <[EMAIL PROTECTED]>
> > > > Subject: RE: Firewall authentication & W2K Terminal Server
> > > > Date: Tue, 27 Nov 2001 19:18:54 -0500
> > > >
> > > > This is indeed an old and annoying issue... we suffer as well... it's
> > > > almost impossible to identify what session on a TSE machine maps into a
> > > > session on a PIX.. we're interested as well.
> > > >
> > > > -----Original Message-----
> > > > From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, November 27, 2001 5:39 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Firewall authentication & W2K Terminal Server
> > > >
> > > > Hey,
> > > >
> > > > I'm looking for a firewall, which can give me a solution for the problem
> > > > I'll be describing.
> > > >
> > > > I've got a Windows 2000 Terminal Server, and the Terminal Server clients
> > > > can browse the Internet using their session. However, they need to be
> > > > authenticated by a firewall appliance before they are allowed, and their
> > > > activity needs to be logged on a user basis.
> > > >
> > > > The firewall I'm testing for the moment -WatchGuard Firebox II-
> > > > cannot do what I want. Once a Terminal Server user authenticates
> > > > successfully, all others are allowed. This is because my WatchGuard
> > > > dynamically changes the ACLs, because of the successful authentication,
> > > > and allows Internet access originated from the Terminal Server Source IP.
> > > > Additionally, it cannot log on a user basis, as far as my WatchGuard is
> > > > concerned it comes from the Terminal Server.
> > > > I've also tested the Nortel Contivity Instant Internet Gateway, and they
> > > > have the same problem as above.
> > > > During my CheckPoint Firewall-1 training, I've asked the same question.
> > > > The Certified Instructor told me it wasn't possible on CP FW-1, for the
> > > > same reasons as described above. However, I didn't have the opportunity
> > > > to test it so far.
> > > >
> > > > Does anyone know a firewall which can perform what I want? And if yes,
> > > > can he or she describe how it is done? Any help is welcome, and I thank
> > > > you for the answer(s) to my question.
> > > >
> > > > Regards,
> > > > Andy JONKERS

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
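
The attribution problem discussed in the quoted thread, as an added example that is not part of the original messages: four browser connections leave one Terminal Server, and the packet-filter view is compared with what an HTTP proxy can log from the Basic `Proxy-Authorization` header. All addresses, user names and requests are constructed, and password verification against a user store is assumed to happen elsewhere.

```python
import base64
from collections import Counter, defaultdict

TS_IP, PROXY = "10.0.0.5", ("192.0.2.10", 8080)  # constructed addresses

def _req(url, cred=None):
    """Constructed proxy request, as a browser session on the TS would send it."""
    lines = [f"GET {url} HTTP/1.0"]
    if cred:
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(cred.encode()).decode())
    return "\r\n".join(lines) + "\r\n\r\n"

SAMPLE = [  # constructed: (src ip, src port, dst ip, dst port, request on the wire)
    (TS_IP, 1031, *PROXY, _req("http://example.com/", "alice:s3cret")),
    (TS_IP, 1032, *PROXY, _req("http://example.org/a", "bob:pa:ss")),
    (TS_IP, 1033, *PROXY, _req("http://example.net/")),
    (TS_IP, 1034, *PROXY, _req("http://example.org/b", "alice:s3cret")),
]

def proxy_user(raw):
    """Return the user named in a Basic Proxy-Authorization header, else None."""
    for line in raw.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return None
        user, sep, _password = decoded.partition(":")  # password may contain ':'
        return user if sep and user else None  # password check omitted here
    return None

def packet_filter_view(conns):
    """Count connections by the only identity a packet filter sees: source IP."""
    return dict(Counter(src for src, *_ in conns))

def proxy_view(conns):
    """Per-user URL log; a request without usable credentials would get a 407."""
    log, challenged = defaultdict(list), 0
    for *_, raw in conns:
        if (user := proxy_user(raw)) is None:
            challenged += 1
        else:
            log[user].append(raw.split(" ")[1])
    return dict(log), challenged
```

The packet-filter view collapses all four connections into one source address, while the proxy view yields a separate URL list per user and counts the unauthenticated request it would challenge.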
