Well I figured it out, the rule looks like this:

User Group    W32 Terminal Server/Firewall    ports 23 & 3389    Client Auth
It works great, here's a breakdown:

1. telnet session to the firewall over port 259
2. sign in | select "standard sign-on"
3. launch Microsoft RDP connection to the desired server

+ allows a user from anywhere to gain access to the terminal server
+ no need to define an end user IP
- Allows anyone to telnet to the firewall
- yet another password and ID to manage

Since placement of the rule requires it to be above the "stealth" rule, it permits any telnet session to the firewall. How can I allow this to work yet deny just anyone the ability to gain access to the firewall via telnet?

Thanks

----- Original Message -----
From: "Security Guy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 22, 2003 11:25 AM
Subject: Re: [FW-1] User authentication mechanism[s]

> Still not having much luck with creating this access. Here's the rule I'm
> trying to configure. Is there some trick to setting up the actual user
> account? [test user exists within "user group"] I'm expecting to see a
> login prompt from the firewall to allow further access to the terminal
> server, but no joy. The logs show the traffic being stopped by the
> last rule, aka the clean up rule. Do I need another port open to allow the
> prompt, or possibly another rule to augment the terminal server rule?
>
> Here's the rule
>
> User Group    W32 Terminal Server    Tcp Port 3389    Client Auth
>
> Thanks!
>
> ----- Original Message -----
> From: "Peter Goodridge" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, December 19, 2003 11:59 AM
> Subject: Re: [FW-1] User authentication mechanism[s]
>
>
> > Hi SG,
> >
> > I use client auth for this kind of stuff. It works
> > fine. It's not encrypted however unless you take some
> > extra steps. The other downside being that if your
> > user authenticates from a multiuser system, or from
> > behind a NAT device, other folks will also have access.
> >
> > HTH,
> > Pete
> >
> > --- Security Guy <[EMAIL PROTECTED]> wrote:
> > > We have a device that resides within our DMZ, a
> > > select group of DHCP users will need access. I
> > > don't really want to give the users static IP
> > > addresses, can some kind of alternate authentication
> > > be used? I've tried User Authentication, only to
> > > find out it only supports telnet, rlogin, http, https
> > > and ftp. I would like to keep the users on DHCP
> > > IPs, they will be accessing the DMZ resource via an
> > > RDP connection [tcp port 3389]. Will client
> > > authentication work?
> > >
> > > thoughts | ideas | suggestions
> > >
> > > Thanks!
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [EMAIL PROTECTED]
> > > =================================================
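The ordering problem raised at the top of the thread, as an added example that is not code from the thread or from Check Point: a first-match evaluator over a constructed rulebase modelled on the posted rules (client auth above stealth, cleanup last), showing that any source can reach the firewall's telnet/sign-on ports, and what changes when the client-auth rule's source is narrowed. The addresses, the 10.0.0.0/8 "internal" range and the source restriction itself are assumptions for illustration, not something the thread settles on.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the hosts named in the thread.
FIREWALL = "192.0.2.1"             # the FW-1 gateway itself
TERMINAL_SERVER = "198.51.100.10"  # "W32 Terminal Server" in the DMZ
CLIENT_AUTH_PORTS = {23, 259}      # telnet and the client-auth sign-on port
RDP = 3389

def make_rule(name, src, dst, ports, action):
    """A rule as an admin reads it: source, destination, service, action.
    src/dst are lists of networks or "any"; ports is a set of TCP ports or "any"."""
    return {"name": name, "src": src, "dst": dst, "ports": ports, "action": action}

def _matches(selector, value):
    if selector == "any":
        return True
    if isinstance(selector, set):  # service (port) selector
        return value in selector
    return any(ip_address(value) in ip_network(n) for n in selector)

def evaluate(rulebase, src_ip, dst_ip, dport):
    """First-match evaluation: the first rule whose selectors all match decides.
    Returns (rule name, action)."""
    for rule in rulebase:
        if (_matches(rule["src"], src_ip) and _matches(rule["dst"], dst_ip)
                and _matches(rule["ports"], dport)):
            return rule["name"], rule["action"]
    raise RuntimeError("rulebase has no cleanup rule")

def build_rulebase(client_auth_src):
    """The ordering the thread describes: client-auth rule above stealth, cleanup last.
    Before sign-on the user group has no known IP (the "no need to define an end
    user IP" point), so the rule's effective source is whatever client_auth_src allows."""
    return [
        make_rule("client-auth", client_auth_src,
                  [f"{TERMINAL_SERVER}/32", f"{FIREWALL}/32"],
                  CLIENT_AUTH_PORTS | {RDP}, "client auth"),
        make_rule("stealth", "any", [f"{FIREWALL}/32"], "any", "drop"),
        make_rule("cleanup", "any", "any", "any", "drop"),
    ]

# Rulebase as posted: user group with no source restriction.
AS_POSTED = build_rulebase("any")
# Assumed variant: sign-on limited to an internal range (assumption, not from the thread).
SRC_RESTRICTED = build_rulebase(["10.0.0.0/8"])
```

Run `evaluate(AS_POSTED, "203.0.113.5", FIREWALL, 259)` to see the client-auth rule accept an arbitrary outside address, and the same call against `SRC_RESTRICTED` to see it fall through to the stealth rule.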
