With user auth, they will be challenged each time. Have you tried partially automatic
client auth?
[EMAIL PROTECTED] wrote:
> I would love to do that, but the domain objects won't take in a rule when
> using User Auth! You have to put the domain objects in that particular
> user's permissions. Then I still get the same problem, users are being
> prompted when they come across a resource they don't have access to. This
> is very frustrating!
>
> Cheers,
>
> Jamie
>
> -----Original Message-----
> From: CryptoTech [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 21, 2000 8:53 PM
> To: MIS Security Alerts
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] http domain filter
>
> I would just set up domain objects and use them in the destination field.
> This way they are evaluated upon use (then cached per the DNS valid
> interval.) This should work quite well.
>
> The resource idea is not bad, but tends to work better if you just use IP
> addrs.
>
> So just create domain objects like yahoo.com, <sitename.com>, and so on.
>
> HTH,
> CryptoTech
>
> [EMAIL PROTECTED] wrote:
>
> > I am trying to set up simple access rules for 4 different groups. These
> > groups have a variety of different access to sites like av.com, yahoo.com,
> > etc. I am toying with a few ideas and I want to bounce it off a few people.
> > My desired result is to use something like domain objects so that I don't
> > have to manually input any changes when yahoo gets a new server. I have
> > gotten it to work using URI resources and it works great, BUT (and you knew
> > there was a but) when someone accesses a site they don't have permissions to,
> > it just comes up with user/pass prompts until it finally moves to an Error
> > 407 - not "Access Denied." Here is what I have found the reason to be: the
> > rule setup to allow users to these sites is below
> >
> > Group1@internal any http->www.yahoo.com User Auth Account
> >
> > It looks as though because the destination is any I will never see that
> > access denied error. A solution was to use the domain objects in the dest
> > field, only they are not allowed when using User Auth. Now this may appear
> > to be cosmetic only and not bother fixing, but when a user accesses
> > yahoo.com, several gif's on that page are called from other URL's. So, in
> > order to load the page the users will get frustrated after trying their
> > user/pass so many times. It will eventually load without those gif's. If I
> > specify the IP of yahoo.com as the dest, the page loads no problem and just
> > ignores the gif's (no prompts because access is denied).
> >
> > Anyone know the secret or have a few moments to spare and test my theories?
> >
> > Cheers,
> >
> > Jamie Doherty
> >
> > The information transmitted by the following E-Mail is intended only for
> > the addressee and may contain confidential and/or privileged material. Any
> > interception, review, retransmission, dissemination, or other use, or taking
> > any action upon this information by persons or entities other than the
> > intended recipient is prohibited by law and may subject them to criminal or
> > civil liability. If you received this communication in error, please contact
> > us immediately at 954-730-2900 ext. 3600 and delete the communication from
> > any computer or network system.
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================