Firewall Wizards mailing list archives

Logging into FW-1 with SSL?


From: "Briercheck, Scott" <brierchecks () msx upmc edu>
Date: Wed, 8 Sep 1999 17:37:05 -0400

Wizards,

I'd like to make the following configuration happen, but I've been told it's
not possible:

I would like to take an NT machine running IIS 4.0 and have it protected by
FW-1.  The rules would be extremely tight, so that basically the only thing
allowed through the firewall would be HTTPS to the web server.  In order to
get access to the web server, you'd first have to successfully log in at the
firewall (I'd use Livingston's Radius Server to let the firewall have access
to the SQL database that stores the web login information).  

If you succeeded at the firewall login, then your HTTPS traffic would be
allowed through to the web server.  Otherwise, nothing from you would get
through to the web server.

Here comes the tricky part:  I'd like the initial authentication at the
firewall to take place over SSL.  The problem I'm presented with is that I
can't establish an SSL connection to the firewall because I need the Web
Server's certificate for the SSL session, but I can't use the certificate
since there isn't a connection to the Web Server yet... This circular
dependency is the difficulty.

So my question:  Is there some way around this dependency loop, for example,
is it possible for the firewall to serve up a certificate that would allow
HTTPS to occur during the authentication at the firewall?  Or is there
another way around it?  I'm open to any suggestions, or to a plain old
"Nope, it can't be done".

Thanks,

Scott






