Firewall Wizards mailing list archives

RE: Gauntlet & NTLM


From: Linwood Ferguson <ferguson () uvii mag aramark com>
Date: Mon, 13 Oct 1997 09:49:17 EST

I'm not familiar with NTLM, but we did get PPTP running through Gauntlet.
That should carry most anything through, and it's free if you're running
NT4 on both sides (NT server is not even required), so simple to give a 
test.  My expectation is that their net extender would do basically the
same things (though with added security features perhaps). 

It took a while to get it to work, but mostly that was because I was 
unfamiliar with TIS' setup.  Here's the short version if you care to try:

Plug port 1723 from any outside address and to your inside pptp server.
(If you have specific addresses outside of course you could use those).
Set force_source_address to true.

Create forwarding rules for:

    - permit inside protocol 47 source <pptp server> destination any all ports
    - permit outside protocol 47 source any destination <pptp server> all ports
    - absorb outside protocol 47 source any destination <pptp server> all ports
    - absorb outside tcp source any port any destination <pptp server> port 1723

Your pptp call is to the outside nic address on the firewall, the pptp
server is inside the firewall.  We chose not to follow Microsoft's 
suggestion of putting the pptp server with a nic outside and a nic inside,
so interpret their setup instructions with a grain of salt - no extra hardware
is needed, you can just have it connected to the inside NIC as usual, and 
it can be a workstation (at least for some small number of connections for
testing -- I don't recall if there's a limit).

In some brief testing the tunneling seemed to carry any kind of traffic, even
non-TCP, quite nicely.  My setup had too many internal WAN links involved to 
do serious performance testing, so no comment there.

We are hoping to use this for work-from-home folks, so any comments on the
general use of PPTP welcomed.
    - Linwood

PS. TIS is rather reluctant to help with this, giving lots of warnings that
they cannot vouch for its safety, etc., though without a lot of specifics.
So consider their vague warnings relayed equally vaguely.  :-)

-----------------------------------------------------------------------
Linwood Ferguson                  e-mail: ferguson () mag aramark com
Director, Software Engineering    Voice:  (US) 540/967-0087
ARAMARK Mag & Book Services
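
The four forwarding rules in the post are easier to reason about when they are written down as a first-match packet filter and exercised against sample packets. The block below is an added example written for this archive page; it is not Gauntlet code and not something the poster supplied. It assumes a constructed inside address for the PPTP server (10.0.0.5), a constructed outside caller (203.0.113.7), first-match evaluation with default deny, and treats "absorb" simply as "handled by the firewall itself rather than forwarded"; the exact Gauntlet semantics of absorb are not described on the page. The last function lists which rules accept traffic from any outside source, which is the part a reviewer would look at given the vague TIS warnings relayed in the PS.

```python
"""Model of the PPTP pass-through rules from the post (added example)."""
from dataclasses import dataclass
from typing import List, Optional

GRE = 47          # IP protocol carrying the PPTP tunnel data (not port-based)
TCP = 6
PPTP_PORT = 1723  # PPTP control channel

PPTP_SERVER = "10.0.0.5"  # constructed inside address; assumption, not from the post


@dataclass(frozen=True)
class Packet:
    iface: str             # interface the packet arrived on: "inside" or "outside"
    proto: int             # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (GRE)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" (forward) or "absorb" (firewall handles it; assumed meaning)
    iface: str
    proto: int
    src: str               # "any" or one address
    dst: str               # "any" or one address
    dport: Optional[int]   # None means "all ports"

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and p.proto == self.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


# The four rules exactly as listed in the post, in the order given.
RULES: List[Rule] = [
    Rule("permit", "inside", GRE, PPTP_SERVER, "any", None),
    Rule("permit", "outside", GRE, "any", PPTP_SERVER, None),
    Rule("absorb", "outside", GRE, "any", PPTP_SERVER, None),
    Rule("absorb", "outside", TCP, "any", PPTP_SERVER, PPTP_PORT),
]


def decide(p: Packet, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def open_from_outside(rules: List[Rule] = RULES) -> List[Rule]:
    """Rules that accept traffic from *any* outside source: the ones to review,
    since GRE carries no port and the firewall cannot authenticate its sender."""
    return [r for r in rules if r.iface == "outside" and r.src == "any"]


if __name__ == "__main__":
    # Constructed sample packets: an outside caller and the inside PPTP server.
    samples = [
        Packet("outside", TCP, "203.0.113.7", PPTP_SERVER, PPTP_PORT),  # control channel
        Packet("outside", GRE, "203.0.113.7", PPTP_SERVER),             # tunnel data in
        Packet("inside", GRE, PPTP_SERVER, "203.0.113.7"),              # tunnel data out
        Packet("outside", GRE, "203.0.113.7", "10.0.0.9"),              # GRE to another host
        Packet("outside", TCP, "203.0.113.7", PPTP_SERVER, 80),         # not PPTP
    ]
    for pkt in samples:
        print(f"{pkt.iface:7} proto {pkt.proto:2} {pkt.src} -> {pkt.dst}"
              f"{'' if pkt.dport is None else ':' + str(pkt.dport)} => {decide(pkt)}")
    print("rules open to any outside source:", len(open_from_outside()))
```

Note that only traffic to the one PPTP server address passes; GRE aimed at any other inside host, and TCP 1723 started from the inside, fall through to deny, which is the behaviour the post's rule list implies.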

-----------------------------------------------------------------

Does anyone have any ideas of how to get NTLM Challenge/Response
authentication (used for FrontPage) working through a Gauntlet firewall. 
Microsoft's FAQ dealing with NTLM says that it won't work through a proxy. 
So, I'm curious if using the PC Extender or Net Extender from TIS will do
the trick.  Does anyone know?  Does anyone have other suggestions? 

I tried sending this to the sales people at tis.com (as suggested in the
Gauntlet FAQ), but didn't get a response.  Two or three days ago, I tried
the firewalls list and didn't get a response there either. So, I'm trying
an upgrade to firewall-wizards.

Thanks for any help anyone can supply.

Richard Trott
trott () remus rutgers edu
