Firewall Wizards mailing list archives
RE: Gauntlet & NTLM
From: Linwood Ferguson <ferguson () uvii mag aramark com>
Date: Mon, 13 Oct 1997 09:49:17 EST
I'm not familiar with NTLM, but we did get PPTP running through Gauntlet. That should carry most anything through, and it's free if you're running NT4 on both sides (NT server is not even required), so simple to give a test. My expectation is that their net extender would do basically the same things (though with added security features perhaps). It took a while to get it to work, but mostly that was because I was unfamiliar with TIS' setup.

Here's the short version if you care to try:

Plug port 1723 from any outside address and to your inside pptp server. (If you have specific addresses outside of course you could use those). Set force_source_address to true.

Create forwarding rules for:

- permit inside protocol 47 source <pptp server> destination any all ports
- permit outside protocol 47 source any destination <pptp server> all ports
- absorb outside protocol 47 source any destination <pptp server> all ports
- absorb outside tcp source any port any destination <pptp server> port 1723

Your pptp call is to the outside nic address on the firewall, the pptp server is inside the firewall. We chose not to follow Microsoft's suggestion of putting the pptp server with a nic outside and a nic inside, so interpret their setup instructions with a grain of salt - no extra hardware is needed, you can just have it connected to the inside NIC as usual, and it can be a workstation (at least for some small number of connections for testing -- I don't recall if there's a limit).

In some brief testing the tunneling seemed to carry any kind of traffic, even non-TCP, quite nicely. My setup had too many internal WAN links involved to do serious performance testing, so no comment there. We are hoping to use this for work-from-home folks, so any comments on the general use of PPTP welcomed.

- Linwood

PS. TIS is rather reluctant to help with this, giving lots of warnings that they cannot vouch for its safety, etc., though without a lot of specifics. So consider their vague warnings relayed equally vaguely. :-)

-----------------------------------------------------------------------
Linwood Ferguson              e-mail: ferguson () mag aramark com
Director, Software Engineering   Voice: (US) 540/967-0087
ARAMARK Mag & Book Services
-----------------------------------------------------------------------
Does anyone have any ideas of how to get NTLM Challenge/Response authentication (used for FrontPage) working through a Gauntlet firewall? Microsoft's FAQ dealing with NTLM says that it won't work through a proxy. So, I'm curious if using the PC Extender or Net Extender from TIS will do the trick. Does anyone know? Does anyone have other suggestions?
I tried sending this to the sales people at tis.com (as suggested in the Gauntlet FAQ), but didn't get a response. Two or three days ago, I tried the firewalls list and didn't get a response there either. So, I'm trying an upgrade to firewall-wizards.
Thanks for any help anyone can supply.
Richard Trott trott () remus rutgers edu
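The Gauntlet rule set Linwood lists above, modelled as a small default-deny packet screen so the dependency between the TCP/1723 control connection and the GRE (protocol 47) tunnel is visible. This is an added example, not code from the post or from TIS; the server and client addresses, first-match-wins evaluation, and treating "absorb" as the firewall accepting the packet for a local proxy are assumptions.

```python
"""Model of the PPTP-through-Gauntlet screening rules from the post (added example)."""
from dataclasses import dataclass
from typing import Optional

GRE = 47            # IP protocol number carrying the PPTP data tunnel
TCP = 6
PPTP_SERVER = "10.0.0.5"   # assumed address of the inside PPTP server (constructed)


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrives on: "inside" or "outside"
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" (forward) or "absorb" (accept locally for a proxy)
    iface: str
    proto: int
    src: str                 # address or "any"
    dst: str
    dport: Optional[int] = None   # None means all ports

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.proto == p.proto
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


# The four forwarding rules from the post, in the order given.
RULES = [
    Rule("permit", "inside", GRE, PPTP_SERVER, "any"),
    Rule("permit", "outside", GRE, "any", PPTP_SERVER),
    Rule("absorb", "outside", GRE, "any", PPTP_SERVER),
    Rule("absorb", "outside", TCP, "any", PPTP_SERVER, 1723),
]


def screen(p: Packet, rules=RULES) -> str:
    """First matching rule decides; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def pptp_tunnel_allowed(client: str, rules=RULES) -> bool:
    """A PPTP session needs the TCP/1723 control channel AND GRE in both directions;
    opening only port 1723 (a common mistake) leaves the tunnel unable to pass data."""
    needed = [
        Packet("outside", TCP, client, PPTP_SERVER, 1723),   # control channel in
        Packet("outside", GRE, client, PPTP_SERVER),         # tunnel data in
        Packet("inside", GRE, PPTP_SERVER, client),          # tunnel data out
    ]
    return all(screen(p, rules) != "deny" for p in needed)
```

Dropping the three GRE rules and keeping only the port 1723 rule makes `pptp_tunnel_allowed` return False, which is the failure mode to check for when a PPTP client connects but never passes traffic.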