Firewall Wizards mailing list archives
Re: NT Authentication
From: Vin McLellan <vin () shore net>
Date: Thu, 8 Oct 1998 17:31:52 -0400
Steve () po i-way co uk queried the Listocracy:
I have been asked a few times recently to specify a proxy which can get Authentication from an NT domain. This seems to be sites which are using DHCP. I often like to specify a FW which has an internal proxy where the site admin team can control the inside clients' Internet access. This means they can make all the changes for individual users and don't have to go near the FW. In the past I have used Wingate and IP's but more and more sites seem to want this authentication to come from an NT domain ala M$ Proxy server I guess. Being no genius on NT I wondered if anyone has any other product suggestions, alternative ways of doing this etc. Any actual experiences with Microsoft's proxy would be good too - I think we all know how dubious the security is, the management possibilities seem useful though.
One of my clients has a new mix of technologies which might be worth considering. SDTI <http://www.securid.com> has just come out with a new ACE/Agent for NT which supports NT Domain authentication (with a neat little PKI for the Domain) with two-factor SecurID authentication. It's been shipping for a couple weeks -- free for current ACE/SecurID sites -- but I don't think it will be announced for another week or so, so there may be nothing on the website until then.

This is also something of overkill for your specific problem, but among its many and wondrous tricks for authorization and access control within the NT LAN, it should be able to manage control of users permitted egress thru the firewall.

With MS Proxy in a domain that has the 4.4 ACE/Agent running subauth, the Winsock Proxy part of the MS Proxy Server can control access to the firewall by NT username. That should fire off the ACE/Agent's subauth filter at the Domain Controller when the user tries to route through the firewall.

The only problem might be with DHCP clients. You would need to make sure that you have dynamic DNS (through WINS?) so that SDTI's subauth filter can connect back to the client and authenticate.

Surete,
_Vin

-----
Vin McLellan + The Privacy Guild + <vin () shore net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --