Re: Internal DNS bypasses Watchguard authentication
From: Richard Chiu (rchiu_at_brederoshaw.shawcor.com)
Date: 12/01/03
Date: Mon, 01 Dec 2003 18:56:53 GMT
We configured the Watchguard to block any external traffic unless the user
authenticates. However, we overrode this by allowing outgoing HTTP
connections from any machine. This override was necessary to allow traffic
through from our web server on the optional (DMZ) connection. Changing the
outgoing connection to only allow authenticated users solved our problem, but
now the users need to authenticate even to access our own web server.
John: Unfortunately, Watchguard does not redirect users to authenticate if
they forget to. You must point your browser to the address of Firebox.
Thanks for your assistance.
Rich
"John Smith" <someone@microsoft.com> wrote in message
news:4iMxb.6179$G1.28771@tor-nn1.netcom.ca...
> I read that again and it makes a bit more sense to me, however unless your
> Firebox forces authentication for all traffic, I'm not sure how you're
> going to stop this. I would think that it would be smart enough to see that
> it's HTTP and redirect the user to the authentication page BEFORE allowing
> the traffic out.
>
>
>
> "Richard Chiu" <rchiu@brederoshaw.shawcor.com> wrote in message
> news:Z6Mxb.198000$jy.155588@clgrps13...
> >
> > "John Smith" <someone@microsoft.com> wrote in message
> > news:mXLxb.6178$G1.28801@tor-nn1.netcom.ca...
> > > Wow! Where do I start.
> > >
> > > You have a SOHO box.
> > > You set up an Internal DNS.
> > > Your PCs now use this DNS.
> > > In the past they had to authenticate to ??? using the software ?? to
> > > surf out.
> > > Now they can surf without authentication.
> > >
> > > Questions
> > >
> > > What DNS(s) did they use before?
> >
> > We used the DNS servers provided by our ISP (DSL connection)
> >
> > > Did you connect the DNS to the Internet directly and is this new DNS
> > > acting as a router?
> >
> > Our internal DNS server is on the trusted network and doesn't require
> > authentication to access the Internet directly. We configured this in
> > the Firebox to allow traffic to pass through to this server.
> >
> > > How did your SOHO box force authenticated sessions in the past?
> >
> > Oops, my mistake. We actually have a Firebox II Plus, not a SOHO which
> > has an authentication server built in. Users point to this web server to
> > authenticate.
> >
> > > Has anything changed on your Firewall recently?
> >
> > Nothing has changed before setting up the internal DNS. Are you familiar
> > with how the Watchguard authentication works? On the client machines,
> > when using the ISP DNS servers, I can ping external IP addresses. I just
> > can't ping domain names because they don't resolve properly. I can even
> > access web sites such as Google if I use the IP. However, once the DNS
> > entry is changed to our internal DNS server, domain names can be resolved
> > without the need to authenticate. I thought Watchguard was supposed to
> > block all traffic, not just prevent domain names from resolving? Thanks
> > for your help!
> >
> >
> > Rich
> >
> >
>
>
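A first-match model of the outbound policy Rich describes above, added here as an example that is not part of the original thread and not WatchGuard configuration syntax. It shows why the "allow HTTP from any machine" override defeats the authentication requirement while the internal DNS server's pass-through only affects name resolution, and how scoping the override to the DMZ web server keeps that server reachable without authentication; the addresses, the `Rule` layout and the `evaluate`/`audit` helpers are all constructed for this illustration.

```python
# Added example (not from the thread or from WatchGuard): a first-match model of the
# outbound policy Rich describes, showing why "allow HTTP from any host" overrides
# the authentication requirement and how scoping it to the DMZ web server fixes that.
from collections import namedtuple

DMZ_WEB = "192.0.2.10"       # constructed address: web server on the optional (DMZ) interface
INTERNAL_DNS = "10.0.0.53"   # constructed address: DNS server on the trusted network
CLIENT = "10.0.0.25"         # constructed address: a PC on the trusted network

# src: "any", "authenticated", or one IP; dport: None matches every port;
# dst: "any" or one IP; action: "allow" or "deny"
Rule = namedtuple("Rule", "src dport dst action")

def matches(rule, src, authenticated, dst, dport):
    src_ok = rule.src in ("any", src) or (rule.src == "authenticated" and authenticated)
    dst_ok = rule.dst in ("any", dst)
    port_ok = rule.dport is None or rule.dport == dport
    return src_ok and dst_ok and port_ok

def evaluate(policy, src, authenticated, dst, dport):
    """First matching rule decides; a flow that matches no rule is denied."""
    for rule in policy:
        if matches(rule, src, authenticated, dst, dport):
            return rule.action
    return "deny"

# Policy as first described: the HTTP override sits above the auth rule, so an
# unauthenticated PC reaches any external web site whether or not names resolve.
ORIGINAL = [
    Rule("any", 80, "any", "allow"),
    Rule(INTERNAL_DNS, 53, "any", "allow"),
    Rule("authenticated", None, "any", "allow"),
]

# Narrowed policy: unauthenticated HTTP is allowed only to the DMZ web server.
CORRECTED = [
    Rule("any", 80, DMZ_WEB, "allow"),
    Rule(INTERNAL_DNS, 53, "any", "allow"),
    Rule("authenticated", None, "any", "allow"),
]

def audit(policy):
    """Outcomes for the flows discussed in the thread (external IPs constructed)."""
    return {
        "unauth PC -> external web": evaluate(policy, CLIENT, False, "198.51.100.7", 80),
        "unauth PC -> DMZ web": evaluate(policy, CLIENT, False, DMZ_WEB, 80),
        "auth PC -> external web": evaluate(policy, CLIENT, True, "198.51.100.7", 80),
        "internal DNS -> upstream DNS": evaluate(policy, INTERNAL_DNS, False, "198.51.100.53", 53),
    }
```

Running `audit(ORIGINAL)` and `audit(CORRECTED)` side by side makes the point of the thread visible: DNS pass-through is allowed in both, but only the narrowed policy denies an unauthenticated PC's HTTP to the outside while still allowing it to the DMZ web server.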