Re: Client Authentication to Static NAT server

Happy ending... So the solution is twofold...

First, on both cluster nodes you must change the web files for login to include an ACTION in the FORM tag. This action should look like the following:

ACTION="http://<<IP or hostname of firewall node>>:900/"

This must be done on all nodes and the IP must be unique for each node. The "Real IP" of that node on the side facing the authenticator is the proper IP to insert. If you are using HTTPS for authentication then make the change accordingly to the line above.

Second, if you require the use of HTTPS to the target of your Static NAT, you must change a global property. Under global properties select SmartDashboard Customization... there should be a button labeled "Configure". Click Configure and navigate to: Firewall-1 --> Web Security --> HTTP Protocol. Check the box titled "http_use_host_h_as_dst". Push your policy. If you don't check this box then Check Point will get all confused thinking the HTTPS is directed at it and not the NAT target and drop the packet. Why it thinks this, god only knows. If you don't need HTTPS, you can skip this step.

There ya'all go, hope it helps someone.

Last edited by Brittin_C; 2008-04-14 at 18:09.
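The first step above (giving each node's login FORM its own ACTION), sketched as an added example that is not part of the original post. The function name `set_form_action` and the sample login markup are assumptions constructed for illustration; only the ACTION format and port 900 come from the post.

```python
import re

# Opening FORM tag, matched case-insensitively.
FORM_TAG = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
# An existing ACTION attribute (double-quoted, single-quoted or bare value).
ACTION_ATTR = re.compile(
    r"""\s+action\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE
)
# Only plain IPs/hostnames are accepted, so the value cannot break out
# of the quoted attribute when it is written into the page.
SAFE_HOST = re.compile(r"[A-Za-z0-9.-]+")


def set_form_action(html, node, scheme="http", port=900):
    """Return html with every FORM tag posting to this node's own address.

    node is the "Real IP" (or hostname) of the firewall node the file
    lives on; each cluster node must be patched with its own value.
    """
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not SAFE_HOST.fullmatch(node):
        raise ValueError(f"unexpected characters in node address: {node!r}")
    action = f"{scheme}://{node}:{port}/"

    def patch(match):
        # Drop any ACTION already present, then append the node-specific one.
        tag = ACTION_ATTR.sub("", match.group(0))
        return f'{tag[:-1].rstrip()} ACTION="{action}">'

    return FORM_TAG.sub(patch, html)


# Constructed sample markup, not the real Check Point login page.
SAMPLE_LOGIN = (
    '<HTML><BODY><FORM METHOD="POST">\n'
    '<INPUT NAME="user"><INPUT TYPE="password" NAME="pass">\n'
    "</FORM></BODY></HTML>"
)

if __name__ == "__main__":
    # Constructed node addresses (documentation range), one per cluster node.
    for node_ip in ("192.0.2.11", "192.0.2.12"):
        print(set_form_action(SAMPLE_LOGIN, node_ip))
```

Run it once per node against that node's copy of the login files, passing `scheme="https"` if authentication is served over HTTPS.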