Partially or Fully Authentication

[CheckMan]

If I need to use authentication when browsing with Internet Explorer (HTTP and HTTPS), which method that I need to use Partially or Fully Authentication??

Thanks

[Binary_01]

With partial Authentication the user will be prompted for user authentication for the the following services: HTTP, FTP, RLOGIN and telnet. Once the user is authenticated for these services, he will be authenticated for all other services permitted by the rule.

If the client first connects the an HTTPS server before the services listed above, the user will have to manualy authenticate.

Fully Authentication Sign-on works the same way except it will revert to session authentication for other services therefore requiring the installation of session clients on the desktops.

Keep in mind that client authentication and user authentication sends usernames and passwords unencrypted, you can change that by doing the following.

in the file: $FWDIR/conf/fwauthd.conf

delete this line:

259 fwssd in.aclientd wait 259

This will disabled Telnet client authentication.

Change the following line:

900 fwssd in.aclientd wait 900

to

900 fwssd in.aclientd wait 900 ssl:defaultCert

This way if you users need to authenticate via the Client authentication way (By connecting to your FW:900) it will now be done securely. I am not aware of any ways to secure user authentication at the moment.

Do backups before changing anything. :)

This is to the best of my knowledge and understanding.

To answer your question, I would use Partial authentication if I had too.

Cheers!

Phil.

[CheckMan]

Or add the following entry in fwauthd.conf?

443 fwssd in.ahttpd wait 0

???

Thanks

[Binary_01]

Are you by an chance struggling with intergrating LDAP with your Checkpoint?