CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
My NGX R62 gateway is configured to permit SSL Network Extender VPN connections on the default port HTTPS/443, which works perfectly. However, I don't like how this configuration allows anyone to connect to this port and access the SNX web page before they have to authenticate via the extender ActiveX control. I have tried protecting access to the SNX web page by adding a user auth rule as follows: snx_users@any - gateway - https - user auth. This changes nothing; the SNX page is still publicly accessible without any user authentication. The rule is above the gateway stealth rule, and I have also tried partially automatic and manual client auth, and added "443 fwssd in.ahttpd wait 0" to fwauthd.conf, but still nothing: no popup for authentication. This rule is completely ignored, not even any log entries despite setting the track option to log :( The CP documentation mentions sometimes having to add a URI resource to this sort of rule to invoke the HTTP Security Server so that it is properly processed; guess what, I've tried using an https>uri resource but STILL no joy :( Are there any other things I can try?

Last edited by BAM279; 2007-07-05 at 15:09. Reason: text edit
| |||
I believe that the connection is via an implied rule. As such, this rule allowing the connectivity is above your rules. Without wanting to sound funny, what is the issue in people getting the SNX screen without authenticating first?
| |||
Hi, thanks for your reply. There is no issue with having the SNX web page public as such; I would just like to have an extra layer of security through obscurity, by preventing any random public probes from being presented with the page. It's really just the same practice as preventing unnecessary information disclosure through service banner/welcome messages. The bigger issue would be with frustrating SNX users by having to log in twice, but that is mitigated through using certificates for the actual SNX access. My implied rule for "Accept Remote Access Control Connections" is disabled in Global Properties, and there are no other implied rules that I can see which would be permitting SNX access.
| |||
OK, here's the latest. I have disabled ALL implied rules from Global Properties and just created a single manual rule for CPMI to the gateway to retain my management access. I have also enabled "log implied rules", and access to the SNX web page is listed in SmartView Tracker as allowed - "implied rule"? So, to what implied rule does it refer? As I said, I disabled ALL implied rules, so how is access still permitted to the SNX web page? I am assuming there must be some other rule added into one of the conf files somewhere whenever you enable clientless VPN and SSL Network Extender options in the config, but can anyone confirm this, or even tell me where I could find a way of removing this "hidden" implied rule so that I can then create a manual rule with partial client auth or user auth? Thanks.
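The shadowing effect described in the second reply and observed in the last post (a connection accepted by an "implied rule" before the user-auth rule ever sees it) comes down to first-match evaluation. The following is an added example, not code from the thread or from Check Point: a minimal first-match rulebase simulation in Python. The rule names, the rulebase order and the implied accept rule for the SNX portal are constructed for illustration; the matcher is a generic top-down, first-match engine, not the product's own, and it does not model how user auth actually prompts the client.

```python
# Added example (not from the thread or from Check Point): a minimal
# first-match rulebase simulation showing why an implied rule evaluated
# ahead of the explicit rulebase shadows a later user-auth rule.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    src: str       # "any" or a source object name (constructed for the example)
    dst: str       # "any" or a host name
    service: str   # "any" or a service name such as "https"
    action: str    # "accept", "drop" or "user auth"
    implied: bool = False  # True for rules added outside the visible rulebase


@dataclass
class Conn:
    src: str       # source address (constructed sample value)
    dst: str
    service: str


def matches(rule: Rule, conn: Conn) -> bool:
    """A rule matches when every column is 'any' or equals the connection's value."""
    return (rule.src in ("any", conn.src)
            and rule.dst in ("any", conn.dst)
            and rule.service in ("any", conn.service))


def first_match(rules: List[Rule], conn: Conn) -> Optional[Rule]:
    """Top-down evaluation that stops at the first matching rule."""
    for rule in rules:
        if matches(rule, conn):
            return rule
    return None


# Explicit rulebase as the original poster describes it: the user-auth rule
# sits above the gateway stealth rule, with a cleanup rule at the bottom.
EXPLICIT_RULES = [
    Rule("snx user auth", "any", "gateway", "https", "user auth"),
    Rule("stealth", "any", "gateway", "any", "drop"),
    Rule("cleanup", "any", "any", "any", "drop"),
]

# Hypothetical implied rule (assumption for the example) that is evaluated
# before the explicit rulebase when the SNX portal is enabled on the gateway.
IMPLIED_SNX = Rule("implied: SNX portal", "any", "gateway", "https", "accept", implied=True)


def decide(conn: Conn, implied_enabled: bool) -> str:
    """Return the name of the rule that handles the connection."""
    rules = ([IMPLIED_SNX] if implied_enabled else []) + EXPLICIT_RULES
    hit = first_match(rules, conn)
    return hit.name if hit else "no match"


if __name__ == "__main__":
    probe = Conn("203.0.113.5", "gateway", "https")  # anonymous scan of port 443 (constructed)
    for enabled in (True, False):
        print(f"implied SNX rule present={enabled}: https probe -> {decide(probe, enabled)}")
```

With the implied rule present, the HTTPS probe is accepted before the explicit rulebase is consulted, which is why the user-auth rule produces neither a prompt nor a log entry; only with the implied rule absent does the same connection reach the user-auth rule.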