CPUG - The Check Point User Group - A Resource For The Check Point Community. Fast. Useful. Independent.
Hello! Does anyone have a sample configuration for this? I know how to set up "client auth" and how to set up "static NAT"... but how do I combine them? The scenario is I want to use a "Client Auth" off a RADIUS KeyFoB server to grant access to a Citrix Server farm. I have played with a couple of configurations with limited success. Thanks! bc

So currently I have the following config in place:

1. NAT Rules: Static NAT: External NAT Address of Citrix Server which is publicly routed. Actual Address: internal 172.16 address which is on the interface of the Citrix Server. Service: ICMP, RDP, ICA. This rule has an opposite static rule to allow it to NAT traffic out.

2. Auth Rules: Client Auth: User@Any ---> Citrix01Static ---> any service ---> Log

I can get a telnet login and get authorized. If I attempt the HTTP login, it sends me to a "FireWall-1 message: ERROR: Unable to proceed. It is possible that the time out has expired. To relogin, please press this button:" Pressing the button starts the cycle all over... Any clues what that is all about?

Check Point Authentication is aimed at local users going out. They expect you to use SecuRemote for external users coming in. Anyway, the easiest way to configure static NAT is to use automatic (inside the object, in the NAT tab), because it will then match for both real and natted IP.

Only problem I am having now is the web login gives me the: "FireWall-1 message: ERROR: Unable to proceed." after submitting the User... telnet login works fine. Anyone know how to fix this?

Now this may seem a little off the wall... Which type of FW hardware are you using? If it is Nokia, and you are using Voyager on port 80, then your symptom might be because your client auth rule is below your Voyager rule in the rulebase. If that's the case, switch the Client Auth rule to above the Voyager Access rule. [Edit:] Alternatively set your Voyager access to a different port.

Last edited by coldark; 2008-04-14 at 02:57. Reason: offer an alternate situation

I'm using a pair of Dell 2950's with dual quad port NICs on SPLAT 2.6. Check Point currently has me editing the login web pages to add an "ACTION" to the "FORM" method. What's really great is they can't tell me the exact syntax, I have to "play about and try stuff". I'm currently on "http://node1hostname.com/", next I'll do "http://node1hostname:900/". The overall idea is to lock down the authenticator on one node so his login isn't interrupted by the other node.

Happy ending... So the solution is twofold...

First, on both cluster nodes you must change the web files for login to include an ACTION in the FORM tag. This action should look like the following: ACTION="http://<<IP or hostname of firewall node>>:900/" This must be done on all nodes and the IP must be unique for each node. The "Real IP" of that node on the side facing the authenticator is the proper IP to insert. If you are using HTTPS for authentication then make the change accordingly to the line above.

Second, if you require the use of HTTPS to the target of your Static NAT, you must change a global property. Under Global Properties select SmartDashboard Customization... there should be a button labeled "Configure". Click Configure and navigate to: Firewall-1 --> Web Security --> HTTP Protocol. Check the box titled "http_use_host_h_as_dst". Push your policy. If you don't check this box then Check Point will get all confused thinking the HTTPS is directed at it and not the NAT target and drop the packet. Why it thinks this, god only knows. If you don't need HTTPS, you can skip this step.

There ya'all go, hope it helps someone.

Last edited by Brittin_C; 2008-04-14 at 18:09.
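As an added illustration of the first step above (this is not code from the thread or from Check Point, and the real markup of the Client Auth login page is not shown in the thread), the following Python helper takes a login form whose FORM tag has no ACTION and produces one copy per cluster node with ACTION set to that node's real IP on port 900, replacing any ACTION that is already there. The sample HTML and the 192.0.2.x node addresses are constructed placeholders; the function and attribute names are the author's own assumptions, not Check Point's.

```python
import re

# Constructed stand-in for a login page whose FORM tag lacks an ACTION.
# Without ACTION the browser posts back to the URL it is on, which in the
# thread's setup is the NAT target, not the firewall node that served the form.
SAMPLE_LOGIN_HTML = """<HTML><BODY>
<FORM METHOD="POST">
User: <INPUT TYPE="text" NAME="user">
<INPUT TYPE="submit" VALUE="Login">
</FORM>
</BODY></HTML>"""

# Match a <FORM ...> opening tag (case-insensitive) and capture its attributes.
FORM_TAG_RE = re.compile(r"<form\b([^>]*)>", re.IGNORECASE)
# Match an ACTION attribute in quoted or unquoted form.
ACTION_ATTR_RE = re.compile(
    r"""\s+action\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE
)


def node_action_url(node_ip, port=900, https=False):
    """Build the per-node ACTION URL from the thread's recipe:
    the node's real IP on the authenticator-facing side, port 900."""
    scheme = "https" if https else "http"
    return f"{scheme}://{node_ip}:{port}/"


def set_form_action(html, action_url):
    """Return html with every <FORM> tag carrying ACTION=action_url.
    An existing ACTION is replaced so the node-specific URL always wins."""
    def fix(match):
        attrs = ACTION_ATTR_RE.sub("", match.group(1))
        return f'<FORM ACTION="{action_url}"{attrs}>'
    return FORM_TAG_RE.sub(fix, html)


def per_node_pages(html, node_ips, port=900, https=False):
    """One customised copy of the page per cluster node, keyed by node IP,
    so that each node serves a form that posts back only to itself."""
    return {
        ip: set_form_action(html, node_action_url(ip, port, https))
        for ip in node_ips
    }


def form_actions(html):
    """List the ACTION of each form (None when absent); use this to verify
    the edited files before copying them onto the nodes."""
    found = []
    for m in FORM_TAG_RE.finditer(html):
        a = ACTION_ATTR_RE.search(m.group(1))
        found.append(a.group(1).strip("\"'") if a else None)
    return found


if __name__ == "__main__":
    # Placeholder node addresses (RFC 5737 documentation range).
    pages = per_node_pages(SAMPLE_LOGIN_HTML, ["192.0.2.1", "192.0.2.2"])
    for ip, page in pages.items():
        print(f"--- node {ip}: actions {form_actions(page)}")
        print(page)
```

Run the script to see the two node-specific copies; `form_actions` is the check to run on each node's edited file afterwards, since a copy that still returns `None` would reproduce the original symptom.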