ScreenOS Firewalls (NOT SRX)
Posts: 2
Registered: ‎04-12-2010
0 Kudos

External auth server to protect website



We have the following situation:


We have a website that we want to secure with an external authentication party (Cryptocard MAS portal).

I tried to create an auth server and joined this with a policy and thought this would work, but no luck.

The people at Cryptocard also have no idea how to set up our SSG5.


Does anyone have any experience with external RADIUS authentication on an SSG5?



Distinguished Expert
Posts: 4,300
Registered: ‎03-30-2009
0 Kudos

Re: External auth server to protect website


If I understand your scenario correctly, there is no authentication server or setup needed at all in the SSG for your web server.


Crypto-MAS IIS Integration


MS- IIS Crypto-MAS


You are protecting a web site.  The process will work like this:

  • When the page load comes to the Microsoft IIS server
  • IIS needs to be configured to forward that request over to Crypto-MAS
  • Once authenticated, Crypto-MAS returns the session to IIS as authorized

On the SSG firewall you need these configurations set up:


  • You will forward web traffic to the Microsoft IIS server normally
  • You will need firewall rules to allow outbound connections from the IIS server to Crypto-MAS.  These will be covered if you have a normal allow all from the IIS server zone to the internet untrust setup that allows web access from that server
  • You will need a firewall rule from the Crypto-MAS server IPs to the IIS server for whatever ports they use in the communications.  It looks like they use RADIUS so the port would be 1645 & 1646 but you will need their documentation on the IIS setup to confirm where the communications occur.

The authentication server setup on the SSG is only needed if you are using Crypto-MAS as the authentication for your administrative access to the SSG instead of the built-in login database.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
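
The three firewall rules listed in the reply above, written out as ScreenOS CLI. This is an added example, not part of the original thread or of any vendor documentation. The zone name DMZ, the address-book and service names, and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders; the ports are the ones the reply names and still need confirming against the Crypto-MAS documentation; NAT (MIP/VIP) for the web server is not shown; lines starting with # are annotations, not CLI input.

```text
# Added example: constructed names and documentation-range addresses.
# Assumes the IIS server sits in the DMZ zone with a routable address.

# Address book entries (placeholders)
set address "DMZ" "iis-web" 192.0.2.10/32
set address "Untrust" "cryptomas-1" 198.51.100.20/32
set address "Untrust" "cryptomas-2" 198.51.100.21/32
set group address "Untrust" "cryptomas-servers"
set group address "Untrust" "cryptomas-servers" add "cryptomas-1"
set group address "Untrust" "cryptomas-servers" add "cryptomas-2"

# Custom service for the UDP ports named in the reply (unconfirmed)
set service "cryptomas-radius" protocol udp src-port 0-65535 dst-port 1645-1646

# Rule 1: forward web traffic to the IIS server normally
set policy from "Untrust" to "DMZ" "Any" "iis-web" "HTTP" permit log

# Rule 2: outbound connections from the IIS server; this is the
# "normal allow all" from the server zone that the reply refers to
set policy from "DMZ" to "Untrust" "iis-web" "Any" "ANY" permit log

# Rule 3: Crypto-MAS server IPs to the IIS server, limited to the
# custom service above instead of ANY
set policy from "Untrust" to "DMZ" "cryptomas-servers" "iis-web" "cryptomas-radius" permit log

# No "set auth-server" entry and no "auth" keyword on any policy:
# per the reply, the SSG does not take part in the user authentication
save
```

Because every rule carries the log keyword, the traffic log on the SSG shows which of the three flows actually occur and on which ports, which helps when confirming the vendor's port list.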