ScreenOS Firewalls (NOT SRX)
Visitor
Ouwerocker

External auth server to protect website

Hello

 

We have the following situation:

We have a website that we want to secure with an external authentication party (Cryptocard MAS portal).

I tried to create an auth server and joined this with a policy and thought this would work, but no luck.

The people at Cryptocard also have no idea how to set up our SSG5.

Does anyone have any experience with external RADIUS authentication on an SSG5?

 

Thanks

Distinguished Expert
spuluka

Re: External auth server to protect website

If I understand your scenario correctly, there is no authentication server or setup needed at all in the SSG for your web server.

 

Crypto-MAS IIS Integration

 

MS- IIS Crypto-MAS

 

You are protecting a web site.  The process will work like this:

  • When the page load comes to the Microsoft IIS server
  • IIS needs to be configured to forward that request over to Crypto-MAS
  • Once authenticated, Crypto-MAS returns the session to IIS as authorized

On the SSG firewall you need these configurations set up:

  • You will forward web traffic to the Microsoft IIS server normally
  • You will need firewall rules to allow outbound connections from the IIS server to Crypto-MAS. These will be covered if you have a normal allow-all from the IIS server zone to the internet untrust setup that allows web access from that server.
  • You will need a firewall rule from the Crypto-MAS server IPs to the IIS server for whatever ports they use in the communications. It looks like they use RADIUS so the port would be 1645 & 1646, but you will need their documentation on the IIS setup to confirm where the communications occur.

The authentication server setup on the SSG is only needed if you are using Crypto-MAS as the authentication for your administrative access to the SSG instead of the built-in login database.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
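
The three firewall rules described in the answer above, written out as ScreenOS CLI in an added example that is not part of the original post. The zone names, interface, addresses (RFC 5737 placeholder ranges), address-book names and custom service name are all assumptions; the UDP ports are the ones the answer names and still need confirming against the Crypto-MAS documentation. Lines starting with # are annotations for the reader, not ScreenOS commands.

```screenos
# Address-book entries (placeholder values, replace with your own)
set address "DMZ" "iis-web" 192.0.2.10/32
set address "Untrust" "crypto-mas" 203.0.113.20/32

# Public address mapped one-to-one to the IIS server (MIP on the untrust interface)
set interface ethernet0/0 mip 198.51.100.10 host 192.0.2.10 netmask 255.255.255.255 vr trust-vr

# Custom service for the RADIUS ports named in the answer (to be confirmed)
set service "RADIUS-1645-1646" protocol udp src-port 0-65535 dst-port 1645-1646

# 1. Web traffic from the internet to the IIS server, as for any published site
set policy from "Untrust" to "DMZ" "Any" "MIP(198.51.100.10)" "HTTP" permit log
set policy from "Untrust" to "DMZ" "Any" "MIP(198.51.100.10)" "HTTPS" permit log

# 2. Outbound from the IIS server to Crypto-MAS.
#    An existing allow-all outbound policy already covers this; an explicit
#    rule documents the dependency and survives later tightening of outbound access.
set policy from "DMZ" to "Untrust" "iis-web" "crypto-mas" "RADIUS-1645-1646" permit log

# 3. From the Crypto-MAS server IPs to the IIS server, limited to the same ports
#    and to that single source instead of "Any"
set policy from "Untrust" to "DMZ" "crypto-mas" "MIP(198.51.100.10)" "RADIUS-1645-1646" permit log
```

With `log` set on each policy, `get log traffic policy <id>` shows whether the Crypto-MAS exchange actually uses these ports and in which direction it is initiated.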