12-04-2002 08:51 AM - edited 02-21-2020 10:05 AM
Hi,
I have a situation where I need to authenticate inside http users before going on the Internet. Easy enough with the PIX or the Authentication proxy feature on the IOS Firewall combined with a Tacacs server.
Problem is : All users appear as the same IP Address to the Firewall, since Citrix servers are used on the inside. The firewall sees traffic just if it had just passed a NAT : the same IP address for everyone but only multiplexed on a port basis.
I was thinking of using the Authentication proxy feature on the IOS Firewall but Ive noticed the following in the Restrictions section :
The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.
Which I think defeats what Im trying to do.
Question : Is there anyone with a similar situation ? If yes, did you find any features that would support such an environment ?
Thanks !
Steve Saindon
Network Consultant
Interreseau-Conseils Inc.
12-04-2002 11:29 AM
I believe you have to have a separate internal proxy server that sees all users' IP addresses the way they are. The server then direct them to the internet based upon the correct user/password.
Hope this helps.
12-04-2002 01:24 PM
Salut Steve,
Even to surf the Web, your client is forcing users to pass through the Citrix server(s) ? This seems a little bit strange.
About the restriction, i've got the same one before and i didn't find a solution with the PIX.
Since users connect to Citrix before, and i suppose that users have been authentified there, you may leave all traffics from Citrix servers pass through without auth.
Salut
Benoît
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide