Hello everyone, and thank you for taking the time to read this question.
My company is bringing up a new accounting/Time and Attendance suite in November and the question of access has been asked over and over again. They do not want to expose the webserver that employees enter time and expense to the outside world, yet they do not want to force all users to VPN into the network just to enter time sheet data.
The application performs authentication against AD, but it will not allow users to change passwords once theirs has expired. So we are considering ways to allow the firewall to authenticate since it can request password change at logon.
So I have two questions.
When considering your answer, please keep in mind that I have an ASA 5510 as my firewall.
1. I have read about the cut-through proxy that is available on the ASA, but this does not appear to be a single sign-on option. It appears you log in to the proxy and then it passes you to the application, where you will have to authenticate against the application. Is this assumption correct?
2. Can anyone think of another way to access an application behind the firewall that is not exposed to the internet?
If you have any questions or need a further explanation, please do not hesitate to ask.
Thanks
John