topic Captive Portal to Internal Servers in General Topics

Captive Portal to Internal Servers

CafNetMatt — Mon, 24 Dec 2012 21:26:23 GMT

I have a client that currently uses an ISA server to restrict access to back-end web servers. The users authenticate at the ISA which then redirects to the back end web server.

Palo Alto firewalls were sold as replacing this authentication mechanism using Captive Portal. Is this a possible use? I've only seen examples of Captive Portal for outbound traffic or to authenticate users for a wireless network. This would be inbound traffic from the Internet going to specific servers internally.

If this is possible, what would be the recommended setup? Static NAT is configured for these servers and I'd want to use the User-ID agent for authentication.

The client is also moving to using the Global Protect agent for SSL VPN. The request is for Captive Portal to be used to protect access to certain web resources but if they want full access to internal resources they would use GP.

Thanks for any help!

Re: Captive Portal to Internal Servers

sdurga — Tue, 25 Dec 2012 04:24:15 GMT

You can use Captive Portal in your setup. As you said most of the times Captive Portal is used for outbound access, you can also do it for inbound by configuring the Captive portal policies and I do not see any issues with it as long as the users are coming from different IP's. You can use Radius/LDAP or kerberos or even local user accounts for identifying and authenticating the users. You also mentioned that you would like to use User-id agent. Captive portal is used when user-id agent cannot be used; that is when the users are not logging into any domain controllers and the user traffic is directly reaching the firewall. So you can either use captive portal or user-id agent only. Regarding the full access if the users login to the SSL VPN they should be able to get the full access. I do not see any issues with your setup.

Sandeep T

Re: Captive Portal to Internal Servers

CafNetMatt — Tue, 15 Jan 2013 21:20:44 GMT

Thank you for the explanation. I actually look forward to trying this out. This is Step 3 in a PAN migration with steps 1 & 2 being replacing the existing firewalls and moving to Global Protect for SSL VPN. Both of which are pretty much complete.

Re: Captive Portal to Internal Servers

djrodb — Wed, 16 Jan 2013 15:05:57 GMT

I've had big problems setting this up. I can't seem to direct any incoming requests to the CP authentication system (tried both radius and local). I ended up going with an Citrix solution via F5 to farm out access to the internal resource.

If you get it working I would be interested to see your configuration.

Rod

Re: Captive Portal to Internal Servers

sspringer — Wed, 16 Jan 2013 18:25:16 GMT

Captive Portal was not designed for Internet -> Internal use so there could be some problems trying to implement it this way. One particular caveat, it is required to enable User-ID on the 'Internet' or 'External' zone. If you have User-ID Agent configured, this could flood the agent with the list of unknown IP addresses.

I would recommend deploying this configuration only if the 'Internet' or 'External' zone is controlled and not publicly accessible. If you decide to move forward with this deployment, it would be advisable to involve your Sales team so they are familiar in case issues arise.

Here is Tech Note on some specifics of User-ID: https://live.paloaltonetworks.com/docs/DOC-1807

-Stefan

Re: Captive Portal to Internal Servers

greeng — Wed, 08 Oct 2014 19:23:47 GMT

Curious to see how this fared for you?

Re: Captive Portal to Internal Servers

CafNetMatt — Sat, 14 Feb 2015 16:05:55 GMT

This was a bust. It's just outside what Captive Portal was created to do.

The client moved to a different solution.

Sorry for the late response. For some reason your reply didn't end up in my inbox (The PAN inbox yes; my regular mail inbox no).