I have a client that currently uses an ISA server to restrict access to back-end web servers. The users authenticate at the ISA which then redirects to the back end web server.
Palo Alto firewalls were sold as replacing this authentication mechanism using Captive Portal. Is this a possible use? I've only seen examples of Captive Portal for outbound traffic or to authenticate users for a wireless network. This would be inbound traffic from the Internet going to specific servers internally.
If this is possible, what would be the recommended setup? Static NAT is configured for these servers and I'd want to use the User-ID agent for authentication.
The client is also moving to using the GlobalProtect agent for SSL VPN. The request is for Captive Portal to be used to protect access to certain web resources, but if they want full access to internal resources they would use GP.
Thanks for any help!
You can use Captive Portal in your setup. As you said, most of the time Captive Portal is used for outbound access, but you can also do it for inbound by configuring the Captive Portal policies, and I do not see any issues with it as long as the users are coming from different IPs. You can use RADIUS, LDAP, Kerberos, or even local user accounts for identifying and authenticating the users. You also mentioned that you would like to use the User-ID agent. Captive Portal is used when the User-ID agent cannot be used, that is, when the users are not logging into any domain controllers and the user traffic is directly reaching the firewall. So you can use either Captive Portal or the User-ID agent only. Regarding full access, if the users log in to the SSL VPN they should be able to get full access. I do not see any issues with your setup.
I've had big problems setting this up. I can't seem to direct any incoming requests to the CP authentication system (tried both RADIUS and local). I ended up going with a Citrix solution via F5 to farm out access to the internal resource.
If you get it working I would be interested to see your configuration.
Captive Portal was not designed for Internet -> Internal use so there could be some problems trying to implement it this way. One particular caveat, it is required to enable User-ID on the 'Internet' or 'External' zone. If you have User-ID Agent configured, this could flood the agent with the list of unknown IP addresses.
I would recommend deploying this configuration only if the 'Internet' or 'External' zone is controlled and not publicly accessible. If you decide to move forward with this deployment, it would be advisable to involve your Sales team so they are familiar in case issues arise.
Here is Tech Note on some specifics of User-ID: https://live.paloaltonetworks.com/docs/DOC-1807
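An added example, not from this thread or from Palo Alto Networks documentation, of what the inbound layout discussed in the two replies above might look like in PAN-OS `set` syntax: User-ID enabled on the Internet-facing zone but scoped with the zone's include list (the flooding caveat), the existing static NAT left in place, a Captive Portal rule on the published server, and a security rule that only admits users the portal has mapped. Zone and rule names, addresses, interface numbers and the authentication profile are hypothetical, and the exact command syntax differs between PAN-OS releases, so treat each line as an assumption to be checked against your version's CLI reference (or build it in the web UI and read the equivalent back with `set cli config-output-format set` followed by `show` in configure mode).

```text
# Hypothetical inbound Captive Portal layout (constructed for this example):
#   Internet --> untrust (ethernet1/1, published address 198.51.100.10)
#            --> dmz     (ethernet1/2, internal web server 10.10.10.10)
# Every name, address and profile reference below is an assumption.

# 1. Zones. User-ID has to be on for the zone the users arrive from, which
#    here is the Internet-facing one. The zone include list keeps the agent
#    from being asked about every unknown Internet address.
set zone untrust network layer3 ethernet1/1
set zone untrust enable-user-identification yes
set zone untrust user-acl include-list 203.0.113.0/24
set zone dmz network layer3 ethernet1/2

# 2. The redirect can only be served if the firewall is allowed to answer
#    with a response page on the interface the user is hitting.
set network profiles interface-management-profile cp-response response-pages yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile cp-response

# 3. The static NAT that already exists for the published server
#    (pre-NAT zone on both the from and to side of a destination NAT rule).
set rulebase nat rules web-static-nat from untrust to untrust source any destination 198.51.100.10 service service-https destination-translation translated-address 10.10.10.10

# 4. Captive Portal rule: challenge web traffic bound for the published
#    server. Assumes an authentication profile (for example "cp-ldap")
#    has already been created and selected in the Captive Portal settings.
set rulebase captive-portal rules inbound-web-cp from untrust to dmz source any destination 198.51.100.10 service service-https action web-form

# 5. Security policy: only users Captive Portal has mapped reach the
#    server; anything else from untrust to dmz hits the interzone deny.
set rulebase security rules inbound-web-auth from untrust to dmz source any source-user known-user destination 198.51.100.10 application [ ssl web-browsing ] service application-default action allow
```

Two things to check before expecting the portal to appear: the firewall can only inject the redirect into cleartext HTTP, so a server published on HTTPS also needs a decryption policy covering this traffic or the Captive Portal rule never fires; and if the portal is set to redirect mode (Device > User Identification > Captive Portal Settings) the redirect host has to be an address an Internet client can actually reach, not an internal interface IP.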