Password protected internal site

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L2 Linker

Password protected internal site

Hi everyone,

 

I'm trying to migrate a rule of an ancient firewall (Microsoft ISA server) that was "publishing" an internal resource using regular HTTP - just a web page - but protected by an RSA SecurID login page. The ISA / RSA implementation was just enforcing a login page before showing up the published Web site:

 

External User (Internet)  --->   ISA Server with RSA SecureID auth --->  HTTP/80 web site (LAN)

 

On my PA, I have no specific license for GP so I cannot use the GP clientless functionality.

Creating an enabling User-ID / Captive Portal / legacy RSA SecureID for the Internet Zone is a no no...

 

Are there anything I could do on the PA side to enforce authentication for Internet users?

 

Thanks!

R.   

Highlighted
Cyber Elite

@Rievax,

So you've thrown out authentication policies which would generally be the solution for something like this, which really leaves you with licensing GP so you can do a clientless setup to service this resource or having them actually use GlobalProtect to form a VPN connection. You don't really have another option here from the firewall itself. 

Highlighted
L4 Transporter

@Rievax ,

 

Well the captive portal will "enforce authentication for internet users" as per your requirements. Why is this not option for you?

Highlighted
L2 Linker

@BPry , @AlexanderAstardzhiev 

 

Dear all. Thanks for your answers!

To be honest, I was reading the Best Practices article for securing User-ID and in many other places in PA doc, they warn not to enable User-ID in Internet / Untrusted zones. Having a closer look, the possible issue seems to be related more in regards to WMI probing (which is not enabled in my case)... Brute force attack should not be a problem since this is an OTP SecurID access that I would use in my Authentication Policy rule (BTY, I tested in from a DMZ zone, and I know that works fine).

 

Still, by reading your answers, this does not seems to be a problem to your eyes enabling User-ID in the Internet / Untrusted zone. Or I am mistaken, and there is another way to have an attached Authentication Policy Rule without enabling User-ID for the Zone?

 

My second issue is regarding the Captive Portal Redirect Host and SSL Service Profile... I originally built it for "Internal" use, and because there's only one Captive Portal setup I will have to re-create a proper Redirect Host / SSL Service Profile / Split DNS setup to have it accessible internally and externally.

 

Thanks again for your suggestions.

 

Regards.

R. 

Highlighted
Cyber Elite

Hello,

Using User-ID wont work, the reason is if the firewall knows the user-ip already, it will not bring up the authentication page. So I agree with BPry and you have to license GP is you want to use the PAN or find another solution.

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!