Subject: Re: [FW-1] MAC Address Blocking
From: Edwin Davidson <EDavidson AT PRIMEINC DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 13 Jul 2004 09:29:44 -0500
>>What are you using to maintain the user names, are you authenticating
>>against AD?

Surfcontrol can use AD (Mixed mode), NT Domain, NDS, and Netbios discovery.
There is an EUM (service) that gets installed onto each primary/backup/AD.

We are using the AD in mixed mode.  Netbios discovery is turned on as well,
but doesn't seem to work very well over routers.  This setup also only works
well if your users do not sign into multiple devices.  It will work with
multiple devices, but the logs look strange.  It has problems if you
authenticate into multiple domains at the same time, and will use the
authority of whichever domain you last authenticated into.  If you have
Terminal Service users or Citrix, then you have to use one of the
authenticated proxy server versions of Surfcontrol to get user name mapping
to work with these users.

Overall, it works pretty well.

www.websense.com has a similar product.

>>I wanted to avoid having to have everyone authenticate when only a few will
>>be blocked.

If you are depending on your users to authenticate so they can be blocked,
then you will have a failed policy.  So user based rules wouldn't make sense
here.

If you are only blocking 2 workstations, then do the DHCP reservation thing -
give them unique IP addresses.  Say your normal is
192.168.0.50-192.168.0.200, then you would reserve these 2 stations with
192.168.0.240 and .241.  In the firewall rules, block all traffic coming from
these two IP addresses.

Someone else mentioned this earlier.  Also, you will probably want to ping
these two devices each day to make sure they are still being blocked.  If
M$, then an nbtstat -A 192.168.0.241 would be better (note the uppercase A).

http://www.primeinc.com
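The weak point of the DHCP-reservation approach above is that the firewall rule keys on an IP address, not the machine: if the reservation is lost, the user sets a static address, or another device ends up holding the reserved IP, the block silently stops matching the right host. The daily ping/nbtstat check in the post is aimed at exactly that. The following is an added example, not code from the post or from any of the products it names. It parses a constructed sample of Linux `arp -n` output (the hosts, MACs and addresses are placeholders) and compares the observed IP-to-MAC pairs against the reserved MAC-to-IP pairs, flagging both failure modes: a blocked MAC seen at an unreserved address (the block is bypassed) and a reserved address held by some other MAC (the wrong device is being blocked). It goes one step beyond the post by also reporting a reserved MAC that is absent from the cache, since an ARP cache only shows hosts recently active on the local segment and absence there proves nothing.

```python
import re

# Reserved MAC -> IP pairs, mirroring the DHCP-reservation setup in the post.
# Constructed placeholder values, not real hosts.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.0.240",
    "66:77:88:99:aa:bb": "192.168.0.241",
}

# Constructed sample of Linux `arp -n` output (hypothetical hosts). It shows
# the second reserved MAC at an unreserved address and a stranger at .241.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.240            ether   00:11:22:33:44:55   C                     eth0
192.168.0.241            ether   ff:ee:dd:cc:bb:aa   C                     eth0
192.168.0.77             ether   66:77:88:99:AA:BB   C                     eth0
192.168.0.1              ether   0a:0b:0c:0d:0e:0f   C                     eth0
"""

# Matches "<ipv4> <hwtype> <mac>" at the start of an arp -n data line; the
# header line and "(incomplete)" entries do not match and are skipped.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-fA-F:]{17})\s")


def parse_arp(text):
    """Return {ip: mac} from `arp -n` output, MACs normalised to lower case."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_reservations(arp_text, reservations=RESERVATIONS):
    """Compare observed IP->MAC pairs with reserved MAC->IP pairs.

    Returns a list of (level, message) tuples: OK when the reserved MAC sits at
    its reserved IP, ALERT when the block is bypassed or hits the wrong device,
    INFO when the MAC is not in the cache and the block cannot be verified.
    """
    observed = parse_arp(arp_text)
    by_mac = {}
    for ip, mac in observed.items():
        by_mac.setdefault(mac, []).append(ip)

    findings = []
    for mac, want_ip in reservations.items():
        mac = mac.lower()
        ips = by_mac.get(mac, [])
        if not ips:
            findings.append(("INFO", f"{mac} not in ARP cache (off, or on another "
                                     f"segment); block unverified"))
        for ip in ips:
            if ip == want_ip:
                findings.append(("OK", f"{mac} at reserved {ip}; firewall block applies"))
            else:
                findings.append(("ALERT", f"{mac} seen at {ip}, not reserved {want_ip}; "
                                          f"IP-based block bypassed"))
        # Reverse check: is somebody else sitting on the blocked address?
        holder = observed.get(want_ip)
        if holder is not None and holder != mac:
            findings.append(("ALERT", f"{want_ip} held by {holder}, not {mac}; "
                                      f"wrong device is being blocked"))
    return findings


if __name__ == "__main__":
    for level, message in check_reservations(SAMPLE_ARP):
        print(f"[{level}] {message}")
```

Run it from a host on the same segment as the blocked workstations (the gateway is the natural place), after the pings the post suggests so the ARP cache is populated, and feed it the real `arp -n` output instead of the sample. On Windows the equivalent input would be `arp -a`, which needs a slightly different regex.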
