I have been looking at using the UAC IC controllers to do user authentication for resources protected by a ScreenOS firewall policy. My understanding is that the source IP is used as part of the auth table mapping that is created and pushed to the ScreenOS firewall by the IC controller.
My question is, if I have multiple users behind a NAT device that all initiate connections from the same source IP from the perspective of the ScreenOS, are we able to identify these users individually? Is the auth table entry that is created for the first user that gets authorised by the resource policies on the IC controller, able to be used by subsequent unauthenticated/unauthorised users behind the same IP? Or can we somehow uniquely identify users, even though they will all come from the same source IP?
Thanks for your responses.
The IC supports the use of IPsec tunnels through NAT devices to allow users access to protected resources.
In a NAT environment, a virtual IP address must be used for the IPsec tunnel's inner address.
Also note that the endpoints must be located on one side of the NAT devices, and both the IC Series device and Infranet Enforcer must be located on the other side of the devices.
NAT is not supported between the IC Series device and Infranet Enforcer. If there is a NAT device between the endpoint and the IC Series device, but not between the endpoint and the Infranet Enforcer, source IP enforcement does not work. This is also true if there is a NAT device between the endpoint and the Infranet Enforcer, but not between the endpoint and the IC Series device.
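A small model of the behaviour the answer describes, added here and not taken from Juniper documentation or the thread: the enforcer keys its auth table on the source IP it sees, so users behind one NAT address share the first user's entry, while per-user inner (virtual) IPs from an IPsec tunnel keep the keys distinct. All names, addresses and roles are constructed.

```python
from dataclasses import dataclass, field

# Simplified model of an IC-controller auth table pushed to a ScreenOS
# Infranet Enforcer: lookups are keyed on the source IP the enforcer sees.

@dataclass
class AuthTable:
    entries: dict = field(default_factory=dict)  # src_ip -> (user, roles)

    def push(self, src_ip, user, roles):
        """IC controller pushes an entry after the user authenticates."""
        self.entries[src_ip] = (user, frozenset(roles))

    def lookup(self, src_ip):
        return self.entries.get(src_ip)

def nat_source(real_ip, nat_map):
    """Post-NAT source IP as seen by the enforcer (identity if no NAT)."""
    return nat_map.get(real_ip, real_ip)

def enforce(table, seen_src_ip, required_role):
    """Policy decision the enforcer makes for a flow with this source IP."""
    entry = table.lookup(seen_src_ip)
    if entry is None:
        return ("deny", None)
    user, roles = entry
    return ("permit" if required_role in roles else "deny", user)

def nat_collisions(sessions, nat_map):
    """Defender check: distinct users whose flows share one post-NAT source IP."""
    by_ip = {}
    for user, real_ip in sessions:
        by_ip.setdefault(nat_source(real_ip, nat_map), set()).add(user)
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}

def demo():
    # Constructed addresses: two private hosts hidden behind one NAT address.
    nat_map = {"10.1.0.11": "203.0.113.5", "10.1.0.12": "203.0.113.5"}
    table = AuthTable()
    # alice authenticates; the enforcer only ever sees the NAT address
    table.push(nat_source("10.1.0.11", nat_map), "alice", ["app_users"])
    # bob never authenticated, yet his flow matches alice's entry
    bob_decision = enforce(table, nat_source("10.1.0.12", nat_map), "app_users")
    # With per-user virtual inner IPs from an IPsec tunnel, keys stay distinct
    tunnel = AuthTable()
    tunnel.push("172.16.0.11", "alice", ["app_users"])
    carol_decision = enforce(tunnel, "172.16.0.12", "app_users")
    collisions = nat_collisions([("alice", "10.1.0.11"), ("bob", "10.1.0.12")], nat_map)
    return bob_decision, carol_decision, collisions
```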
If we have the following situation:
Juniper SSG140 with "VFX" zone and a Trust zone. VFX and Trust networks privately addressed.
"VFX" zone has an IPSEC VPN termination device (not Juniper)
The IPSEC VPN termination device has an interface which connects into the VFX network and an interface which is connected directly onto the Internet for IPSEC clients to be able to connect.
Trust zone has an application server that home users need to connect to.
Users sitting at home VPN into the IPSEC termination device over the Internet. Users then make requests to connect to the application server sitting behind the Juniper on the Trust zone. The user traffic is decrypted and sent on by the VPN device. The Juniper sees the traffic as originating from the VPN device on the VFX zone, regardless of how many users connect.
If we use an IC controller to authenticate the traffic coming from the VPN device on the VFX zone and destined for the application server on the Trust zone, is it impossible to differentiate different user sessions as they all appear to come from one source IP?