SunScreen 3.1 Reference Manual

Proxy User Authentication

The FTP and Telnet proxies of SunScreen provide the ability to restrict access to users who can verify their authenticity.

User authentication mechanisms of SunScreen are described in detail in Chapter 9, Authentication. In this section, the discussion is prefaced by notes that pertain especially to how these user mechanisms are employed by the proxies.

The goals of user authentication within a proxy are to:

A side-effect of establishing an authentic user is a collateral mapping to a backend user identity. This identity is a string that is supplied (by the FTP proxy) as the user of the backend server (for example, a user's userid on Solaris).

The second goal is achieved by the rule matching steps previously described. A rule that references the authentic proxy user itself, or that references a GROUP proxy user that contains an ENABLED member reference to that authentic proxy user, causes a successful user match.
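The user-match rule above, sketched as an added example (not SunScreen code or its storage format). The `ProxyUser` model, the sample names and the backend identities are constructed assumptions, and only direct group membership is modelled, as the paragraph describes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ProxyUser:
    """Simplified, hypothetical stand-in for a proxy user entry."""
    name: str
    kind: str = "SIMPLE"                    # "SIMPLE" or "GROUP"
    backend_user: Optional[str] = None      # identity handed to the backend server
    # GROUP only: member name -> True if the member reference is ENABLED
    members: Dict[str, bool] = field(default_factory=dict)


def rule_matches_user(rule_user: str, authentic: str,
                      table: Dict[str, ProxyUser]) -> bool:
    """Return True if a rule's user reference matches the authenticated user."""
    if rule_user == authentic:
        return True                         # rule references the user itself
    entry = table.get(rule_user)
    if entry is None or entry.kind != "GROUP":
        return False                        # unknown name, or a different SIMPLE user
    # A member reference that is absent or not ENABLED does not match.
    return entry.members.get(authentic, False)


def backend_identity(authentic: str, table: Dict[str, ProxyUser]) -> Optional[str]:
    """Collateral mapping from the authentic proxy user to the backend user string."""
    entry = table.get(authentic)
    return entry.backend_user if entry else None


# Constructed sample data: two SIMPLE users and one GROUP with one disabled member.
USERS = {
    "jdoe": ProxyUser("jdoe", backend_user="jdoe_sol"),
    "temp": ProxyUser("temp", backend_user="tmp01"),
    "ftp-staff": ProxyUser("ftp-staff", kind="GROUP",
                           members={"jdoe": True, "temp": False}),
}

if __name__ == "__main__":
    for user in ("jdoe", "temp"):
        print(user, rule_matches_user("ftp-staff", user, USERS),
              backend_identity(user, USERS))
```

The disabled `temp` reference is the case to check when auditing group-based rules: the user still authenticates, but a rule naming only the group does not match.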

Proxy Limitations

Proxy implementation has the following limitations:

Save Is Not Required With Certain Common Objects

The following common objects that appear in the administration GUI are automatically saved when they are edited or new objects are added:

You do not need to save these objects. Once these objects are added or edited, the change applies immediately and cannot be reversed. The Save button in the administration GUI is greyed out to show that it is inactive.


Note - Although the changes made to these objects are saved immediately, they do not take effect until a policy is activated. The administration GUI edits authorized users (authuser objects), administrative users (adminuser objects), or proxy users (proxyuser objects), and Java archive (Jar) hashes and Jar signatures.