SunScreen 3.2 Administration Guide

Appendix B Quick Start Procedures

This appendix contains cookbook-style instructions for setting up the Telnet, FTP, HTTP, and SMTP proxy services, and for configuring RADIUS and SecurID user authentication for the Telnet and FTP proxies.

Telnet Proxy Service Without Proxy User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         none
Authorized user password     none
Backend user name            bu1
Backend Telnet server name   telnet_server
SunScreen proxy name         sunscreen_fw
Client machine name          tiny

To Set Up the SunScreen Environment
  1. Add an entry in the /etc/hosts file if it is accessible, for example:


    1.2.3.4 telnet_server
    

  2. Type the following to make sure the backend Telnet server is accessible:


    ping -s telnet_server 
    

To Configure the Telnet Proxy Service

Note -

There is no need to create an authorized user.


  1. Create the proxy user:

    1. In the Common Objects section, select Proxy User from the Type list.

    2. Select New Single from the Add New list.

      The Proxy User dialog box appears.

    3. Type a name for this Proxy User in the Name field, for example:


      pu1
      

    4. Select the User Enabled check box.

    5. Leave the Authorized User Name field empty.

    6. Type a name in the Backend User Name field, for example:


      bu1
      

    7. Click the OK button.

  2. Create a Policy Rule.

    1. Click the Add New button in the Policy Rules area of the Policy Rules page.

      The Rule Definition dialog box appears.

    2. Select the following values for each field by clicking the down arrow to display the list:

      Service               telnet
      Source Address        *
      Destination Address   *
      Action                ALLOW
      PROXY list            PROXY_TELNET

  3. Save the changes:

    1. Click the Verify Policy button.

    2. Click the Save Changes button.

  4. Test the Telnet Proxy Service

    From the client machine:

    1. Make sure the physical connections are good.

    2. Make sure the client machine can access the SunScreen proxy:


      ping -s sunscreen_fw 
      

    3. Test the Telnet proxy service:

      Command issued        telnet sunscreen_fw
      Username@Hostname     pu1@telnet_server
      Password              Press the Return key


      tiny# telnet sunscreen_fw
      Trying 70.70.70.1...
      Connected to sunscreen_fw.
      Escape character is "^]".
      SunScreen Telnet Proxy Version 3.2
      
      Username@Hostname: pu1@telnet_server
      Password:       <press return> 
      Trying telnet_server (1.2.3.4) ...
      Connected to telnet_server
      
      SunOS 5.6
      
      login: bu1
      Password: bu1_pw 
      

Telnet Proxy Service With Proxy User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         au1
Authorized user password     au1_pw
Backend user name            bu1
Backend Telnet server name   telnet_server
SunScreen proxy name         sunscreen_fw
Client machine name          tiny

To Set Up the SunScreen Environment
  1. Type the following to make sure the backend Telnet Server is accessible:


    # ping -s telnet_server 
    

  2. Add an entry in the /etc/hosts file if it is accessible. For example:


    1.2.3.4 telnet_server
    

To Configure the Telnet Proxy Service
  1. Create an authorized user:

    1. In the Common Objects section, select Authorized User from the Type list.

    2. Select New from the Add New list.

      The Authorized User dialog box appears.

    3. Type a name for this authorized user in the Name field, for example:


      au1
      

    4. Select the User Enabled check box.

    5. Type the password:


      au1_pw
      

    6. Select the Enabled check box after the Password field.

    7. Retype the password:


      au1_pw
      

    8. Click the OK button.

  2. Create the Proxy User:

    1. In the Common Objects section, select Proxy User from the Type list.

    2. Select New from the Add New list.

      The Proxy User dialog box appears.

    3. Type a name for this Proxy User in the Name field, for example:


      pu1
      

    4. Select the User Enabled check box.

    5. Type the following in the Authorized User Name field:


      au1
      

    6. Type a name in the Backend User Name field, for example:


      bu1
      

    7. Click the OK button.

  3. Create a Policy Rule:

    1. Click the Add New button in the Policy Rules area of the Policy Rules page.

      The Rule Definition dialog box appears.

    2. Select the following values for each field:

      Service               telnet
      Source Address        *
      Destination Address   *
      Action                ALLOW
      PROXY list            PROXY_TELNET

    3. Click the OK button.

  4. Save the changes:

    1. Click the Verify Policy button.

    2. Click the Save Changes button.

  5. Test the Telnet Proxy Service

    From the client machine:

    1. Make sure the physical connections are good.

    2. Make sure the client machine can access the SunScreen proxy:


      ping -s sunscreen_fw 
      

    3. Test the Telnet proxy service:

      Command issued        telnet sunscreen_fw
      Username              pu1@telnet_server
      Password              au1's password, for example au1_pw (the password is not seen because it is echo suppressed)


      tiny# telnet sunscreen_fw
      Trying 70.70.70.1...
      Connected to sunscreen_fw.
      Escape character is "^]".
      SunScreen Telnet Proxy Version 3.2
      
      Username@Hostname: pu1@telnet_server
      Password: au1_pw
      Trying telnet_server (1.2.3.4) ...
      Connected to telnet_server
      
      
      SunOS 5.6
      
      login: bu1
      Password: au1_pw 
      

FTP Proxy Service Without Proxy User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         none
Authorized user password     none
Backend user name            bu1
Backend user password        bu1_pw
Backend FTP server name      ftp_server
SunScreen proxy server name  sunscreen_fw
Client machine name          tiny

To Set Up the SunScreen Environment

Note -

The ping command must be enabled in the Rules page before you can perform the following procedure.


  1. Type the following to make sure the backend FTP Server is accessible:


    ping -s ftp_server 
    

  2. Add an entry in the /etc/hosts file if it is accessible. For example:


    1.2.3.4 ftp_server
    

To Configure the FTP Proxy Service

Note -

There is no need to create an authorized user.


  1. Create the proxy user:

    1. In the Common Objects section, select Proxy User from the Type list.

    2. Select New Single from the Add New list.

      The Proxy User dialog box appears.

    3. Type a name for this Proxy User in the Name field, for example:


      pu1
      

    4. Select the User Enabled check box.

    5. Leave the Authorized User Name field empty.

    6. Type a name in the Backend User Name field, for example:


      bu1
      

    7. Click the OK button.

  2. Create a Policy Rule

    1. Click the Add New button in the Policy Rules area of the Policy Rules page.

      The Rule Definition dialog box appears.

    2. Select the following values for each field:

      Service               proxy_ftp
      Source Address        *
      Destination Address   *
      Action                ALLOW

    3. From the PROXY list, select PROXY_FTP.

    4. Enable the FTP command options, for example:

      GET           ALLOW
      CHDIR         ALLOW
      PROXY USERS   pu1

    5. Click the OK button.

  3. Save the changes:

    1. Click the Verify Policy button.

    2. Click the Save Changes button.

To Test the FTP Proxy Service

From the client machine:

  1. Make sure the physical connections are good.

  2. Use the ping command to make sure the client machine can access the SunScreen proxy:


    # ping -s sunscreen_fw 
    


    Note -

    The ping command must be enabled in the Rules page before you can perform this procedure.


  3. Test the FTP proxy service.

    For example, the following values produce the screen output in Example B-1:

    Command issued    ftp sunscreen_fw
    User name         pu1@ftp_server
    Password          <anything>@bu1_pw or @bu1_pw, for example zzz@bu1_pw (the password is not seen because it is echo suppressed)


    Example B-1 Screen Output


    tiny# ftp sunscreen_fw
    Connected to sunscreen_fw.
    220- Proxy: SunScreen FTP Proxy Version 3.2
     : Username to be given as <proxy-user>'@'<FTP-server-host>
     : Password to be given as <proxy-password>'@'<FTP-server-password>
    220  Ready.
    Name (sunscreen_fw: root): pu1@ftp_server
    331- Proxy: Authenticate & connect: 
    331  Password needed to authenticate 'pu1'.
    Password:       <zzz@bu1_pw> 
    OR
    Password:       <@bu1_pw>
    230- Proxy: 
     : Authentication mapped 'pu1' to backend user 'bu1'.
     : Connecting to ftp_server (1.2.3.4) - done.
     Server: 220 ftp_server FTP server (SunOS 5.6) ready.
     Proxy: Login on server as 'bu1'.
     Server: 331 Password required for bu1.
     Proxy: Supplying password to server.
    230  Server: User bu1 logged in.
    ftp> ls

FTP Proxy Service With Proxy User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         au1
Authorized user password     au1_pw
Backend user name            bu1
Backend user password        bu1_pw
Backend FTP server name      ftp_server
SunScreen proxy server name  sunscreen_fw
Client machine name          tiny

To Set Up the SunScreen Environment
  1. Use the ping command to make sure the backend FTP Server is accessible:


    ping -s ftp_server 
    

  2. Add an entry in the /etc/hosts file if it is accessible. For example:


    1.2.3.4 ftp_server
    

To Configure the FTP Proxy Service
  1. Create the authorized user:

    1. In the Common Objects section, select Authorized User from the Type list.

    2. Select New from the Add New list.

      The Authorized User dialog box appears.

    3. Type a name for this authorized user in the Name field, for example:


      au1
      

    4. Select the User Enabled check box.

    5. Type the password:


      au1_pw
      

    6. Select the Enabled check box after the Password field.

    7. Retype the password:


      au1_pw
      

    8. Click the OK button.

  2. Create a Proxy User:

    1. In the Common Objects section, select Proxy User from the Type list.

    2. Select New from the Add New list.

      The Proxy User dialog box appears.

    3. Type a name for this Proxy User in the Name field, for example:


      pu1
      

    4. Select the User Enabled check box.

    5. Type a name in the Authorized User Name field:


      au1
      

    6. Type a name in the Backend User Name field, for example:


      bu1
      

    7. Click the OK button.

  3. Create a Policy Rule:

    1. Click the Add New button in the Policy Rules area of the Policy Rules page.

      The Rule Definition dialog box appears.

    2. Select the following values for each field:

      Service               ftp
      Source Address        *
      Destination Address   *
      Action                ALLOW
      PROXY list            PROXY_FTP

    3. Enable the FTP command options, for example:

      GET           ALLOW
      CHDIR         ALLOW
      PROXY USERS   pu1

  4. Click the OK button.

  5. Save the changes:

    1. Click the Verify Policy button.

    2. Click the Save Changes button.

  6. Test the FTP Proxy Service

    From the client machine:

    1. Make sure the physical connections are good.

    2. Make sure the client machine can access the SunScreen proxy:


      # ping -s sunscreen_fw 
      

    3. Test the FTP proxy service:

      Command issued        ftp sunscreen_fw
      Username              pu1@ftp_server
      Password              for example au1_pw@bu1_pw (the password is not seen because it is echo suppressed)


      Example B-2 Screen Output


      tiny# ftp sunscreen_fw
      Connected to sunscreen_fw.
      220- Proxy: SunScreen FTP Proxy Version 3.2
       : Username to be given as <proxy-user>'@'<FTP-server-host>
       : Password to be given as <proxy-password>'@'<FTP-server-password>
      220  Ready.
      Name (sunscreen_fw: root): pu1@ftp_server
      331- Proxy: Authenticate & connect: 
      331  Password needed to authenticate 'pu1'.
      Password:       <au1_pw@bu1_pw>
      230- Proxy: 
       : Authentication mapped 'pu1' to backend user 'bu1'.
       : Connecting to ftp_server (1.2.3.4) - done.
       Server: 220 ftp_server FTP server (SunOS 5.6) ready.
       Proxy: Login on server as 'bu1'.
       Server: 331 Password required for bu1.
       Proxy: Supplying password to server.
      230  Server: User bu1 logged in.
      ftp> ls

HTTP Proxy Service


Note -

User authentication does not apply.


The following information is used in this example:

Backend HTTP Server name   gobaby
Backend HTTP Server URL    gobaby/Sun.Net
SunScreen proxy name       sunscreen_fw
Client machine name        tiny

To Set Up the SunScreen Environment
  1. Disable the HTTP daemon (for example, httpd), if it is running.

  2. Type the following to make sure the backend HTTP Server is accessible:


    ping -s gobaby 
    

  3. Add an entry in the /etc/hosts file if it is accessible. For example:


    1.2.3.4 gobaby
    

To Configure the HTTP Proxy Service
  1. Create the Proxy User:

    1. In the Common Objects section, select Proxy User from the Type list.

    2. Select New from the Add New list.

      The Proxy User dialog box appears.

    3. Type a name for this Proxy User in the Name field, for example:


      pu1
      

    4. Leave the Authorized User Name field blank.

    5. Leave the Backend User Name blank.

    6. Click the OK button.

  2. Create a Policy Rule:

    1. Click the Add New button in the Policy Rules area of the Policy Rules page.

      The Rule Definition dialog box appears.

    2. Select the following values for each field:

      Service                          http
      Source address                   *
      Destination address              *
      Action                           ALLOW
      PROXY list                       PROXY_HTTP
      Cookies, ActiveX, Java, and SSL  ALLOW/DENY

    3. Click the OK button.

  3. Save the changes:

    1. Click the Verify Policy button.

    2. Click the Save Changes button.

  4. Test the HTTP Proxy service

    From the client machine:

    1. Make sure the physical connections are good.

    2. Make sure the client machine can access the SunScreen proxy:


      ping -s sunscreen_fw
      

    3. Configure the browser to use the HTTP proxy:

      HTTP Proxy    sunscreen_fw
      Port          80

    4. Type the following URL:


      http://gobaby/Sun.Net
      

The screen output appears on the web page.

SMTP Proxy Service


Note -

User authentication does not apply.


To Set Up the SunScreen Environment
  1. Configure addresses and rules for DNS servers and address(es) for SMTP server(s) as follows:


    ssadm edit Initial
    edit> add Address dns0 HOST 1.2.3.4
    edit> add Address dns1 HOST 1.2.3.5
    edit> add Address dns-servers GROUP { dns0 dns1 } { }
    edit> add Address smtp-server HOST ...
    edit> add Rule dns localhost dns-servers ALLOW
    

  2. Test spam filtering.

    The rule below allows mail from any address to all inbound mailboxes, with no relay checking.


    edit> add Rule smtp "*" smtp-server ALLOW PROXY_SMTP RELAY
    edit> save
    

  3. Type the following to create a basic mail spam list (list of domains and/or addresses which won't be allowed to send mail):


    ssadm edit Initial mail_spam add spam.com
    ssadm edit Initial mail_spam add 0.0.0.0..255.255.255.255
    


    Note -

    For more information on spam control, see "SMTP Proxy" in SunScreen 3.2 Administrator's Overview.


  4. Type the following to activate the configuration:


    ssadm activate Initial
    

    This refuses mail from any named host in spam.com, any host that has an unregistered address, and any originator name (in MAIL FROM: command) within spam.com.

Now a connection from an unregistered host, or from a registered host under the domain spam.com, looks like this:


% telnet efs 25
Trying 1.2.3.4...
Connected to efs
Escape character is "^]".
455 Smells like ... bacon ... no, spam!
Connection closed by foreign host.

The reverse-translated name (or lack thereof) has determined the originator is a spammer.

A connection from a registered host not under the domain spam.com looks like this:


% telnet efs 25
Trying 1.2.3.4...
Connected to efs
Escape character is "^]".
220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19:34:40 -0800 (PST)
helo me.com
250 efs Hello me.com [3.4.5.6], pleased to meet you
mail from: elvis-lives@spam.com
455 Smells like ... bacon ... no, spam!
Connection closed by foreign host.

The connection is aborted because the originating user was determined to be a spammer. elvis-lives@spam.com is an alternate syntax for the mailbox.

To Test Relay Blocking
  1. Type the following to replace the previous rule with a rule that checks relaying:


    edit> add Rule smtp "*" smtp-server ALLOW PROXY_SMTP
    

    This allows only configured domains in inbound mailbox names.

  2. Type the following to create a basic mail relay list (a list of domains and/or hosts which will/will not be allowed as recipient):


    ssadm edit Initial mail_relay add good.org
    ssadm edit Initial mail_relay add !too.good.org
    ssadm edit Initial mail_relay add !too-mailer
    ssadm edit Initial mail_relay add plenty.org
    

    The ! prefix indicates that the domain or host is not to be allowed; if you are using csh, remember to escape the !, which is a shell meta-character.

    Relay processing first compares the recipient domain(s) to those which are NOTs (that is, begin with !); if the recipient is found there, the message is refused.

    Second, the recipient domain(s) are compared to the list of OK domains (that is, without !); if found, the recipient is allowed.

  3. Activate the configuration.

    This refuses mail to any mailbox in the subdomain too.good.org or for the host too-mailer, but accepts messages bound for any mailbox in other parts of good.org, or any mailbox in plenty.org (from RCPT TO: command).

    This example shows mail for allowed recipients, ending in one that will not be relayed to:


    % telnet efs 25
    Trying 1.2.3.4...
    Connected to efs
    Escape character is "^]".
    220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19:34:40 -0800 (PST)
    helo me.com
    250 efs Hello me.com [3.4.5.6], pleased to meet you
    mail from: me@me.com
    250 me@me.com... Sender ok
    rcpt to: <johnny.b@good.org>
    250 Recipient ok
    rcpt to: extra@extra@good.org
    250 Recipient ok
    rcpt to: <chinz@plenty.org>
    250 Recipient ok
    rcpt to: but.not@too.good.org
    454 Relay refused
    Connection closed by foreign host.

    The connection was aborted because the recipient would require a forbidden relay operation.

    Other examples of relay addresses that will not be allowed are:

    • bad1@too-mailer

    • bad2@too-mailer@good.org

    • bad3@too.good.org@good.org

    • @good.org,bad4@too.good.org

    • @too.good.org,bad5@ok.good.org


      Note -

      The last two bullet items are examples of older, ARPANET-style path naming, and most modern mail transfer agents (MTAs), such as sendmail, are not configured to accept them, regardless of whether they pass our relay filtering. Also, mailbox names surrounded by <> are treated as if there were no <>s.


  4. Test default relay.

    If there is no configured relay list, the domain name of the SunScreen host itself is used as the allowed domain. For example, if the SunScreen name is host@domain.com, the relay checking behaves as if the following command was configured as the entire relay list:


    ssadm edit Initial mail_relay domain.com
    

    The following example shows mail which actually gets through:


    % telnet efs 25
    Trying 1.2.3.4...
    Connected to efs
    Escape character is "^]".
    220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19:34:40 -0800 (PST)
    helo me.com
    250 efs Hello me.com [3.4.5.6], pleased to meet you
    mail from: me@me.com
    250 me@me.com... Sender ok
    rcpt to: you@good.com
    250 Recipient ok
    rcpt to: really@really.good.org
    250 Recipient ok
    rcpt to: i-got@plenty.org
    250 Recipient ok
    rcpt to: good@and.plenty.org
    250 Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Subject: I Love Candy
    
    I really, really love good candy ... yummm!  Send me some!
    
    .
    250 UAA01234 Message accepted for delivery
    quit
    221 efs closing connection
    Connection closed by foreign host.

    After the . (ending the mail session), the proxy and mailer return to the state where the mailer expects the next message (starting with a MAIL FROM: command).


    Note -

    Backslash \ and end-of-line denote command line continuation.
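
The relay check described in steps 2 through 4 above, reimplemented as an added example (this is not SunScreen code). It runs the mail_relay entries from this section against the recipient forms shown in the transcripts; the subdomain rule (an entry covers itself and everything below it), the refusal of a recipient that matches neither list, and the placeholder Screen domain are assumptions made here.

```python
from typing import List, Sequence, Tuple

# The mail_relay list built by the ssadm commands above (entries as typed).
RELAY_LIST = ["good.org", "!too.good.org", "!too-mailer", "plenty.org"]


def parse_relay_list(entries: Sequence[str]) -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """Split mail_relay entries into (denied, allowed) domain tuples.

    An entry prefixed '!' names a domain or host that must not be relayed to.
    """
    denied = tuple(e[1:].lower() for e in entries if e.startswith("!"))
    allowed = tuple(e.lower() for e in entries if not e.startswith("!"))
    return denied, allowed


def recipient_domains(rcpt: str) -> List[str]:
    """Return every domain or host named in one RCPT TO address.

    Covers the forms in the transcripts: user@domain, user@host@domain,
    ARPANET source routes '@hop,user@domain', and addresses wrapped in <>,
    which are treated as if the brackets were not there.
    """
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    domains = []
    for hop in addr.split(","):            # source-route hops are comma separated
        pieces = hop.split("@")            # text after each '@' is a host or domain
        domains.extend(p.strip().lower() for p in pieces[1:] if p.strip())
    return domains


def domain_matches(domain: str, entry: str) -> bool:
    """A list entry covers itself and every subdomain below it (assumption)."""
    return domain == entry or domain.endswith("." + entry)


def relay_allowed(rcpt: str, relay_list: Sequence[str], screen_domain: str) -> bool:
    """Two-pass relay check: any '!' match refuses, then any plain match allows.

    With no configured list the Screen's own domain is the only allowed one
    (the "default relay" case).  A recipient matching neither list is refused.
    """
    denied, allowed = parse_relay_list(relay_list)
    if not denied and not allowed:
        allowed = (screen_domain.lower(),)
    domains = recipient_domains(rcpt)
    if not domains:
        return False
    if any(domain_matches(d, n) for d in domains for n in denied):
        return False
    return any(domain_matches(d, a) for d in domains for a in allowed)


def relay_session(rcpts: Sequence[str], relay_list: Sequence[str],
                  screen_domain: str) -> List[Tuple[str, str]]:
    """Answer a run of RCPT TO lines the way the proxy does in the transcripts.

    Each allowed recipient gets 250; the first refused one gets 454 and the
    connection is closed, so nothing after it is evaluated.
    """
    replies = []
    for rcpt in rcpts:
        if relay_allowed(rcpt, relay_list, screen_domain):
            replies.append((rcpt, "250 Recipient ok"))
        else:
            replies.append((rcpt, "454 Relay refused"))
            break
    return replies
```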


Configuring RADIUS Authentication

A typical RADIUS configuration uses two Screens, each of which protects the site. With multiple sites, a given site may use the RADIUS server of another site as a backup.

To Configure RADIUS Authentication
  1. Identify the RADIUS servers:


    # ssadm edit Policy
    edit> vars add prg=auth name=RADIUSServers VALUES={ host=radius_server_name } DESCRIPTION="RADIUS server name(s) or addresses to query"
    

  2. Add the node secret used by the RADIUS protocol to secure traffic between the RADIUS client and server:


    # ssadm edit Policy
    edit> vars add sys=screen_name prg=auth name=RADIUSNodeSecret VALUE="xxxxxxxx"
    

    Where xxxxxxxx is the RADIUS Node Secret.

  3. Add a rule to allow the SunScreen machine to communicate with the RADIUS servers:


    # ssadm edit Policy
    edit> add rule radius EFS_hostname radius_server_name ALLOW
    edit> save
    # ssadm activate Policy
    

Telnet Proxy Service With RADIUS User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         au1
Authorized user password     au1_pw
Backend user name            bu1
Backend user password        bu1_pw
Backend Telnet server name   telnet_server
SunScreen proxy server name  sunscreen_fw

To Configure the Telnet Proxy Service With RADIUS User Authentication
  1. Follow the steps in the previous section, "Configuring RADIUS Authentication".

  2. Add a rule to enable the Telnet Proxy for a pre-defined RADIUS user:


    # ssadm edit Policy
    edit> Add Rule telnet USER radius ALLOW PROXY_Telnet
    edit> save
    # ssadm activate Policy
    

  3. Test the Telnet Proxy with RADIUS authentication:

    Telnet command issued   telnet sunscreen_fw
    Username@Hostname       /radius/bu1@telnet_server
    Password                bu1_radpw


    # telnet sunscreen_fw
    Username@Hostname: /radius/bu1@telnet_server
    Password: bu1_radpw
    

FTP Proxy Service With RADIUS User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         au1
Authorized user password     au1_pw
Backend user name            bu1
Backend user password        bu1_pw
Backend FTP server name      ftp_server
SunScreen proxy server name  sunscreen_fw
RADIUS user name             bu1
RADIUS user password         bu1_radpw

To Configure the FTP Proxy Service With RADIUS User Authentication
  1. Follow the steps in the section above, "Configuring RADIUS Authentication".

  2. Configure the FTP Proxy Service:

    1. Create a Proxy user group, for example, ftp-grp.

    2. Add predefined users radius and securid to ftp-grp.


      # ssadm edit Policy
      > proxyuser add ftp-grp GROUP
      > proxyuser addmember ftp-grp radius
      > proxyuser addmember ftp-grp securid
      

    3. For each user that will be using the FTP Proxy:

      1. Create a record in the Authorized User database.

      2. Create a record in the Proxy User database.

      3. Add the user as member of ftp-grp:


        # ssadm edit Policy
        > authuser add au1 PASSWORD=\{ au1_pw \}
        > proxyuser add pu1 auth_user_name=au1 backend_user_name=bu1
        > proxyuser addmember ftp-grp pu1
        

        This example assumes the C shell. The backslash \ before each bracket escapes the shell's special characters { and }. For the Bourne shell, the backslash is not necessary.

        Since there are typically many users to administer, this is a good task to automate with a script.

    4. Add a rule to allow the FTP proxy for the proxy user group, ftp-grp.


      # ssadm edit Policy
      edit> Add Rule ftp USER ftp-grp ALLOW PROXY_FTP FTP_GET FTP_CHDIR
      edit> save
      # ssadm activate Policy
      

  3. Test the FTP Proxy with RADIUS authentication:

    FTP proxy login      ftp sunscreen_fw
    Username@Hostname    bu1@ftp_server
    Password             bu1_radpw@bu1_pw


    # ftp sunscreen_fw
    Username@Hostname: radius_user@ftp_server
    Password: radius_user_pw@password_at_ftp_server
    

SecurID Clients Supported by SunScreen

SunScreen supports two mechanisms for SecurID clients:

    • Install ACE/Agent 3.3 on each user desktop.

    • Install the SunScreen SecurID stub client on the SunScreen machine. The stub client supports Solaris 2.6, Solaris 7, and Solaris 8, on both SPARC and Intel platforms. To install it:

    1. As root, install a copy of sdconf.rec from the ACE server after it has been configured to have SunScreen as the ACE client.

    2. Type the following in the directory containing sdconf.rec:


      # /usr/lib/sunscreen/lib/securid_stubclient_setup sdconf.rec
      

    ACE/Agent 3.3 is supported only on the Solaris 2.6 SPARC platform. It replaces the system login module with an ACE login module. When ACE/Agent 3.3 is installed on each user desktop, ACE accounting shows that the user is authenticated through the user's desktop.


    Note -

    The EFS SecurID stub client supports Solaris 2.6, Solaris 7, and Solaris 8, on both SPARC and Intel platforms. Install it only on the SunScreen EFS firewall. ACE accounting will show that the users are authenticated through the EFS machine.


To Configure SecurID Authentication
  1. Follow ACE documentation to set up the ACE server and configure SecurID users.

  2. Install either ACE/Agent 3.3 on each user desktop or the SunScreen SecurID stub client on the EFS machine.

  3. Add a rule to allow the SunScreen machine to communicate with the ACE servers:


    # ssadm edit Policy
    edit> Add Rule securid EFS_hostname securid_server_name ALLOW
    edit> save
    # ssadm activate Policy
    

Telnet Proxy Service With SecurID User Authentication

To Set Up the Telnet Proxy Service With SecurID User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         au1
Authorized user password     au1_pw
Backend user name            bu1
Backend user password        bu1_pw
Backend Telnet server name   telnet_server
SunScreen proxy server name  sunscreen_fw

  1. Follow the steps in "To Configure SecurID Authentication".

  2. Add a rule to allow telnet proxy for predefined SecurID user:


    # ssadm edit Policy
    edit> Add Rule telnet USER securid ALLOW PROXY_Telnet
    edit> save
    # ssadm activate Policy
    

  3. Test the Telnet Proxy with SecurID Authentication:

    Telnet proxy login command issued   telnet sunscreen_fw
    Username@Hostname                   /securid/bu1@telnet_server
    Password                            securid_passcode


    # telnet sunscreen_fw
    Username@Hostname: /securid/bu1@telnet_server
    Password: securid_passcode
    

FTP Proxy Service With SecurID User Authentication

To Set Up the FTP Proxy Service With SecurID User Authentication

The following information is used in this example:

Proxy user name              pu1
Authorized user name         au1
Authorized user password     au1_pw
Backend user name            bu1
Backend user password        bu1_pw
Backend FTP server name      ftp_server
SecurID user name            bu1
SecurID user passcode        securid_passcode

  1. Follow the steps in "To Configure SecurID Authentication".

  2. Configure the FTP Proxy Service

    1. Create a Proxy user group, for example, ftp-grp.

    2. Add predefined users radius and securid to ftp-grp:


      # ssadm edit Policy
      > proxyuser add ftp-grp GROUP
      > proxyuser addmember ftp-grp radius
      > proxyuser addmember ftp-grp securid
      

    3. For each user that will be using the FTP Proxy:

      1. Create a record in the Authorized User database.

      2. Create a record in the Proxy User database.

      3. Add user as member of ftp-grp:


        # ssadm edit Policy
        > authuser add au1 PASSWORD=\{ au1_pw\}
        > proxyuser add pu1 auth_user_name=au1 backend_user_name=bu1
        > proxyuser addmember ftp-grp pu1
        

        Since there are typically many users to administer, this can be done through a script.

    4. Add a rule to allow FTP proxy for proxy user group ftp-grp:


      # ssadm edit Policy
      edit> Add Rule ftp USER ftp-grp ALLOW PROXY_FTP FTP_GET FTP_CHDIR
      edit> save
      # ssadm activate Policy
      

  3. Test the FTP Proxy with SecurID Authentication:

    FTP proxy login      ftp sunscreen_fw
    Username@Hostname    /securid/bu1@ftp_server
    Password             securid_passcode@bu1_pw


    # ftp sunscreen_fw
    Username@Hostname: /securid/bu1@ftp_server
    Password: securid_passcode@bu1_pw
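
The login format used by the Telnet and FTP proxy sections above, and the /radius/ and /securid/ prefixed form used in the RADIUS and SecurID sections, taken apart and checked as an added example (this is not SunScreen code). The split points (last '@' in the user name, first '@' in the FTP password), the sample user records, and the external_check callback standing in for the RADIUS or SecurID server are assumptions made here.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ProxyUser:
    """One Proxy User object: optional Authorized User, optional backend user."""
    name: str
    authorized_user: Optional[str]   # None when no proxy authentication is wanted
    backend_user: Optional[str]      # None for the HTTP proxy, which maps no user


# Constructed sample of the Common Objects used in this appendix's examples.
AUTHORIZED_USERS = {"au1": "au1_pw"}
PROXY_USERS = {
    "pu1": ProxyUser("pu1", authorized_user="au1", backend_user="bu1"),
    "pu2": ProxyUser("pu2", authorized_user=None, backend_user="bu1"),
}
EXTERNAL_METHODS = ("radius", "securid")   # the predefined proxy users


def parse_login(username: str, password: str, service: str):
    """Split a proxy login into (method, user, host, proxy_pw, backend_pw).

    username is <user>@<host>, optionally prefixed /radius/ or /securid/.
    For FTP the password is <proxy-password>@<server-password>; for Telnet the
    whole field is the proxy password and the backend server prompts itself.
    """
    method = "proxy"
    if username.startswith("/"):
        parts = username.split("/", 2)     # "/radius/bu1@host" -> ["", "radius", "bu1@host"]
        if len(parts) != 3:
            raise ValueError("malformed authentication prefix")
        _, method, username = parts
    if "@" not in username:
        raise ValueError("user name must be given as <user>@<host>")
    user, host = username.rsplit("@", 1)               # a host never contains '@'
    if service == "ftp":
        proxy_pw, _, backend_pw = password.partition("@")  # split at the first '@'
    else:
        proxy_pw, backend_pw = password, None
    return method, user, host, proxy_pw, backend_pw


def authenticate(username: str, password: str, service: str,
                 external_check: Optional[Callable[[str, str, str], bool]] = None):
    """Authenticate a proxy login; return (backend_user, host, backend_pw) or None.

    This is the step the FTP proxy reports as "Authentication mapped 'pu1' to
    backend user 'bu1'".  external_check(method, user, secret) stands in for the
    RADIUS or SecurID server and is an assumption of this example.
    """
    try:
        method, user, host, proxy_pw, backend_pw = parse_login(username, password, service)
    except ValueError:
        return None
    if method in EXTERNAL_METHODS:
        # Predefined users: the external server decides, and the name passes through.
        if external_check is None or not external_check(method, user, proxy_pw):
            return None
        return user, host, backend_pw
    if method != "proxy":
        return None
    pu = PROXY_USERS.get(user)
    if pu is None:
        return None
    if pu.authorized_user is not None:
        expected = AUTHORIZED_USERS.get(pu.authorized_user)
        # Constant-time comparison; a missing Authorized User record also fails.
        if expected is None or not hmac.compare_digest(expected.encode(), proxy_pw.encode()):
            return None
    # Without an Authorized User any proxy password, even an empty one, is accepted.
    return pu.backend_user, host, backend_pw
```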