Thanks for your response. In item 2, you discuss using LDAP-S and indicate that this will "secure communications between the security appliance and the LDAP server". What about securing the communications from the Web Server to the Securit appliance? If that communication is not secured, would it not be possible if our DMZ had been compromised to read the Authentication traffic from the security appliance to the Web Server?

Hi Melton,

PIX Firewall version 6.3 introduces a secured method to exchange usernames and passwords between a web client and a PIX Firewall. This version uses HTTP over the Secure Socket Layer (SSL) (HTTPS). HTTPS encrypts the username and password, and makes the transmission secure.

When you authenticated a web browser using a AAA server on earlier versions of PIX Firewall, the username and password were obtained from the HTTP client in clear text.

Add this keyword to the aaa command to enable this feature:

pix(config)#aaa authentication secure-http-client

The keyword secure-http-client enables this feature so the username and password are exchanged securely between HTTP clients and the PIX Firewall.

You must configure AAA authentication and issue this command in order to enable this feature:

pix(config)#aaa authentication include authen_service if_name 0 0 0 0

See the Configure AAA in PIX section for the syntax of this command.

This feature also supports authentication of clients that access secure (HTTPS) websites.

Note: When you enable AAA authentication, secure-http-client is not required to authenticate HTTPS sessions.

Regards,

~JG

Do rate helpful posts

If Kerberos is used, is the authentication method encrypted when it leaves the Web Server on the DMZ interface of the security appliance and travels ingress on the inside interface of the security appliance to the Domain Controller?