Reverse Proxy: Authentication Offloading like TMG
Will there be a feature like authentication / captive portal (e.g. the proxy settings "transparent with authentication") for enabling a reverse proxy?
This would be so useful for small installations with no frontend Exchange / DMZ.
(Juniper calls this "webauth")
Many companies need a new solution that can replace the Microsoft TMG because this firewall and reverse proxy solution is discontinued. For secure publishing, companies need pre-authentication and authentication delegation features. The possibility to implement a certificate-based or two-factor authentication on a form-based authentication form is also a missing feature.
It would be nice to have form-based authentication as Microsoft ISA or FTMG has. That means an authentication on the Astaro against the AD (SSO) and then storing the information so that users do not have to authenticate twice if they hit different web servers from outside.
Squid has that functionality, I am surprised that Sophos has not implemented it.
Authentication against AD for access to WEB server
We are hard at work on this feature and will deliver the first implementation of front end authentication as part of our Web Server protection (reverse proxy) in UTM 9.2. The public beta will begin in October. Stay Tuned!
Unfortunately the UTM 9.2 only has the option for Basic Authentication to the real webserver. You really need to support Kerberos and even Kerberos Constrained Delegation to accommodate a wide range of Microsoft implementations.
2-factor Forms based auth would be nice - ie. AD creds & radius lookup for RSA token (the citrix access gateway can do this)
I too would like to see forms based authentication on the UTM. It would be nice to have users authenticated before entering the network for sites like SharePoint.
Aaron Bugal commented
Given the demise of ISA and TMG, many organisations are using Forms Based Authentication over SSL provided by the TMG to the world. Once a user is authenticated to a backend (typically AD), an SSO action is performed against the Exchange Client Access Service, presenting an authenticated Outlook Web Access session.
Currently, with the Sophos WAF, we simply publish the CAS; however, the issue is that in some cases SSL certificates are NOT used, as the TMG only requires SSL from external and then internally requests OWA content via HTTP.
As such, our current implementation requires those customers to configure the IIS server sustaining the OWA/CAS system with an SSL certificate that is publicly verifiable.
Tim Bauer commented
Would love to see this! If you implement a working solution which will publish a captive portal using LDAP for auth and redirects the credentials directly to the Outlook Web Access (standardauth), you could be the only real alternative for Microsoft's TMG. There is no solution out there which handles the OWA auth that well.... we have many customers asking for this.
I would love to see this feature implemented ASAP.
I hope the next version will have it.
christian kueppers commented
Would be a great idea.
Ludovic Peny commented
This feature can also be a good workaround for HTTP resources we would like to publish in the HTML5 portal but that are limited to 1 user (and we don't want to define x times the same resource).
This feature is very important, we have many requests searching for a TMG alternative, especially OWA publishing and access control for different user groups.
How many votes are needed to force this request?
Gert, how many votes are needed for this feature?
Martin Herbert commented
Please as soon as possible!! That would be a great feature for the ReverseProxy. Citrix calls it AccessGateway.
Hi Gert (@ Astaro), any further progress on this? We are planning to implement a web-based CRM/ERP I would like to protect in addition... thx
Please as soon as possible! That would be a great feature.
Christian Bahn commented
Please earlier! That would be a great feature!
I 2nd this, I would love to expose a few internal web sites to my users OUTSIDE of my network. Having AD Authentication for the Web Application module would be perfect. Our old Novell iChain had this feature, it was very nice.
Scott Klassen commented
Do you mean WebAdmin? This already exists. You can set access to admin by user or groups, which can be setup as linked to backend (AD) accounts or groups.
We need this feature as soon as possible!
An authentication portal is the only missing feature that keeps us from offering OWA via Internet... It would be a great thing!
rf from shl commented
For an easier implementation of Outlook Web Access (OWA) it is a must!
We've currently got 3 customers who need this feature.
The new reverse proxy feature is great to protect public webservers. To really protect company-insides (OWA, CRM,..) a captive portal with a dedicated authentication (backend e.g. LDAP, SSO, AAA (RSA)...) is a must. Without this, ISA servers and other similar products would still be required.