User Authentication Problems

OK, this is a bit long to set up the scenario, so here goes.

"The Customer" has a multi-site network spanning the country, all connected via T-1's. Here is the way traffic routes from outside IN...

Cisco 1720 Router (basic point-to-point T1), Cisco PIX Firewall v6.3 with multiple access-lists and statics, Cisco 2600 Router where all the T's come in. This unit is the primary (default) gateway for all clients on the network. From there it spans into (ready for this?) a 10 Mb HUB, not a switch, A HUB, that connects everyone at the main site together.

OK now for traffic going INSIDE to OUT...

Start at the client, go to a Cisco 2600 (routed either internally or to the PIX), hit the PIX, and then the PIX authenticates the client back to a Websense server to allow or not allow access (on ports 80, 21 and 8080).

Now the FUN part... Both servers are DCs within the Active Directory "company-name". Previously they only had 1 server, and before it cratered its AD domain name was "companyname" without the hyphen. They have rolled out well over 70 PCs nationwide that authenticate to "company-name" and the existing 60-100 with "companyname". The ones with the "companyname" AD domain name are mixed 98/XP machines. The ones with "company-name" are mainly XP.

The problem is that users who try to access the internet with the filtering turned on are prompted with a username and password when they are not in the "company-name" domain. So the first part of the question is this: HOW CAN I MERGE THE 2 AD DOMAINS TOGETHER WITHOUT TOUCHING EACH AND EVERY "companyname" PC?

Now on to the second part, and I am sure I know the answer to this. BUT since this whole network is a ROUTED network and doesn't use any other protocols, I am sure the latency to the servers and to the internet is coming from lost packets from the 10 Mb HUBs... The question on the second part is this: provided that the 10 Mb HUBs aren't the problem, is there better performance and response when using the UDP transport for authentication from the PIX to Websense rather than TCP?

And lastly, does anyone know of a logon script that I can use to change a machine's domain status and/or workgroup membership? I know the 3rd question kinda contradicts the first, but I have to get to the point where they can authenticate before I can use login scripts.

I know this is a bit to decode, so I am starting this one out with 500 points (hope I can go higher)..

Thanks Experts!!!!!!!
 
pperry76Author Commented:
ahhhhhhh hell, only 1 part of this pertains to firewalls... sorry guys.. should I repost into the Windows 2000 category? or do you think I will get answers here?
0
 
ahoffmannCommented:
> TOGETHER WITHOUT TOUCHING EACH AND EVERY
AFAIK only by using M$'s trusted relationship

> .. is there better performance ..
As you describe your network, I assume that you have everything set up as M$ default, meaning: never touched anything except when told to do so, P&P == plug&pay.
In other words, I assume that your network's main purpose is to route and deliver a huge amount of useless broadcast packets.
If that's true, you get much better performance when you simply configure your clients, in particular:
  1. stop any browser broadcast like "I want to be the master browser"
  2. use NetBIOS over TCP instead of SMB
0
 
pperry76Author Commented:
So you're saying I have to touch each machine to stop the master browser broadcast traffic... The problem with the trusted relationships is that there is now no server in companyname, only company-name ..... Would utilizing the NetBIOS settings in DHCP help any?

Maybe that would at least get me able to run login scripts, which takes me to the changing of the computer's domain via login script part.
0
 
ahoffmannCommented:
> .. I have to touch each machine to stop the master browser broadcast traffic
Yes. Or if you have logon scripts you can do it there.

> would utilizing the NetBIOS settings in DHCP help any?
i.g. yes, but I know of some W2K, NT and XP machines which do not accept the settings there properly. You have to check yourself.
0
 
pperry76Author Commented:
My team and I were able to come up with a solution.

--- HOW CAN I MERGE THE 2 AD DOMAINS TOGETHER WITHOUT TOUCHING EACH AND EVERY "companyname" PC? ---
Set up a temp NT 4.0 Server to handle all the clients on the "companyname" domain. We chose NT4 rather than 2003 or 2000 in case the Windows NT4 and 9x clients didn't have the Active Directory connector installed. We will then change each machine via login script or some other means to point to the new "company-name" domain.

--- is there better performance and response when using the UDP transport for authentication from the PIX to Websense rather than TCP? ---
The UDP transport for authentication is better in a large environment, but TCP works FINE for fewer than 200 users.
Websense has the ability to PREPEND the domain name of the users as long as they are listed in the Active Directory. So the clients that are not logging into the "company-name" domain receive a username & password box when they attempt to surf a filtered protocol outside the local WAN or LAN.

--- logon script that I can use to change a machine's domain status and/or workgroup membership? ---
We haven't gotten to this part yet. We have a temp fix in place now to facilitate what we need. So if anyone knows of a way to do this, please leave a post here.

Thanks to all for your help
0
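For the third question, which the thread leaves open, here is an added example (not a post from this thread and not Websense or Cisco code) of a machine startup script that moves an XP/NT-family workstation from the old "companyname" domain to "company-name" using the WMI method Win32_ComputerSystem.JoinDomainOrWorkgroup. It is a startup script rather than a user logon script because a domain join needs local administrator rights, which the SYSTEM account running startup scripts has and an ordinary user does not; it cannot help the Windows 98 machines, which have no machine accounts to join with. The domain names come from the thread; the parameter names and the join account are assumptions.

```powershell
# Added example: startup script to re-home a workstation from "companyname" to "company-name".
# Assumes the target domain's DCs are reachable and that the supplied credential may join machines.
param(
    [string]$TargetDomain = "company-name",   # new AD domain named in the thread
    [string]$OldDomain    = "companyname",    # old AD domain named in the thread
    [string]$JoinUser     = $null,            # assumed join account, e.g. "company-name\joinacct"
    [string]$JoinPassword = $null             # supply at run time; never hard-code it in a script in NETLOGON/SYSVOL
)

# Documented option flags for Win32_ComputerSystem.JoinDomainOrWorkgroup
$JOIN_DOMAIN = 1   # join a domain rather than a workgroup
$ACCT_CREATE = 2   # create the computer account in AD if it does not already exist

function Get-CurrentDomain {
    # Win32_ComputerSystem reports the domain (or workgroup) the machine currently belongs to
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    return @{ Name = $cs.Domain; PartOfDomain = $cs.PartOfDomain }
}

function Join-TargetDomain {
    $current = Get-CurrentDomain
    if ($current.PartOfDomain -and ($current.Name -ieq $TargetDomain)) {
        Write-Output "Already a member of $TargetDomain; nothing to do."
        return 0
    }
    if ($current.Name -ine $OldDomain) {
        # Only move machines still on the old domain; anything else is left for an admin to look at
        Write-Output "Unexpected membership '$($current.Name)'; leaving this machine alone."
        return 1
    }
    if (-not $JoinUser -or -not $JoinPassword) {
        Write-Output "No join credential supplied; refusing to continue."
        return 2
    }
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $flags = $JOIN_DOMAIN -bor $ACCT_CREATE
    $result = $cs.JoinDomainOrWorkgroup($TargetDomain, $JoinPassword, $JoinUser, $null, $flags)
    if ($result.ReturnValue -eq 0) {
        Write-Output "Joined $TargetDomain; a reboot is required to complete the move."
    } else {
        # ReturnValue is a Win32 error code, e.g. 5 = access denied, 1355 = domain not found
        Write-Output "Join failed with Win32 error $($result.ReturnValue)."
    }
    return $result.ReturnValue
}

Join-TargetDomain
```

The machine needs a reboot after a successful join, and users will get fresh profiles on the new domain unless profiles are migrated separately.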
 
CetusMODCommented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0