User Authentication Problems

Posted on 2004-10-28
Medium Priority
Last Modified: 2010-04-09
OK, this is a bit long to set up the scenario, so here goes.

"The Customer" has a multi-site network spanning the country, all connected via T1s. Here is the way traffic routes from outside in:

Cisco 1720 router (basic point-to-point T1), Cisco PIX firewall v6.3 with multiple access-lists and statics, Cisco 2600 router where all the T1s come in. This unit is the primary (default) gateway for all clients on the network. From there it goes into, ready for this, a 10 Mb HUB (not a switch, a HUB) that connects everyone at the main site together.

OK now for traffic going INSIDE to OUT...

Start at the client, go to a Cisco 2600 (routed either internally or to the PIX), hit the PIX, and then the PIX authenticates the client back to a Websense server to allow or deny access (on ports 80, 21, and 8080).

Now the FUN part... Both servers are DCs within the Active Directory "company-name". Previously they only had 1 server, and before it cratered its ADDN was "companyname" without the hyphen. They have rolled out well over 70 PCs nationwide that authenticate to "company-name" and the existing 60-100 with "companyname". The ones with the "companyname" ADDN are mixed 98/XP machines. The ones with "company-name" are mainly XP.

The problem is that users who try to access the internet with the filtering turned on are prompted with a username and password when they are not in the "company-name" domain. So the first part of the question is this: HOW CAN I MERGE THE 2 ADDNs TOGETHER WITHOUT TOUCHING EACH AND EVERY "companyname" PC?

Now on to the second part, and I am sure I know the answer to this. BUT since this whole network is a ROUTED network and doesn't use any other protocols, I am sure the latency to the servers and to the internet is coming from lost packets from the 10 Mb HUBs... The question on the second part is this: provided that the 10 Mb HUBs aren't the problem, is there better performance and response when using the UDP transport for authentication from the PIX to Websense rather than TCP?

And lastly, does anyone know of a logon script that I can use to change a machine's domain status and/or workgroup membership? I know the 3rd question kinda contradicts the first, but I have to get to the point where they can authenticate before I can use login scripts.

I know this is a bit to decode, so I am starting this one out with 500 points (hope I can go higher).

Thanks Experts!!!!!!!
Question by:pperry76
Author Comment

ID: 12438646
Ahhhhhhh hell, only 1 part of this pertains to firewall... sorry guys. Should I repost into the Windows 2000 category, or do you think I will get answers here?
LVL 51

Expert Comment

ID: 12448899
AFAIK only by using M$'s trusted relationship

> .. is there better performace  ..
As you describe your network, I assume that you have everything set up as M$ default, meaning: never touched anything except when told to do so, P&P == plug&pay.
In other words, I assume that your network's main purpose is to route and deliver a huge amount of useless broadcast packets.
If that's true, you get much better performance when you simply configure your clients, in particular:
  1. stop any browser broadcast like "I want to be the master browser"
  2. use NetBIOS over TCP instead of SMB

Author Comment

ID: 12462029
So you're saying I have to touch each machine to stop the master browser broadcast traffic... The problem with the trusted relationships is that there is no server in companyname, only company-name... Would utilizing the NetBIOS settings in DHCP help any?

Maybe that would at least get me able to run login scripts, which takes me to the changing of the computer's domain via login script part.
LVL 51

Expert Comment

ID: 12462456
> .. i have to touch each machine to stop the master browser broadcast traffic
Yes. Or if you have logon scripts you can do it there.

> would utilizing the netbios settings in DHCP help any?  
i.g. yes, but I know of some w2k, NT, XP which do not accept settings there properly. You have to check yourself.
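As an added example (not from this thread or from either poster), a logon/startup script for the two client-side changes suggested above, which also reports which machines are still joined to the old domain so they can be scheduled for migration. It assumes Windows 2000/XP clients with WSH and WMI, that it runs with local admin rights (for example as a computer startup script), and the log share path is a placeholder.

```vbscript
' Added example: apply the client settings from the comment above and audit domain membership.
' Assumptions: Windows 2000/XP client, WSH + WMI present, run with local admin rights.
Option Explicit

Const OLD_DOMAIN = "companyname"       ' old, hyphen-less domain from the thread
Const NEW_DOMAIN = "company-name"      ' target domain from the thread
Const LOG_PATH   = "\\LOGSERVER\logs$\domain-audit.txt"   ' placeholder share, not a real path

Dim sh, fso, wmi, cs, item, logLine
Set sh  = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")

' 1. Stop this client from taking part in master browser elections (one source of broadcasts).
sh.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList", _
            "No", "REG_SZ"

' 2. Prefer WINS (unicast) over broadcast name resolution: NetBIOS node type 8 = H-node.
'    This is the same setting DHCP option 46 carries; set locally for clients that ignore DHCP.
sh.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType", 8, "REG_DWORD"

' 3. Record which domain the machine is joined to, flagging the ones still on the old ADDN.
Set cs = wmi.ExecQuery("SELECT Name, Domain, PartOfDomain FROM Win32_ComputerSystem")
For Each item In cs
    logLine = Now & vbTab & item.Name & vbTab & item.Domain
    If LCase(item.Domain) = OLD_DOMAIN Then
        logLine = logLine & vbTab & "NEEDS-MIGRATION to " & NEW_DOMAIN
    End If
    AppendLog logLine
Next

Sub AppendLog(text)
    On Error Resume Next   ' a missing share must not hang the user's logon
    Dim f
    Set f = fso.OpenTextFile(LOG_PATH, 8, True)   ' 8 = ForAppending, create if missing
    f.WriteLine text
    f.Close
End Sub
```

The actual move to "company-name" needs domain-join credentials and admin rights, so it belongs in an admin-run tool (netdom, or Win32_ComputerSystem.JoinDomainOrWorkgroup) rather than in a user logon script where the credentials would sit in a readable file; this script only identifies the machines that need it.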

Author Comment

ID: 12474956
My team and I were able to come up with a solution.

Set up a temp NT 4.0 server to handle all the clients on the "companyname" domain. We chose NT4 rather than 2003 or 2000 in case the Windows NT4 and 9x clients didn't have the Active Directory connector installed. We will then change each machine via login script or some other means to point to the new "company-name" domain.

> is there better performance and response when using the UDP transport for authentication from the PIX to WEBSENSE rather than the TCP?

The UDP transport for authentication is better in a large environment, but TCP works FINE for less than 200 users.
Websense has the ability to PREPEND the domain name of the users as long as they are listed in the Active Directory. So for the clients that are not logging into the "company-name" domain, they receive a UN&PW box when they attempt to surf a filtered protocol outside the local WAN or LAN.

> logon script that i can use to change a machines domain status and or workgroup membership?

We haven't gotten to this part yet. We have a temp fix in place now to facilitate what we need. So if anyone knows of a way to do this, please leave a post here.

Thanks to all for your help

Accepted Solution

CetusMOD earned 0 total points
ID: 15934947
PAQed with points refunded (500)

Community Support Moderator
