Explanation: User Authentication

User authentication provides native, in-band authentication of HTTP, FTP, TELNET and RLOGIN connections. The VPN-1/FireWall-1 enforcement module provides a security server for each of these protocols. A security server is an application-layer daemon that can both emulate the server side of a connection towards a client (in order to challenge the client for authentication information) and open a client-side connection to the real server on behalf of that client (after authentication succeeds). In other words, it acts as a transparent application-layer proxy.

When user authentication is configured for a rule, connection requests that match the rule are intercepted and handed to the appropriate security server. For example, when an HTTP request is sent from a client to a destination web server, the enforcement module intercepts the request and passes it to the HTTP security server, which completes the HTTP connection with the client (the client believes it has connected directly to the destination web server). The HTTP security server then challenges the client for authentication details. The client returns its credentials, which are verified using the authentication scheme defined for the user object whose name matches the username the client supplied. Only once authentication succeeds does the security server open a new connection to the destination web server; it then relays the request and passes any HTTP traffic from the destination back to the client. All subsequent traffic travels over two connections: one from the web client to the security server, and a second from the security server to the web server. The destination web server therefore only ever sees a connection originating from the firewall, and no traffic reaches it before the client has authenticated.
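The two-leg flow described above, modelled as an added example (this is illustrative code written for this page, not Check Point's security server implementation). It assumes an HTTP Basic authentication challenge as the in-band mechanism (the page does not say which HTTP challenge the real security server uses), a constructed user store USER_DB standing in for the user objects and their authentication schemes, and a constructed fake_web_server standing in for the destination; all class and function names are hypothetical.

```python
"""Toy in-band authenticating HTTP proxy ("security server") for illustration."""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed user store; a real deployment consults the authentication scheme
# configured on the matching user object (OS password, RADIUS, ...).
USER_DB: Dict[str, str] = {"alice": "correct horse battery staple"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into method, target and lower-cased headers."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_header(user: str, password: str) -> str:
    """Value of an 'Authorization: Basic ...' header for user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()


def authenticate(users: Dict[str, str], authz: Optional[str]) -> Optional[str]:
    """Return the username if the Basic credential matches a known user, else None."""
    if not authz or not authz.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(authz[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Unknown users compare against an empty secret so both failure paths do the
    # same work; the explicit membership check stops "" == "" from passing.
    expected = users.get(user, "")
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return user if ok and user in users else None


@dataclass
class HttpSecurityServer:
    """First leg: client <-> this proxy. Second leg (upstream) is only opened
    after the client has answered the challenge successfully."""
    users: Dict[str, str]
    upstream: Callable[[bytes], bytes]                  # stands in for the server-side connection
    authenticated: Dict[str, str] = field(default_factory=dict)  # client address -> username
    audit: list = field(default_factory=list)

    CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
                 b"WWW-Authenticate: Basic realm=\"FireWall-1\"\r\n"
                 b"Content-Length: 0\r\n\r\n")

    def handle(self, client_addr: str, raw: bytes) -> bytes:
        method, target, headers = parse_request(raw)
        user = self.authenticated.get(client_addr)
        if user is None:
            user = authenticate(self.users, headers.get("authorization"))
            if user is None:
                self.audit.append(("challenge", client_addr, target))
                return self.CHALLENGE       # answered locally; nothing reaches the web server
            self.authenticated[client_addr] = user
        # Rebuild the request for the second leg without the firewall credential,
        # so the destination never sees the user's password.
        out_headers = {k: v for k, v in headers.items() if k != "authorization"}
        forwarded = (f"{method} {target} HTTP/1.1\r\n"
                     + "".join(f"{k}: {v}\r\n" for k, v in out_headers.items())
                     + "\r\n").encode("latin-1")
        self.audit.append(("forward", client_addr, user, target))
        return self.upstream(forwarded)     # second leg: security server -> web server


def fake_web_server(request: bytes) -> bytes:
    """Constructed destination: reports the path served and whether a credential leaked."""
    _method, target, headers = parse_request(request)
    body = f"served {target}; credential leaked: {'authorization' in headers}".encode()
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body


def demo() -> Tuple[bytes, bytes, bytes, list]:
    """Unauthenticated request is challenged; credentials open the second leg;
    later requests from the same client are relayed without a new challenge."""
    proxy = HttpSecurityServer(USER_DB, fake_web_server)
    client = "10.0.0.5:51234"
    plain = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    first = proxy.handle(client, plain)
    with_creds = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  + f"Authorization: {basic_header('alice', USER_DB['alice'])}\r\n".encode()
                  + b"\r\n")
    second = proxy.handle(client, with_creds)
    third = proxy.handle(client, plain)
    return first, second, third, proxy.audit


if __name__ == "__main__":
    for step in demo()[:3]:
        print(step.split(b"\r\n", 1)[0])
```

One caveat the model makes visible: because the challenge is in-band, the credential crosses the client-to-firewall leg inside the client protocol itself, so for plain HTTP, TELNET, FTP or RLOGIN it is readable on the wire before it reaches the security server; the second leg, and the destination server, never see it.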