Monitor Authenticating proxy

I am trying to monitor health on a pair of Clearswift SWG appliances by connecting to external websites.

I have set up an HTTP monitor sending 'get http://www.bbc.co.uk/ http/1.1\r\n\r\n' and if I use a receive string of 407 the monitor works. This suggests the proxy is returning 407 Authentication required as expected.

If I add Username and Password to the monitor, it still works with a return string of 407, but not with 200. This suggests that the monitor isn't passing the authentication through to the Clearswift proxy.

Can anyone point me in the right direction for a simple HTTP health monitor through an authenticating proxy?

Thanks

Steve

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The proxy is telling you that it needs the Proxy-Authenticate header. You are going to have to create a custom HTTP monitor; an easy way to do this is with curl. If you create a proxy request with curl and use the -v option, it will output the HTTP request. You can recreate the request in the HTTP monitor quite easily.

1
Comments on this Answer
Comment made 28-Nov-2013 by Steve A 57
That got it. Thanks Steve
0

I am also looking for the same kind of configuration. Please post the configuration if you have implemented this.

Thanks in advance.

Kunal B.

0

Use curl as suggested by Richard to get the authentication token string. Then create an http monitor with send and receive strings similar to below.

Send String

GET HTTP://www.xxx.co.uk/ HTTP/1.1\r\nProxy-Authorization: Basic String from Curl Test\r\nHost: www.xxx.co.uk\r\nAccept: */*\r\nProxy-Connection: Close\r\nConnection: Close\r\n\r\n

Receive string

HTTP/1.1 200 OK

0

Thanks for the reply Steve.

Can you please explain in detail? I am getting the below HTTP response from the server:

< HTTP/1.1 407 Proxy Authentication Required

< Proxy-Authenticate: NEGOTIATE

< Proxy-Authenticate: NTLM

< Proxy-Authenticate: BASIC realm="IWA_Direct"

< Cache-Control: no-cache

< Pragma: no-cache

< Content-Type: text/html; charset=utf-8

< Proxy-Connection: close

< Set-Cookie: BCSI-CS-7d06572a9586553b=2; Path=/

< Connection: close

< Content-Length: 3500

Also, please confirm: do I need to put the username and password as well?

Kunal B

0

The curl command should look something like:

curl www.microsoft.com --http1.1 --proxy-ntlm --proxy-user : --proxy http://: -v > .\out.txt

You could use proxy-basic instead of proxy-ntlm, depending on the auth versions available.

I also created an AD user to authenticate as, which had no permissions on the network except for access to the internet via the proxy, with no password expiry.

0
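A sketch tying together the 407 response and the Basic send string from the posts above; it is an added example, not code from any poster or from F5. The function names and the `user`/`pass` credentials are constructed, and the send-string layout follows the one shown earlier in the thread. It reads which schemes the proxy offers, builds the static send string only when Basic is among them, and shows that the embedded token decodes straight back to the password, which is why a dedicated low-privilege account is the right choice for the monitor.

```python
import base64

# Constructed sample: the 407 response headers quoted earlier in this thread.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NEGOTIATE\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: BASIC realm="IWA_Direct"\r\n'
    "Proxy-Connection: close\r\n\r\n"
)

def offered_schemes(raw_response):
    """Return the auth schemes a 407 response offers, upper-cased, in order."""
    schemes = []
    for line in raw_response.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].upper())
    return schemes

def basic_token(user, password):
    """Basic credentials are only base64(user:password); nothing is encrypted."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def monitor_send_string(url, host, user, password, schemes):
    """Build a static send string; of the schemes above only Basic fits one."""
    if "BASIC" not in schemes:
        raise ValueError("Basic not offered; a static header cannot authenticate")
    lines = [
        f"GET {url} HTTP/1.1",
        f"Proxy-Authorization: Basic {basic_token(user, password)}",
        f"Host: {host}",
        "Proxy-Connection: Close",
        "Connection: Close",
    ]
    # The monitor field in this thread uses literal \r\n escape sequences.
    return "\\r\\n".join(lines) + "\\r\\n\\r\\n"

def recover_credentials(send_string):
    """What anyone able to read the monitor configuration can recover."""
    token = send_string.split("Proxy-Authorization: Basic ")[1].split("\\r\\n")[0]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```
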

Thanks Steve for the reply, I have tried curl as below,

curl http://www.google.com --proxy 89.2.43.110:80 -U r7b:test --proxy-ntlm -v

And found below reply,

* About to connect() to proxy 89.2.43.110 port 80 (#0)

* Trying 89.2.43.110... connected

* Connected to 89.2.43.110 (89.2.43.110) port 80 (#0)

* Proxy auth using NTLM with user 'r7b'

GET http://www.google.com HTTP/1.1

Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=

User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5

Host: www.google.com

Accept: */*

Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required

< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAACQAJADgAAAAGgokAkREv22yFgKEAAAAAAAAAAIQAhABBAAAABQCTCAAAAA9NR1JPVVBORVQCABIATQBHAFIATwBVAFAATgBFAFQAAQAUAEYARABZAEkATgBFAFQAQgBDADEABAAaAE0ARwBSAE8AVQBQAE4ARQBUAC4AQwBPAE0AAwAwAGYAZAB5AGkAbgBlAHQAYgBjADEALgBtAGcAcgBvAHUAcABuAGUAdAAuAGMAbwBtAAAAAAA=

< Cache-Control: no-cache

< Pragma: no-cache

< Content-Type: text/html; charset=utf-8

< Proxy-Connection: Keep-Alive

< Set-Cookie: BCSI-CS-7d06572a9586553b=2; Path=/

< Connection: Keep-Alive

< Content-Length: 3519

<

* Ignoring the response-body

* Connection #0 to host 89.2.43.110 left intact

* Issue another request to this URL: 'http://www.google.com'

* Re-using existing connection! (#0) with host 89.2.43.110

* Connected to 89.2.43.110 (89.2.43.110) port 80 (#0)

* Proxy auth using NTLM with user 'r7b'

GET http://www.google.com HTTP/1.1

Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAAAwADAHAAAAAHAAcAcwAAAAAAAAAAAAAABoKJALAR3vHczABkAAAAAAAAAAAAAAAAAAAAAN/jh1Ml/PxUuQAlpK1a3QDWqts1zSHtiHI3YkZEWUxCMTA=

User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5

Host: www.google.com

Accept: */*

Proxy-Connection: Keep-Alive

< HTTP/1.1 200 OK

< Date: Thu, 05 Dec 2013 11:27:00 GMT

< Expires: -1

< Cache-Control: private, max-age=0

< Content-Type: text/html; charset=ISO-8859-1

< P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

< Server: gws

< X-XSS-Protection: 1; mode=block

< X-Frame-Options: SAMEORIGIN

< Alternate-Protocol: 80:quic

< Transfer-Encoding: chunked

< Proxy-Connection: Keep-Alive

< Connection: Keep-Alive

< Set-Cookie: PREF=ID=1442564a06c7befc:FF=0:TM=1386242820:LM=1386242820:S=uEG4ulBH4lbFPP8I; expires=Sat, 05-Dec-2015 11:27:00 GMT; path=/; domain=.google.com

< Set-Cookie: NID=67=mRO5WVD-coHnV6hm7SyyetuTapMZ04xB0_C1lTMT5yRlgKMI1nj_JohiIbFGm_c_eRskjfxeIccejtMzBm99QsxbrZw76pPMHRhnS5qJA859esiqFeHlQ88QBVvd0q_s; expires=Fri, 06-Jun-2014 11:27:00 GMT; path=/; domain=.google.com; HttpOnly

Based on the curl output, I have modified the monitor with the Proxy authorization parameter; below is the GET string:

"GET HTTP://www.google.com/ HTTP/1.1\r\nProxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= \r\nHost: www.google.com\r\nAccept: */*\r\nProxy-Connection: Close\r\nConnection: Close\r\n\r\n"

But the pool members are still showing down.

0
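Decoding the two NTLM tokens from the curl trace in the post above shows why that static send string leaves the pool members down; this is an added example, not code from any poster or from F5. The token values are copied from the trace, the function names are hypothetical, and the field offsets follow the NTLM message layout (signature, 32-bit message type, then type-specific fields).

```python
import base64
import struct

# Header values copied from the curl -v trace in the post above.
TYPE1 = "NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="
TYPE2 = "NTLM TlRMTVNTUAACAAAACQAJADgAAAAGgokAkREv22yFgKEAAAAAAAAAAIQAhABBAAAABQCTCAAAAA9NR1JPVVBORVQCABIATQBHAFIATwBVAFAATgBFAFQAAQAUAEYARABZAEkATgBFAFQAQgBDADEABAAaAE0ARwBSAE8AVQBQAE4ARQBUAC4AQwBPAE0AAwAwAGYAZAB5AGkAbgBlAHQAYgBjADEALgBtAGcAcgBvAHUAcABuAGUAdAAuAGMAbwBtAAAAAAA="

NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def parse_ntlm(header_value):
    """Decode an NTLM Proxy-Authorization or Proxy-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header value carrying a token")
    raw = base64.b64decode(token)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"type": msg_type, "name": NAMES.get(msg_type, "UNKNOWN")}
    if msg_type == 2 and len(raw) >= 32:
        # TargetName length, max length, offset, then NegotiateFlags.
        name_len, _, name_off, flags = struct.unpack_from("<HHII", raw, 12)
        info["server_challenge"] = raw[24:32].hex()
        encoding = "utf-16-le" if flags & 0x1 else "ascii"  # bit 0: Unicode
        info["target"] = raw[name_off:name_off + name_len].decode(encoding, "replace")
    return info

def static_header_verdict(header_value):
    """Explain what a monitor gets back if it sends this value as a fixed header."""
    msg_type = parse_ntlm(header_value)["type"]
    if msg_type == 1:
        return "opens the handshake only; the proxy replies 407 with a challenge"
    if msg_type == 3:
        return "answers one specific server challenge; a new connection gets a new one"
    return "sent by the proxy, not the client"
```

The header placed in the monitor is the Type 1 message, so the proxy answers it with the 407 challenge seen in the trace rather than 200; completing the exchange takes a client that computes the Type 3 response per connection.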

Hello! I have the same problem. Is there any solution?

0

Did anyone find a solution here?

0

I have gotten this to work myself.

It is because the HTTP monitor relies on receiving a "401 Authenticate" message from the initial BASIC auth request to kick in the NTLM negotiation.

Because proxies respond with a "407 Proxy Authenticate" instead of a 401, the monitor doesn't work.

So I wrote the following external monitor: https://devcentral.f5.com/codeshare/ntlm-authenticated-proxy-external-monitor-1013

0