Forum Discussion

Piotr_Lewandows's avatar
Piotr_Lewandows
Icon for Altostratus rankAltostratus
Mar 02, 2016

Explicit proxy and client NTLM

Hi,

 

I am pretty sure it is easy and possible but can't figure out how. I have user logged to domain, explicit proxy is configured on LTM, user browser is pointed to proxy IP. I would like to avoid separate login when first time accessing proxy.

 

I tried to set it up based on article about client NTLM but it fails, so I think it's a bit different for proxy than for accessing directly some sites.

 

In Access Profile (type SWG-Explicit) there is option to choose NTLM Auth configuration created before (option NTLM Auth Configuration). I did that, now there is question what to choose for User Identification Method - if i can recall options are htto (maybe IP) or credentials - or it is not important in case of explicit proxy?

 

What should be placed in Access Policy? First 407 response then NTLM Auth Result, then for successful Allow?

 

I wonder if in this case assigning eca profile (and iRule enabling it) to the VS configured as explicit proxy is necessary - I suspect that probably not, and doing so could be main issue? That step was in Configuring APM Client Side NTLM Authentication but is that necessary for proxy?

 

Piotr

 

access policy
APM
devops
explicit proxy
ntlm client
Secure Web Gateway
security

5 Replies

Sort By
  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Mar 02, 2016

    It's a bit confusing, but all you need to do is start policy with NTLM Auth result when you use NTLM as the authentication mechanism - no 407 VPE actions needed. Only Kerberos and Basic need 407 action box - NTLM implements it behind the scenes.

     

    • dragonflymr's avatar
      dragonflymr
      Icon for Cirrostratus rankCirrostratus
      Mar 02, 2016
      Hi, Thanks, I will try tomorrow - hope it will work :-) Piotr
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Icon for Cirrocumulus rankCirrocumulus
    Mar 02, 2016

    It's a bit confusing, but all you need to do is start policy with NTLM Auth result when you use NTLM as the authentication mechanism - no 407 VPE actions needed. Only Kerberos and Basic need 407 action box - NTLM implements it behind the scenes.

     

    • dragonflymr's avatar
      dragonflymr
      Icon for Cirrostratus rankCirrostratus
      Mar 02, 2016
      Hi, Thanks, I will try tomorrow - hope it will work :-) Piotr
  • dragonflymr's avatar
    dragonflymr
    Icon for Cirrostratus rankCirrostratus
    Mar 03, 2016

    Hi,

     

    Unfortunately I can't make it work. I have all machine and NTLN Auth configured - seems to be working for me. Machine account created, NTML Auth Configuration with correct data. When it's updated I can see in Wireshark communication with AD server looking like successful verification of account configured as machine account.

     

    I have explicit proxy VSs configured - they are working OK when Access Profile with Basic authentication is used.

     

    When Access Profile that should use NTLM is assigned to those VSs I have no luck in accessing any page. Looking at http communication on the client computer (user logged to domain) there are two 407 responses, transaction looks like that:

     

    • first GET for external site
    • HTTP/1.1 407 Proxy Authentication Required
    • GET with NTLMSSP_CHALLENGE
    • HTTP/1.1 407 Proxy Authentication Required
    • GET with NTLMSSP_AUTH, User: TEST\user - it's the same as user logged into computer
    • HTTP/1.0 302 Found, Server: BigIP, Location: /my.logout.php3?errorcode=22

    I can't see any trace of user session in Manage Sessions, there are no entries in Access Policy >> Event Logs >> Access System Logs All Session report (logging profile has debug set for all categories in Access System Logs). I am not sure if same messages are logged in /var/log/apm - here nothing as well. In Wireshark on AD I can see DCERPC request and response - but don't know NTLM protocol so good to figure out if it's success or not.

     

    My Access Profile is set to:

     

    • Profile Type: SWG-Explicit
    • User Identification Method: tried both IP and Credentials
    • NTLM Auth Configuration: my configuration

    Access Policy looks like on screen:

     

     

    I tried one with HTTP 407 Response set to negotiate, and NTLM Auth Result attached to negotiate branch.

     

    On the client side http exchange seems to be identical no matter what options I use.