Former Member
Not applicable
Message 1 of 9

NTLM authentication and HTTPS sites


Hi!

 

I have WSG 7.8.2.2.0 (26805).

I configured a policy to authenticate and authorize my users from AD via the NTLM method.

Everything works fine with HTTP, but it doesn't work with HTTPS (I also imported my root CA into WSG).

I use rules from the library.

It also works if I use HTTPS Scanning separately (with the authentication rule disabled).

 

rules_wsg.jpg

1 Solution

Accepted Solutions
aloksard
Employee
Message 7 of 9

Re: NTLM authentication and HTTPS sites


Hi,

I see that you are using a WCCP setup, which is transparent.

 

NTLM authentication alone will not work with a transparent setup, as clients are not proxy-aware.

I would suggest using the Authentication Server rule set, wherein front-end authentication will be Time/IP based and NTLM can be used as the back-end authentication.

The HTTPS Scanning rule should be placed above your Authentication Server rule set.

I would also recommend going through our community article regarding authentication considerations for transparent deployment.

You can use the authentication Server Ruleset for the transparent deployment.

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Choosing-the-right-Authentication-Method-for-y...

 

 

Regards

Alok Sarda


8 Replies
aloksard
Employee
Message 2 of 9

Re: NTLM authentication and HTTPS sites


Hi,

Hope you are doing well.

What exactly do you mean by not working with HTTPS? Is the user getting an authentication pop-up while browsing?

Please move your HTTPS Scanning rule set above your authentication rule set and then check.

 

Regards

Alok Sarda

Former Member
Not applicable
Message 3 of 9

Re: NTLM authentication and HTTPS sites


Hi,
I tested the sequence of the Auth and HTTPS Scanning rules.
I always get an SSL error in the browser and don't get any pop-up window in IE or Chrome...

aloksard
Employee
Message 4 of 9

Re: NTLM authentication and HTTPS sites


Hi,

So putting the HTTPS Scanning rule above the Authentication rule set still fails.

This is explicit proxy mode, correct?

Can you share a screenshot of the SSL error the user is receiving?

 

Regards

Alok Sarda

 

 

Ddulay94
Level 9
Message 5 of 9

Re: NTLM authentication and HTTPS sites


TLS/SSL Scanning needs to be above Authentication, as the usernames are in the encrypted part of the Request Header.

I would suggest making sure the Local Intranet Zones on your browsers have been updated to allow connections to the proxies and that your certificates have been properly deployed to the endpoints to trust the proxy. We've had some problems similar to this while deploying via transparent proxy.

Former Member
Not applicable
Message 6 of 9

Re: NTLM authentication and HTTPS sites


Hi.

Thank you aloksard and Ddulay94 for the quick answers!

 

I moved HTTPS Scanning above the Authentication rule.

rules.jpg

I get an error in the browser:

open_https_site.jpg

My proxy mode is:

proxy_mode.jpg

I loaded a CA from my certification server and configured the Internet security options for a low security level.

I want to say again:

- on HTTP, NTLM authentication works properly (Windows automatically fills in credentials)

- on HTTPS but without NTLM authentication, SSL/TLS connections work properly (all HTTPS sites work and I see that the certificates for the sites are issued by me)

- but HTTPS and NTLM do not work together...

 

Former Member
Not applicable
Message 8 of 9

Re: NTLM authentication and HTTPS sites


Thank you!

Authentication Server rules work fine. But without automatic login (as it should be)...

One more question: how can I see the authenticated users and the idle timeout for sessions on WSG?

 

aloksard
Employee
Message 9 of 9

Re: NTLM authentication and HTTPS sites


Hi,

That's great that the authentication part is now working.

You can check authentication statistics by navigating to Dashboard -> Charts & Tables -> Authentication Statistics.

You can also check for usernames in your access logs. You can also make use of reports from CSR for the same, in case logs are being pushed to CSR.

 

Regards

Alok Sarda

 

 
