cancel
Showing results for 
Search instead for 
Did you mean: 

Problems with authentication through non-transparent proxy

Situation:

We are using non-transparent proxy using ldap authentication connector.   When a user attempts to access a http website via the proxy it works fine.   However, when the user attempts to access a HTTPS site, the firewall denies the request.  We are NOT intercepting the traffic; we have an exempt all rule for SSL traffic.    Switching to the Passport authenticator (with LDAP settings behind it), users are prompted for their password and BOTH http and https works!   However it appears to be IP based rather than session based (because users who are NAT'd internally do not get prompted once someone else has logged in behind the NAT).      Is there any way to either:   (A) make HTTPS work with authentication on our non-transparent proxy or, (B) make the passport authenticator session based so that users behind a NAT get prompted to enter their credentials ?????????

On a side note, it appears as though the firewall is stepping on iteself when using LDAP authentication with HTTPS non-transparent proxy as it stright-up denies the traffic and the protocol is not even identified.  

7 Replies
sliedl
Level 14
Report Inappropriate Content
Message 2 of 8

Re: Problems with authentication through non-transparent proxy

What exact version and patch level are you using?


Do you get an error about in-band authentication in the audit?

Re: Problems with authentication through non-transparent proxy

Im running 8.3.1 P05    The firewall is setup as a non-transparent proxy for HTTP and HTTPS applications.

When i use HTTPS as an ip filter (by manually creating a HTTPS application using TCP/443) i get the following:  In-band authentication cannot be done on transparent SSL. Session terminated.

When i use SSL (the default application) i get straight-up denied:

2014-03-05 07:47:46 -0500 f_http_proxy a_aclquery t_attack p_major

pid: 11666 logid: 0 cmd: 'httpp' hostname: blah.blah.com

category: policy_violation event: ACL deny attackip: XX.XX.XX.XX

attackzone: internal application: <Unknown TCP> srcip: XX.XX.XX.XX

srcport: 50346 srczone: internal protocol: 6 dst_geo: US

dstip: 98.139.180.149 dstport: 443 dstzone: external rule_name: Deny All

cache_hit: 1 reason: Traffic denied by policy.

Taking out authentication from the rule, i am able to get out just fine.

Using passport authentication, this works!  However, the NAT problem is introduced as indicated above.

Using Password authentication, this works!   However this is not a viable solution and the NAT problem is also introduced as indicated above.

Using LDAP authentication, i get immediatly denied.

Message was edited by: mathew.d.hailey on 3/5/14 7:18:18 AM CST

Message was edited by: mathew.d.hailey on 3/5/14 7:39:46 AM CST

Message was edited by: mathew.d.hailey on 3/5/14 7:55:51 AM CST
sliedl
Level 14
Report Inappropriate Content
Message 4 of 8

Re: Problems with authentication through non-transparent proxy

Is the HTTP proxy set to 'non-transparent' or 'both' in the generic app-defense settings for this rule?

You must add SSL/80 to the ports on this rule or change the settings in your browser to send SSL on port 443 (rather than 80) to get SSL to work non-transparently through the firewall rules (Firewall Enterprise: How to pass HTTPS through the non-transparent proxy (KB70020))

The 'NAT problem' is unsolvable from the firewall's perspective.

Re: Problems with authentication through non-transparent proxy

Confirmed, the HTTP app defense "generic"  is set to "non-transparent" for all the agents (FTP, HTTP, Oracle and Telnet). 

I have added the following over-ride to the "internet services"  rule: TCP/80 SSL/80,443  (we currently use this configuration on all our firewalls, so i was already familiar with this).  

Any other thoughts? 

Its unfortunate about the NAT problem, i dont understand why it cant be session based like the LDAP authenticator is.

sliedl
Level 14
Report Inappropriate Content
Message 6 of 8

Re: Problems with authentication through non-transparent proxy

A few of us here set this up and it worked fine for us.  The 'Deny All' audit tells us we are hitting some rule but we can't be sure we're hitting the correct rule.  Do you have any other HTTPS rules which interract with this rule (do you have any other HTTPS rule using authentication)?  Do you see any auth failures in the audit?


This reminded me of this recent Community post here:  https://community.mcafee.com/message/320225#320225

You get a Deny All/Unknown TCP audit when the firewall cannot identify the traffic.  Since taking auth out of the rule works we know the firewall is seeing this as SSL/TLS traffic.  If a session is interrupted before the firewall can identify the application (such as a request for auth which is denied by the client) then we will see Deny All/Unknown TCP.  If the firewall requests auth and we fail the authentication we will see an auth deny audit.  If the firewall asks for auth but is RST or FINed we will hit Deny All.  That may be what is happening here.

Re: Problems with authentication through non-transparent proxy

Thanks for the breakdown of the firewall responses, this actually helps alot!      Actually the Firewall is seeing a FIN and hence the deny all.     I will do some more dumps to see where the FIN is originating. 

Re: Problems with authentication through non-transparent proxy

OK.....   using your notes about the firewall responses, i was able to figure out what was going wrong.  

That said, there is really no way for the Passport authenticator to use cookies or some other session based information rather than the source IP?   I have 50+ networks coming through these firewalls and many of them NAT.   The problem becomes that when one person signs in behind a NAT, all other sessions are shown as this person, and nobody gets prompted.  (firewall appears to just associate the source IP with the first users login session, which is NOT correct). 

LDAP is the only authenticator that appears to work behind a NAT.  is this correct? 

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community