Showing results for 
Show  only  | Search instead for 
Did you mean: 

Anyone Using iPads or iPhones with MWG Explicit Proxy with NTLM Auth?

We are looking at the possibility of supporting iPad clients on our MWGs in explicit proxy mode. If possible we would like to use our existing NTLM authentication to a back end AD.  Based on the experience we had with Macs (had to join them to AD and use MCP to make things work properly) I'm going to assume this is not going to be an easy task.

Is anyone doing this in the field? And if so what were your results?



2 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 3

Re: Anyone Using iPads or iPhones with MWG Explicit Proxy with NTLM Auth?

Hi Matt,

In the past, I've worked with customers and they went the route of x509 or certificate authentication (using time based session with auth server). This meant that they distributed certificates out to the devices using an MDM, and then configured the iPads or iPhones to use MWG on a special proxy port (typically with wpad or proxy.pac).

The special proxy port allowed us to distinguish between normal proxy users (doing proxy auth) and byod or iDevices using x509 auth.

Separate from that, I have worked with some customers using wireless network controllers which allowed the MWG to query to see what users was logged into what IP address.

MWG then cached the information to reduce load on the wireless controller.

Apple devices in general do not play well with NTLM authentication so I tend to stay away from it.

If this is something you're interested in, let me know and we can have a chat!

Best Regards,


Former Member
Not applicable
Report Inappropriate Content
Message 3 of 3

Re: Anyone Using iPads or iPhones with MWG Explicit Proxy with NTLM Auth?

Hi Jon,

I'm interested in this as well.

We have a separate CA issuing client certificates that are pushed with our MDM. I'd like to retrieve the CN / SAN information to be able to retrieve the filtering profile to apply (based the AD Group Membership).

I have tried what you suggested here:

I fail to understand why we need to provide the private key of the CA used to issue the client certificates in the Authentication.Authenticate method. Shouldn't the MWG just check if the client certificate is issued by the CA?

Can you help me on this topic?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community