We have a McAfee Web Gateway in a transparent deployment and we need to authenticate the users when they are browsing the internet. I have managed to integrate the gateway with AD and implement authentication using the authentication server as the front end and NTLM as the backend. I used the following document for this.
Now the users can browse the web for about 10 minutes and then they are prompted to re-authenticate. Once they type their credentials in, they can work for another 10 minutes or so.
Now what I want to do is prevent the Web Gateway from prompting like that, since obviously it is going to irritate the users. Therefore I'm looking for a way to implement Single Sign On, so that once the user is logged on to the PC using their domain account they wouldn't be prompted (at least the prompting isn't visible to the users; I don't mind the browser taking care of it in the background) and they can browse the web without being interrupted. Can anyone help me to do this?
Thanks in advance.
The default ruleset is configured as you need. The only change that needed to be made was to reference NTLM instead of the user database (i.e. change out the backend).
The cookie thing doesn't work because it is meant for an entirely different set of rules. Just as there is a ruleset in the library called "Authentication Server (Time/IP based session)", there is another called "Cookie authentication".
This is where the cookie-related settings are used, and they require different actions for cookie auth to work.
I will add more explicit instructions to my previously mentioned document, but the screenshots in it do show the necessary settings.
I'm very glad to hear it is working now. Please let me know the SR you had opened so I can take a look at it.
Thank you for the replies.
I have gone through DOC-4384, and that is how I ended up with this configuration right now. But I have a few more things I would need to clear up:
1. Does MWG support Single Sign On? i.e. a user would never be prompted to enter his username and password.
2. What is the use of the NTLM agent? From what I understand it is just taking the information from AD and giving it to the authentication server of the MWG.
3. Are there any advantages and disadvantages when comparing NTLM and the NTLM agent?
Thanks in advance.
What authentication ruleset do you have in place? If you are using the transparent bridge you should be using the Authentication Server. In addition, you referenced a thread where I had shown you how to obtain the email address from AD (https://community.mcafee.com/message/294135#294135), which is separate from this topic of authentication.
"Does MWG support single sign on?" It is not a question of whether or not the MWG supports it (because it does); it is whether the client browser trusts the MWG to support it. This is discussed in the aforementioned article under "Push browser settings via Group Policy" or "Browser security settings". Think of the MWG as though it is your intranet site: it most likely requires authentication to access it, and this is the same type of authentication MWG is using, except your browser probably trusts the intranet site.
Unless you have a reason to use the NTLM-Agent, you should use Native NTLM (join the MWG to the domain).
Jon
Message was edited by: jscholte on 6/27/13 11:17:35 PM CDT -- see original comment regarding use of the authentication server
Thank you for the reply.
I used the following document to configure the authentication.
Now the users aren't getting prompted to enter the credentials, but when they try to access a site they get the following page as an error. If they enter the same address again they can access it without any issue. Why is this? As far as I can understand this has something to do with the cookie that is being sent.
Any idea of how to stop this?
The authentication server URL has been set to http://ip:port instead of that <$property bla bla bla> thing, because the latter didn't seem to work with my setup.
Thanks in advance. And by the way, you have been far more helpful compared to the TAC.
Rukmal
Message was edited by: rukmalf on 6/28/13 3:35:01 AM CDT
Please review the aforementioned doc again. This issue is coming about because of some change you made:
"The authentication server URL has been set to http://ip:port instead of that <$property bla bla bla> thing, because the latter didn't seem to work with my setup."
I'd suggest reimporting the rules and trying again.
As a rule of thumb start with what works (the defaults), and then deviate from there.
The default URL doesn't seem to work; that is why I changed it to the specific IP and port. My URL looks like http://172.25.104.90:9090, where the IP is the gateway IP and the port is the proxy listening port.
The default doesn't have the ticks on the 2 cookie options, so every time you close the browser and open it after the timeout I'm prompted (this happens even using the default URL).
But when I put those 2 ticks in the authentication server window for the cookie options, I get a rule engine error from McAfee. The next time I go to the same page it displays the page as usual.
The URL is something like http://dailymirror.lk/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Land&setCookie=......., where dailymirror.lk is the site I'm trying to access after leaving it idle for some time.
Leave the default URL. This is necessary because it uses a variable instead of a static string. Imagine if you change the MWG's IP, or if you have multiple nodes in a cluster which share the same settings. Each appliance will generate its own string.
You cannot have both "require client id" and "store auth result in a cookie" checked, otherwise you will get an error.
I would appreciate it if you could help me out here. This is what I have done up to now:
4. The backend is NTLM, as shown in the pic.
5. Have added http://172.25.104.90,http://mcafeevwg.mit.com to network.automatic-ntlm-auth.trusted-uris in Firefox.
When I try to log in I'm prompted to enter the credentials, then I first get this page with the URL http://cnn.com/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Land&setCookie=MToyNDpOVFkwUk..........., where cnn.com is the site I'm trying to access. When I re-enter cnn.com I can access it as usual.
Am I missing anything else?
Rukmal Fernando
Message was edited by: rukmalf on 6/30/13 12:01:57 PM CDT
Take more screenshots of your rules/rulesets/settings specifically related to the authentication server, or open a service request.
I'm pretty sure you have misconfigured the rules, which is what is causing the prompt.
If you open a service request, include a feedback file. Do NOT post the feedback file here.