pakorn
Level 8
Message 1 of 5

How to create a policy to support MCP authentication and NTLM authentication

Hi,

Some clients are using MCP.

Some clients can't install MCP and configure an explicit proxy in IE.

How to create a policy to support both MCP authentication and NTLM authentication (proxy joined to the domain)?

BR

4 Replies
asabban
McAfee Employee
Message 2 of 5

Hello,

is the environment on-premise only or hybrid (on-premise and cloud proxies)?

Is my understanding correct that you basically are looking for a rule that authenticates based on MCP (if MWP headers are present) but asks the browser for (NTLM) authentication if the request does not come in via MCP?

Best
Andre

pakorn
Level 8
Message 3 of 5 (accepted solution)

Hi Asabban,

For now it is on-premise only, but next month it will be hybrid (on-premise and cloud proxies).

The MCP policy will be configured with 2 lists of proxies (On-Premise is first priority, On-Cloud is second).

Is my policy correct?

I created 2 authentication policies; MCP is on top of NTLM and the action is Continue.

Screenshot_1.jpg

Screenshot_2.jpg

BR

asabban
McAfee Employee
Message 4 of 5 (accepted solution)

Hello,

this should be tested to make sure it works, but so far it does not look too bad.

You need to keep in mind that there is no need to add an "MCP Authentication" rule set in the cloud. Every request which is routed to the cloud automatically runs through MCP authentication, so I recommend not syncing the "MCP Authentication" rule set into the cloud, but having it on-premise only.

When you come with an MCP client in the cloud, "Authentication.IsAuthenticated" is true, so the NTLM rule set is not executed. This should work for the cloud without a problem.

For on-premise you will run into the MCP authentication rule set. If there are MCP headers, Authentication.IsAuthenticated becomes true, so NTLM is not executed. If there are no MCP headers, you will run into the NTLM rule set.

So far that looks OK. Is there any way to give this a try, for example by restricting the NTLM rule set to some test PCs?

Best,
Andre

pakorn
Level 8
Message 5 of 5

I think it is working.

For MCP user:

Screenshot_4.jpg

For explicit proxy user (NTLM authentication):

Screenshot_3.jpg

BR
