We have about 25 Macs to support along with 1500 PCs. All the PC users have been moved to the SecureWeb proxy doing NTLM user authentication. Now I need to integrate those Mac users...
I know I could put all of them in a subnet and just bypass auth, but all Internet access has to be logged and associated with a user account. Right now, the Mac users have to auth every time they start a new browser session.
Is it possible to add a policy for those Mac users (either an NTLM group or an IP segment) where they could auth once every 8 hours? Any KB document on how to add this to the current config?
As Macintosh doesn't support NTLM transparently these days, you can still use NTLM on the proxy in general, but you need to be aware that these Mac users will get a popup asking them for credentials, which in this case are entered in a domain\user fashion. It is notable that the credentials will then be passed to the proxy as part of the request base64 encoded and thus could be read and decoded to clear text.
Alternatively you can use the authentication server, which can get credentials using an SSL-encrypted page. This will work transparently for NTLM, but will also create a pop-up for those Mac users.
So if you are using the web gateway in direct proxy mode, you could have all the Macs avoid being prompted to enter credentials if you use a mapping rule. The downside is that ALL Macs get the same rule - it is not based on user but rather on browser. This looks for all Safari web browsers and applies a certain policy based on that. So I guess if you had Windows users using Safari, this would map them as well.
To do this you would need to go to User Management | Policy Management | Web Mapping and add a mapping for REQMOD.
Map From = User Name
Map Via = Map Directly
Using These Rules = User Direct (this could have a number behind it, depending on whether you already have a user direct mapping)
Then under the User Direct rule:
Select - Enable Shell Expressions
Select - Clear Users Cache
Add a Rule - select the template you want to apply to the Macs and use "*Safari*" (remove the quotes) as the user string.
You have a couple of options.
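To see what the "*Safari*" shell expression in that mapping rule actually catches, here is an added Python model of the user-direct mapping. This is example code written for this page, not code from the thread or from the product: it uses Python's fnmatch as a stand-in for the gateway's shell-expression matching, constructed User-Agent strings, and made-up template names. It also goes slightly beyond the answer above in showing that Chrome's User-Agent string carries the token "Safari" as well, so the glob as posted maps Chrome on Windows too, not only Safari on Windows.

```python
import fnmatch

# Constructed sample requests (illustrative User-Agent strings, not captures
# from the thread). Only the header the mapping rule looks at is included.
SAMPLE_REQUESTS = [
    ("10.1.5.20", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 "
                  "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"),
    ("10.1.7.41", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 "
                  "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"),
    ("10.1.7.42", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"),
    ("10.1.7.43", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
]

# Hypothetical template names; substitute the names from your own config.
MAC_TEMPLATE = "Mac-Cookie-8h"
DEFAULT_TEMPLATE = "NTLM-Auth"

# The rule exactly as the answer above describes it: a single shell expression.
RULES_AS_POSTED = [("*Safari*", MAC_TEMPLATE)]

# A tighter variant. Assumption: rules are evaluated top-down and the first
# match wins (that is how this model works; check the product documentation
# for the real evaluation order). Chrome is excluded first because its
# User-Agent also contains "Safari"; Windows Safari is excluded by requiring
# the "Macintosh" token in front of "Safari".
RULES_TIGHTENED = [
    ("*Chrome*", DEFAULT_TEMPLATE),
    ("*Macintosh*Safari*", MAC_TEMPLATE),
]


def map_template(user_agent, rules, default=DEFAULT_TEMPLATE):
    """Return the template selected by the first shell expression that matches.

    fnmatchcase (not fnmatch) keeps the comparison case-sensitive, like a
    shell glob, so the result does not depend on the host OS.
    """
    for pattern, template in rules:
        if fnmatch.fnmatchcase(user_agent, pattern):
            return template
    return default


def apply_rules(requests, rules):
    """Map every (ip, user_agent) pair to a template; returns {ip: template}."""
    return {ip: map_template(ua, rules) for ip, ua in requests}


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("tightened", RULES_TIGHTENED)):
        print(f"--- {name} ---")
        for ip, template in apply_rules(SAMPLE_REQUESTS, rules).items():
            print(f"{ip:<12} -> {template}")
```

With the rule as posted, all three WebKit-based browsers (Mac Safari, Windows Safari and Windows Chrome) land on the Mac template and only the IE client stays on NTLM; with the tightened list only the Mac Safari client does. Whatever pattern you settle on, keep in mind that a User-Agent header is set by the client and can be changed by anyone, so this mapping is a convenience for identifying browsers, not an authentication control.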
Would it be possible to use local accounts on the proxy to open access for 8 hours, for example? Sure, if somebody logs off and is replaced on the station by somebody else we would not know, but this is already the case with a direct account on the external firewall.
Thinking about MWG 7 - yes you can. An option would be to do cookie authentication paired with the local user DB in case the client is a Mac. The cookie can be set to expire after 8 hours, for example.
Can you do NTLM and cookie auth? So they sign in once when the session starts using NTLM and then the cookie is good for 8 hours. If someone else were to sign in on the same machine the process would repeat itself. Is that correct?
You can do NTLM with cookie auth in 7 only. The cookie will be stored in the user's profile, which will change in case somebody is logging on with a different account. What you could do as well for shared PCs is cookie auth but let the cookie expire on browser close; that's not part of the standard set of 7, but we have some predefined rules in place that can help you do this.
The cookie auth paired with the local user database, is it only for release 7 or is it already available in release 6? If available for release 6, how can you do that? Doc?