AlexM
Level 8
Message 1 of 9

NTLM authentication and HTTPS sites


Hi!

 

I have WSG 7.8.2.2.0 (26805).

I configured a policy for authentication and authorization of my users from AD via the NTLM method.

Everything works fine with HTTP, but it doesn't work with HTTPS (I also imported my root CA into WSG).

I use rules from the library.

It also works if I use HTTPS Scanning separately (with the authentication rule disabled).

 

rules_wsg.jpg

8 Replies
McAfee Employee aloksard
McAfee Employee
Message 2 of 9

Re: NTLM authentication and HTTPS sites


Hi,

Hope you are doing well.

What exactly do you mean by not working with HTTPS? Is the user getting an authentication popup while browsing?

I request you to move your HTTPS Scanning rule set above your authentication rule set and then check.

 

Regards

Alok Sarda

AlexM
Level 8
Message 3 of 9

Re: NTLM authentication and HTTPS sites


Hi,
I tested the sequence of the Auth and HTTPS Scanning rules.
I always get an SSL error in the browser and don't get any popup window in IE or Chrome...

McAfee Employee aloksard
McAfee Employee
Message 4 of 9

Re: NTLM authentication and HTTPS sites


Hi,

So putting the HTTPS Scanning rule above the Authentication rule set still fails.

This is explicit proxy mode, correct?

Can you share a screenshot of the SSL error the user is receiving?

 

Regards

Alok Sarda

 

 

Ddulay94
Message 5 of 9

Re: NTLM authentication and HTTPS sites


TLS/SSL Scanning needs to be above Authentication, as the usernames are in the encrypted part of the Request Header.

I would suggest making sure your Local Intranet Zones on your browsers have been updated to allow connections to the proxies and that your certificates have been properly deployed to the endpoints to trust the proxy. We've had some problems similar to this while deploying via transparent proxy.

AlexM
Level 8
Message 6 of 9

Re: NTLM authentication and HTTPS sites


Hi.

Thank you aloksard and Ddulay94 for the quick answers!

I moved HTTPS Scanning above the Authentication rule.

rules.jpg

I get this error in the browser:

open_https_site.jpg

My proxy mode is:

proxy_mode.jpg

I loaded the CA from my certification server and configured the Internet security options for low-level security.

I want to say again:

- on HTTP, NTLM Authentication works properly (Windows automatically fills in the credentials)

- on HTTPS without NTLM Authentication, SSL/TLS connections work properly (all HTTPS sites work and I can see that the certificates for the sites are issued by me)

- but HTTPS and NTLM do not work together...

 

McAfee Employee aloksard
McAfee Employee
Message 7 of 9 (Accepted Solution)

Re: NTLM authentication and HTTPS sites


Hi,

I see that you are using a WCCP setup, which is transparent.

NTLM authentication alone will not work with a transparent setup, as clients are not proxy aware.

I would suggest using the Authentication Server rule set, wherein front-end authentication is time/IP based and back-end authentication can be NTLM.

The HTTPS Scanning rule set should be placed above your Authentication Server rule set.

I would also recommend going through our community article regarding authentication considerations for transparent deployment.

You can use the Authentication Server rule set for the transparent deployment.

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Choosing-the-right-Authentication-Method-for-y...

 

 

Regards

Alok Sarda
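The two authentication flows contrasted in the accepted answer above, as an added example that is not part of this thread and not Web Gateway code: a Python simulation of direct NTLM proxy authentication (a 407 challenge from the proxy, which only a proxy-aware client answers) versus the Authentication Server pattern (an IP-based front-end session with an idle timeout, NTLM only against the authentication server on the back end). It also models why authentication cannot run before HTTPS Scanning has decrypted the request. The authentication-server URL, the 900-second idle timeout, the client IPs and the user names are assumed values chosen for the illustration.

```python
"""
Simulation of the two ways the thread discusses authenticating web users:
  * direct NTLM proxy authentication (HTTP 407 challenge sent by the proxy), which
    only a proxy-aware (explicit) client can answer, and
  * the Authentication Server pattern: an IP-based session with an idle timeout on the
    front end, NTLM only against the authentication server on the back end.
Written for this page as an illustration; it is not Web Gateway code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

AUTH_SERVER = "https://wg.example.internal:444/auth/"   # assumed auth-server URL


@dataclass
class Request:
    client_ip: str
    proxy_aware: bool                 # True = explicit proxy; False = WCCP/transparent
    url: str
    https_scanned: bool = True        # HTTPS Scanning rule set already decrypted the session
    ntlm_user: Optional[str] = None   # filled in by the client after an NTLM handshake


@dataclass
class Decision:
    action: str                  # "allow" | "challenge" | "redirect" | "client_error"
    user: Optional[str] = None
    detail: str = ""             # status line for a challenge, target for a redirect


Policy = Callable[[Request, float], Decision]


def _needs_decryption(req: Request) -> Optional[Decision]:
    # Headers (and any credentials) of an HTTPS request sit inside TLS; without
    # HTTPS Scanning above the authentication rules the proxy cannot read them.
    if req.url.startswith("https://") and not req.https_scanned:
        return Decision("client_error", None, "request headers not readable inside TLS")
    return None


def direct_ntlm(req: Request, now: float) -> Decision:
    """Rule set 'Authentication' with NTLM: the proxy itself challenges with 407."""
    blocked = _needs_decryption(req)
    if blocked:
        return blocked
    if req.ntlm_user:
        return Decision("allow", req.ntlm_user, "Proxy-Authorization accepted")
    if not req.proxy_aware:
        # The intercepted client never sent a proxy request, so it treats a 407
        # as an error instead of starting the NTLM handshake: no credential popup.
        return Decision("client_error", None, "407 ignored by proxy-unaware client")
    return Decision("challenge", None, "407 Proxy-Authenticate: NTLM")


@dataclass
class AuthServer:
    """Rule set 'Authentication Server': IP session on the front end, NTLM on the back end."""
    idle_timeout: float = 900.0                                             # seconds (assumed)
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (user, last_seen)
    logins: int = 0                                                         # NTLM handshakes done

    def handle(self, req: Request, now: float) -> Decision:
        blocked = _needs_decryption(req)
        if blocked:
            return blocked
        if req.url.startswith(AUTH_SERVER):
            # Back end: the browser talks to the auth server as an ordinary web server,
            # so a 401 (not 407) NTLM challenge works even for a transparent client.
            if req.ntlm_user is None:
                return Decision("challenge", None, "401 WWW-Authenticate: NTLM")
            self.sessions[req.client_ip] = (req.ntlm_user, now)
            self.logins += 1
            return Decision("redirect", req.ntlm_user, "original-url")
        # Front end: allow by client IP while the session has not been idle too long.
        sess = self.sessions.get(req.client_ip)
        if sess and now - sess[1] <= self.idle_timeout:
            self.sessions[req.client_ip] = (sess[0], now)      # refresh the idle timer
            return Decision("allow", sess[0], "IP session")
        self.sessions.pop(req.client_ip, None)                  # expired or absent
        return Decision("redirect", None, AUTH_SERVER)


def browse(policy: Policy, client_ip: str, proxy_aware: bool, windows_user: str,
           url: str, now: float, https_scanned: bool = True) -> Decision:
    """Simulate one page load: a browser that follows redirects and answers NTLM
    challenges with the logged-on Windows user, until it is allowed or stuck."""
    req = Request(client_ip, proxy_aware, url, https_scanned)
    for _ in range(6):                                  # a real browser gives up too
        d = policy(req, now)
        if d.action == "challenge":
            req = Request(client_ip, proxy_aware, req.url, https_scanned, windows_user)
        elif d.action == "redirect":
            target = url if d.detail == "original-url" else d.detail
            req = Request(client_ip, proxy_aware, target, https_scanned)
        else:
            return d
    return Decision("client_error", None, "too many round trips")


if __name__ == "__main__":
    site = "https://www.example.com/"
    print(browse(direct_ntlm, "10.0.0.5", True, "CORP\\alice", site, 0.0))      # explicit: allow
    print(browse(direct_ntlm, "10.0.0.6", False, "CORP\\bob", site, 0.0))       # transparent: error
    srv = AuthServer(idle_timeout=900)
    print(browse(srv.handle, "10.0.0.6", False, "CORP\\bob", site, 0.0))        # allow, 1st login
    print(browse(srv.handle, "10.0.0.6", False, "CORP\\bob", site, 300.0))      # allow via IP session
    print(browse(srv.handle, "10.0.0.6", False, "CORP\\bob", site, 2000.0))     # idle expired: 2nd login
    print(browse(srv.handle, "10.0.0.7", False, "CORP\\eve", site, 0.0, False)) # auth before HTTPS scan
```

The idle-timer refresh in `handle()` is the mechanism behind the idle timeout asked about later in the thread. Note the trade-off of the IP-based front end: the session is keyed by client IP, so any other user or process behind the same address (NAT, terminal servers) inherits the first user's session until it expires.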

AlexM
Level 8
Message 8 of 9

Re: NTLM authentication and HTTPS sites


Thank you!

Authentication Server rules work fine. But without automatic login (as it should be)...

One more question. How can I see on WSG the authenticated users and the idle timeout for sessions?

 

McAfee Employee aloksard
McAfee Employee
Message 9 of 9

Re: NTLM authentication and HTTPS sites


Hi,

That's great that the authentication part is now working.

You can check authentication statistics by navigating to Dashboard -> Charts & Tables -> Authentication Statistics.

You can also check for usernames in your access logs. You can also make use of reports from CSR for the same, in case logs are being pushed to CSR.

 

Regards

Alok Sarda

 

 
