
Open Ldap authentication with authentication server

I have set up a rule for the authentication server. It works. The only problem that I have is that IE is telling me that user data is sent in an insecure manner (basic authentication). The authentication server URL is: http://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$. If I try to change this URL to https I get an error in IE (Internet Explorer cannot display the webpage). Is there a way to set up the Authentication server with an https URL?

login.jpg

9 Replies
asabban (Reliable Contributor), Message 2 of 10

Re: Open Ldap authentication with authentication server

Hello,

switching to HTTPS should work the way you described. Did you configure any "Set Client Context" Events before the Authentication Server, to tell MWG which certificate to use for signing the connection?

Best,

Andre

Re: Open Ldap authentication with authentication server

Hi Andre,

I am using the rule from https://community.mcafee.com/message/164718#164718 , but instead of NTLM I am using Open Ldap. I did not configure "Set Client Context" Events. Where can I tell MWG which certificate will be used for the connection?

Thanks,

Slavko

asabban (Reliable Contributor), Message 4 of 10

Re: Open Ldap authentication with authentication server

At the very beginning of your auth server ruleset place a rule that is always executed that calls the event "Enable SSL Client context without CA" and provide a certificate to the settings it uses. As an alternative you can move the SSL Scanner rule set (if enabled) on top of the auth server - that should allow MWG to sign the connection as well.

Maybe you can add some screenshots of your policy. That may help to find out what's going on 🙂

Best,

Andre

Re: Open Ldap authentication with authentication server

This rule with "Enable SSL Client context without CA" does not help. If I use HTTPS for the auth server, only Chrome works fine; IE does not work at all, and Firefox works if I don't bypass the proxy (Web Gateway) for local addresses.

Screenshots of my rule are attached.

Regards,

Slavko

asabban (Reliable Contributor), Message 6 of 10

Re: Open Ldap authentication with authentication server

Hi Slavko,

the hint with "bypass proxy for local addresses" is interesting. Maybe Chrome talks "through MWG to MWG" (that's what Firefox does when you uncheck the bypass option), but IE tries to talk to MWG directly (without using it as a proxy). I think in this case you have to let MWG know that on port 9090 SSL traffic is expected. Can you add another screenshot of the Configuration -> Proxies tab and show the configuration of the proxy ports?

Best,

Andre

Re: Open Ldap authentication with authentication server

Hi Andre,

Screenshot attached.

Thanks,

Slavko

asabban (Reliable Contributor), Message 8 of 10

Re: Open Ldap authentication with authentication server

Okay. Can you add port 9090 to the list of "ports treated as SSL" and try again?

Best,

Andre

Re: Open Ldap authentication with authentication server

Hi Andre,

Adding port 9090 to the list of ports treated as SSL did not help. I added port 8080 to the HTTP port definition list and then changed the Authentication server port to 8080 (the auth server URL now looks like: https://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:8080). Authentication now works fine. I have to test it with WCCP and then I am done.

Thanks for your help.

Authentication window in IE now looks like:

login2.jpg

Best regards,

Slavko
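The fix above came down to which proxy port MWG treats as SSL versus plain HTTP. The following probe is an added example, not MWG code or anything posted in this thread: it opens a TLS handshake against the host and port from the auth-server URL and reports whether that port actually speaks TLS or answers in plaintext (the "cannot display the webpage" case). The `start_plaintext_stub` helper is a constructed local stand-in for a port that only speaks HTTP, so the script runs offline; host, port and the error-message matching are assumptions, not MWG settings.

```python
import socket
import ssl
import threading


def classify_ssl_error(message: str) -> str:
    """Map an ssl.SSLError message to the likely misconfiguration."""
    m = message.lower()
    if "wrong version number" in m or "unknown protocol" in m:
        # Plaintext bytes came back: the proxy is not treating this port as
        # SSL, so an https:// auth-server URL on it cannot work.
        return "plaintext answer: port is not configured for SSL"
    if "eof" in m:
        return "connection closed during handshake"
    return "handshake failed: " + message


def probe_auth_server_port(host: str, port: int, timeout: float = 5.0) -> dict:
    """Attempt a TLS handshake against host:port and report what it speaks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only asking *whether* TLS is spoken;
    ctx.verify_mode = ssl.CERT_NONE  # CN and trust checks are a separate step
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"speaks_tls": True, "protocol": tls.version()}
    except ssl.SSLError as exc:      # must come before OSError (its parent)
        return {"speaks_tls": False, "reason": classify_ssl_error(str(exc))}
    except OSError as exc:
        return {"speaks_tls": False, "reason": f"connect failed: {exc}"}


def start_plaintext_stub() -> int:
    """Constructed stand-in for a port that only speaks HTTP; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the client's TLS ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_auth_server_port("127.0.0.1", start_plaintext_stub()))
```

Run it against the proxy IP and the port in the auth-server URL; a `speaks_tls: False` result with the plaintext reason means the port still needs to be in the SSL (or HTTPS-capable) port definition before an https URL can work.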

com (Level 7), Message 10 of 10

Re: Open Ldap authentication with authentication server

Hi Slavko,

I have implemented HTTPS for the Authentication Server as discussed (add port 8080 to the HTTP port definition list and then change the Authentication server port to 8080). However, the SSL scanner rule "Verify Common Name (Transparent Setup)" is blocking for URL.Host = SSL.Server.Certificate.CN. How do I add an exception to the rules?

Thanks
