paladin385
Level 7

Open Ldap authentication with authentication server

I have set up a rule for the authentication server. It works. The only problem I have is that IE is telling me that user data is sent in an insecure manner (basic authentication). The authentication server URL is: http://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$. If I try to change this URL to https I get an error in IE (Internet Explorer cannot display the webpage). Is there a way to set up the Authentication server with an https URL?

login.jpg

9 Replies
asabban
Level 17

Re: Open Ldap authentication with authentication server

Hello,

switching to HTTPS should work the way you described. Did you configure any "Set Client Context" Events before the Authentication Server, to tell MWG which certificate to use for signing the connection?

Best,

Andre

paladin385
Level 7

Re: Open Ldap authentication with authentication server

Hi Andre,

I am using the rule from https://community.mcafee.com/message/164718#164718 , but instead of NTLM I am using Open Ldap. I did not configure "Set Client Context" Events. Where can I tell MWG which certificate will be used for the connection?

Thanks,

Slavko

asabban
Level 17

Re: Open Ldap authentication with authentication server

At the very beginning of your auth server ruleset place a rule that is always executed that calls the event "Enable SSL Client context without CA" and provide a certificate to the settings it uses. As an alternative you can move the SSL Scanner rule set (if enabled) on top of the auth server - that should allow MWG to sign the connection as well.

Maybe you can add some screenshots of your policy. That may help to find out what's going on :-)

Best,

Andre

paladin385
Level 7

Re: Open Ldap authentication with authentication server

This rule with "Enable SSL Client context without CA" does not help. If I use HTTPS for the auth server, only Chrome works fine; IE does not work at all, and Firefox works if I don't bypass the proxy (Web Gateway) for local addresses.

Screenshots of my rule are attached.

Regards,

Slavko

asabban
Level 17

Re: Open Ldap authentication with authentication server

Hi Slavko,

the hint with "bypass proxy for local addresses" is interesting. Maybe Chrome talks "through MWG to MWG" (that's what Firefox does when you uncheck the bypass option), but IE tries to talk to MWG directly (without using it as a proxy). I think in this case you have to let MWG know that on port 9090 SSL traffic is expected. Can you add another screenshot of the Configuration -> Proxies tab and show the configuration of the proxy ports?

Best,

Andre

paladin385
Level 7

Re: Open Ldap authentication with authentication server

Hi Andre,

Screenshot attached.

Thanks,

Slavko

asabban
Level 17

Re: Open Ldap authentication with authentication server

Okay. Can you add port 9090 to the list of "ports treated as SSL" and try again?

Best,

Andre

paladin385
Level 7

Re: Open Ldap authentication with authentication server

Hi Andre,

Adding port 9090 to the list of ports treated as SSL did not help. I added port 8080 to the HTTP port definition list and then changed the Authentication server port to 8080 (the auth server URL now looks like: https://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:8080). Authentication now works fine. I have to test it with WCCP and then I am done.

Thanks for your help.

Authentication window in IE now looks like:

login2.jpg

Best regards,

Slavko

com
Level 7

Re: Open Ldap authentication with authentication server

Hi Slavko,

I have implemented HTTPS for the Authentication Server as discussed (add port 8080 to the HTTP port definition list and then change the Authentication server port to 8080). However, the SSL scanner rule "Verify Common Name (Transparent Setup)" is blocking for URL.Host = SSL.Server.Certificate.CN. How do I add an exception to the rules?

Thanks

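The two security points in this thread, the plaintext Basic credentials behind the IE warning in the opening post and the certificate common-name check that blocks the last poster's setup, can be exercised with a small script. This is an added example, not code from the thread, from McAfee, or from the MWG product: the `$<propertyInstance .../>$` placeholder syntax and the property IDs are copied from the URLs quoted in the thread, the proxy address, port and certificate contents are constructed sample data, and `probe_tls` is a hypothetical live check that assumes you have the CA that signed the proxy's certificate in a PEM file. It expands the auth server URL template the way the appliance would, reports whether Basic credentials would cross the network in clear text, and applies the SAN/CN matching that a "Verify Common Name" style rule performs, which shows why a URL built from the proxy IP does not match a certificate issued to a hostname unless that IP is in the SAN.

```python
"""Sanity checks for a Web Gateway Authentication Server URL.

Added example, not from the McAfee community thread or the MWG product;
placeholder syntax and property IDs come from the thread, sample values
are constructed here.
"""
import re
import socket
import ssl
from urllib.parse import urlsplit

# Placeholder syntax as it appears in the thread's auth server URL.
PLACEHOLDER = re.compile(r'\$<propertyInstance[^>]*propertyId="([^"]+)"\s*/>\$')


def expand_template(template, properties):
    """Substitute $<propertyInstance .../>$ placeholders with concrete values."""
    def replace(match):
        key = match.group(1)
        if key not in properties:
            raise KeyError(f"no value supplied for property {key}")
        return str(properties[key])
    return PLACEHOLDER.sub(replace, template)


def classify_auth_url(url):
    """Report where Basic credentials would travel for the given auth server URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme in auth server URL: {url}")
    port = parts.port or (443 if scheme == "https" else 80)
    plaintext = scheme == "http"
    return {
        "host": parts.hostname,
        "port": port,
        "plaintext_credentials": plaintext,
        "verdict": ("Basic credentials cross the network in clear text"
                    if plaintext else "credentials protected by TLS"),
    }


def _hostname_matches(pattern, host):
    """Exact or single-label wildcard match (e.g. *.example.test), case-insensitive."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_matches_host(cert, host):
    """Mirror a 'Verify Common Name' style check on a getpeercert()-shaped dict:
    SAN entries are authoritative when present, otherwise the subject CN must
    equal the URL host. A URL built from the proxy IP therefore only matches a
    certificate that carries that IP as a SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]
    if sans:
        return any(_hostname_matches(p, host) for p in sans)
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    return any(_hostname_matches(p, host) for p in cns)


def probe_tls(host, port, cafile, timeout=5.0):
    """Live check (needs network, hypothetical helper): open a TLS session on
    host:port, verify the chain against cafile and return the peer certificate
    so cert_matches_host() can be applied to it. Returns None when the port
    answers but never completes a TLS handshake, which is what a browser sees
    when the listener is not configured for SSL. Chain-verification failures
    and plain connection errors propagate to the caller."""
    context = ssl.create_default_context(cafile=cafile)
    context.check_hostname = False  # hostname matching is done by cert_matches_host()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        raise
    except ssl.SSLError:
        return None


# Constructed sample data, not real values from the thread.
SAMPLE_PROPERTIES = {
    "com.scur.engine.system.proxy.ip": "10.0.0.1",
    "com.scur.engine.system.proxy.port": "9090",
}
SAMPLE_CERT = {  # same shape as ssl.SSLSocket.getpeercert()
    "subject": ((("commonName", "proxy.example.test"),),),
    "subjectAltName": (("DNS", "proxy.example.test"),),
}

if __name__ == "__main__":
    original = ('http://$<propertyInstance useMostRecentConfiguration="false" '
                'propertyId="com.scur.engine.system.proxy.ip"/>$:'
                '$<propertyInstance useMostRecentConfiguration="false" '
                'propertyId="com.scur.engine.system.proxy.port"/>$')
    fixed = ('https://$<propertyInstance useMostRecentConfiguration="false" '
             'propertyId="com.scur.engine.system.proxy.ip"/>$:8080')
    for template in (original, fixed):
        url = expand_template(template, SAMPLE_PROPERTIES)
        print(url, "->", classify_auth_url(url)["verdict"])
    print("IP-based URL matches sample cert:", cert_matches_host(SAMPLE_CERT, "10.0.0.1"))
```

Run it as-is for the offline part; for the live check call `probe_tls("10.0.0.1", 8080, "proxy-ca.pem")` against your own appliance and feed the returned dict to `cert_matches_host` with the host from the expanded URL. A `None` result reproduces the "cannot display the webpage" symptom (the port is not serving TLS), while a cert that fails `cert_matches_host` is the condition the common-name rule blocks on, so the fix is either a certificate whose SAN covers the host or IP used in the auth URL, or an auth URL that uses the name on the certificate.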