I'm currently developing a new rule set to allow us to move away from Dante SOCKS to McAfee SOCKS so we can make better use of the MWG rule engine and start supporting AD authentication as we currently rely on IP authentication.
Going forward I want a hybrid environment with the rules I've ported relying on IP authentication and new rules relying on AD group membership as much as possible.
I've been able to create the initial rule set and tested it without issues; however, the problem I've now got after porting all the rules is that some of the subnets in the IP-based rules overlap with the subnets I'm connecting from for the AD-based rules. For example:
Steve is allowed to connect to example.com based on AD group membership
10.66.1.0/24 is allowed to connect to mcafee.com based on IP range
Steve's current IP is 10.66.1.2
I now have the problem of how I handle authentication: if I put my IP authentication rules first, Steve will be able to access mcafee.com but not example.com, and if I put the AD authentication first, no one can connect to mcafee.com and no other rule that utilises IP authentication will work, but the AD rules work.
I'm using the default NTLM Authentication rules (If Authentication.Authenticate<engine> equals false - Authenticate<Default>). Is there a way of essentially doing a soft fail, so I can initially attempt to authenticate the client based on NTLM and then, if there are no AD credentials set, fall back to an IP address whitelist?
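To make the ordering problem concrete, here is an added illustrative model (example code written for this page, not McAfee Web Gateway rule syntax and not the poster's rule set) of the three orderings the question describes: IP authentication first, AD authentication first, and the "soft fail" variant that tries AD credentials and falls back to an IP whitelist. The hosts, subnet, group name and the client "Steve" are the constructed values from the question; the function and class names are assumptions made for the demonstration.

```python
"""Model of authentication ordering for a hybrid IP / AD-group proxy policy.

Hypothetical example code: the rule tables below are constructed from the
question's example and are not real McAfee Web Gateway configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample policy (assumed for the example).
AD_RULES = {"example.com": frozenset({"web-users"})}           # host -> AD groups allowed
IP_RULES = {"mcafee.com": [ipaddress.ip_network("10.66.1.0/24")]}  # host -> allowed subnets
IP_WHITELIST = [net for nets in IP_RULES.values() for net in nets]


@dataclass(frozen=True)
class Request:
    src_ip: str
    host: str
    groups: Optional[FrozenSet[str]] = None  # None: client presented no AD credentials


@dataclass(frozen=True)
class Identity:
    src_ip: ipaddress.IPv4Address
    groups: FrozenSet[str]  # empty when the client was only IP-authenticated


def in_any(ip, nets):
    return any(ip in net for net in nets)


def auth_ip_first(req: Request) -> Optional[Identity]:
    """IP rules first: a whitelisted client is accepted without ever being
    asked for AD credentials, so its identity carries no group membership."""
    ip = ipaddress.ip_address(req.src_ip)
    if in_any(ip, IP_WHITELIST):
        return Identity(ip, frozenset())
    return auth_ad_first(req)


def auth_ad_first(req: Request) -> Optional[Identity]:
    """AD rules first with a hard fail: no credentials means denied, so the
    IP-based rules are never reached for unauthenticated clients."""
    if req.groups is None:
        return None
    return Identity(ipaddress.ip_address(req.src_ip), req.groups)


def auth_soft_fail(req: Request) -> Optional[Identity]:
    """Try AD credentials first; if none were presented, fall back to the IP
    whitelist instead of denying outright."""
    ip = ipaddress.ip_address(req.src_ip)
    if req.groups is not None:
        return Identity(ip, req.groups)
    if in_any(ip, IP_WHITELIST):
        return Identity(ip, frozenset())
    return None


def authorize(identity: Optional[Identity], host: str) -> bool:
    """Apply both rule families to whatever identity authentication produced."""
    if identity is None:
        return False
    if host in AD_RULES and identity.groups & AD_RULES[host]:
        return True
    if host in IP_RULES and in_any(identity.src_ip, IP_RULES[host]):
        return True
    return False


def allowed_hosts(auth, src_ip: str, groups: Optional[FrozenSet[str]] = None):
    """Hosts a client reaches under a given authentication ordering."""
    hosts = AD_RULES.keys() | IP_RULES.keys()
    return sorted(h for h in hosts if authorize(auth(Request(src_ip, h, groups)), h))


if __name__ == "__main__":
    steve = ("10.66.1.2", frozenset({"web-users"}))   # AD user inside the IP-ruled subnet
    no_creds = ("10.66.1.50", None)                   # machine in the subnet, no AD credentials
    for name, auth in [("ip first", auth_ip_first), ("ad first", auth_ad_first),
                       ("soft fail", auth_soft_fail)]:
        print(f"{name:9}: Steve -> {allowed_hosts(auth, *steve)}, "
              f"no creds -> {allowed_hosts(auth, *no_creds)}")
```

The IP-first ordering reproduces the first symptom (Steve reaches mcafee.com but not example.com), the AD-first ordering reproduces the second (a client with no credentials reaches nothing, mcafee.com included), and only the soft-fail ordering gives both clients the access the two rule families intend. Whether the proxy in question can actually express that fallback for SOCKS traffic is a separate matter the replies below address.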
I'm interested in the use case here. Who or what is using the SOCKS proxy? Is it actual users or are you using it for some random machines in the network?
I don't believe the SOCKS tunnel would allow for try-auth (either you perform authentication or you don't). However, if you're using a browser and the traffic in the SOCKS tunnel is HTTP, then it might work.
I posted a ruleset here which acts as a base SOCKS proxy ruleset.
This ruleset has authentication included (Basic or Kerberos; there is no NTLM in SOCKS).
If you've got an SR open, or opened one ever, I can look you up based on that and reach out directly (if you'd like to discuss specifics). Just post the SR #, no other contact info needed.