
SOCKS with both AD and IP authentication

I'm currently developing a new rule set to allow us to move away from Dante SOCKS to McAfee SOCKS so we can make better use of the MWG rule engine and start supporting AD authentication as we currently rely on IP authentication.

Going forward I want a hybrid environment with the rules I've ported relying on IP authentication and new rules relying on AD group membership as much as possible.

I've been able to create the initial rule set and tested it without issues; however, the problem I've now got after porting all the rules is that some of the subnets in the IP based rules overlap with the subnets I'm connecting from for the AD based rules. For example:

  • Steve is allowed to connect to example.com based on AD group membership
  • 10.66.1.0/24 is allowed to connect to mcafee.com based on IP range
  • Steve's current IP is 10.66.1.2

I now have the problem of how I handle authentication; if I put my IP authentication rules first, Steve will be able to access mcafee.com but not example.com, and if I put the AD authentication first, no one can connect to mcafee.com and no other rule that utilises IP authentication will work, but the AD rules work.

I'm using the default NTLM Authentication rules (If Authentication.Authenticate<engine> equals false - Authenticate<Default>). Is there a way of essentially doing a soft fail so I can initially attempt to authenticate the client based on NTLM and then, if there are no AD credentials set, fall back to an IP address white list?

2 Replies
McAfee Employee jscholte

Re: SOCKS with both AD and IP authentication

Hi Dcarson!

I'm interested in the use case here. Who or what is using the SOCKS proxy? Is it actual users or are you using it for some random machines in the network?

I don't believe the SOCKS tunnel would allow for try auth (either you perform authentication or you don't). However, if you're using a browser and the traffic in the SOCKS tunnel is HTTP, then it might work.

I posted a ruleset here which acts as a base SOCKS proxy ruleset.

This ruleset has authentication included (Basic or Kerberos --- there is no NTLM in SOCKS).

If you've got an SR open, or opened one ever, I can look you up based on that and reach out directly (if you'd like to discuss specifics). Just post the SR #, no other contact info needed.

Best Regards,

Jon

Re: SOCKS with both AD and IP authentication

Hi Jon,

Thanks for that.

At present it's basic authentication, but in future we'll probably look to move to Kerberos.

I've just raised an SR - 4-16520979721. If you could give me a shout it would be much appreciated.

All the best


David
