Which Authentication to choose in order to speed up proxy?

Hi, is there a best practice for which config/protocol to use if the proxy should require authentication? Right now we're using NTLM, but I thought maybe Kerberos would speed everything up. It seems like the proxy authenticates every single user request, and because of Kerberos tickets I was wondering if the proxy would behave differently? So if all requests come from one IP and the user already passed a valid Kerberos ticket, then maybe the next authentication would only be required after the Kerberos ticket expires?

thanks in advance

regards

Rene

9 Replies
feickholt
Level 10

Re: Which Authentication to choose in order to speed up proxy?

We also use NTLM, and yes, NTLM normally queries every request, which might decrease performance.

Therefore we wrote a little ruleset to surrogate an authorized user. The first request is authorized and the result (User, Groups) is stored in a local PDS variable with a 1 minute lifetime.

The next requests fetch the values from the storage. This works as long as the user uses the internet. If there is no Internet connection for 1 minute the user has to authorize again (the PDS variable does not exist any more).

This is great to reduce NTLM requests... but... everything has a disadvantage: this breaks authentication on servers with more than 1 user!!! The first user opens the proxy and all others will use its user credentials to use the proxy... (example: Citrix).

Frank

Re: Which Authentication to choose in order to speed up proxy?

Hi Frank, I guess you did this in order to increase proxy performance/speed? Did the users notice the improvement?

feickholt
Level 10

Re: Which Authentication to choose in order to speed up proxy?

Yes! Sure! It must be faster. The NTLM handshake requires 3 client-proxy exchanges for each request... you can verify this using Rule Trace (codes 407/407/200).


Re: Which Authentication to choose in order to speed up proxy?

Frank, wouldn't Kerberos authentication do the same trick and additionally resolve your issue with terminal servers (Citrix)?

Regards

asabban
Level 17

Re: Which Authentication to choose in order to speed up proxy?

Hello,

Kerberos has the advantage that there is no need to talk to the DCs for authentication. But as far as I know only group IDs (SIDs) rather than group names are transmitted in the Kerberos ticket, so MWG needs to do NTLM or LDAP to look up the group SIDs from the DC. On top of that, Kerberos authentication will still cause MWG to send a "407" to the client to authenticate for every TCP session. Frank's approach will cause MWG to not even ask for authentication.

Best,

Andre

lubomir_cerny
Level 12

Re: Which Authentication to choose in order to speed up proxy?

  1. Kerberos returns only group IDs, not group names.
  2. LDAP/NTLM is not needed. We use group IDs in our rules.

The rule is like: Authentication.UserGroups is in List

The list contains the SID of the group fetched via the Kerberos ticket.

[Screenshot: 2016-06-27 09_51_08-Edit List (String).png]

Works OK.

For old clients which do not support Kerberos, the NTLM fallback rule is used as described in the Kerberos MWG guide. Such clients use NTLM and work with classic group names, not SIDs.

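The group rule lubomir_cerny describes, rebuilt here as an added Python example rather than anything from MWG's rule engine. It follows his description that Kerberos clients arrive with group SIDs while NTLM-fallback clients arrive with classic group names, and it adds a coverage check that a practitioner would want when both populations share one policy: a list holding only SIDs silently never matches an NTLM-fallback user, and a names-only list never matches a Kerberos user. The SID value and the group and domain names below are constructed placeholders, not values from any real directory.

```python
"""Group-membership rule in the style of 'Authentication.UserGroups is in List'
that works for both Kerberos (SIDs) and NTLM fallback (group names).
Added example; not McAfee Web Gateway code.  All sample values are constructed."""
import re

# Windows security identifier syntax: S-1-<authority>-<subauthority>[-...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def is_sid(entry):
    return bool(SID_RE.match(entry.strip()))


def normalise(entry):
    """SIDs are compared as-is (upper-cased for safety); AD group names are
    case-insensitive, so they are lower-cased before comparison."""
    e = entry.strip()
    return e.upper() if is_sid(e) else e.lower()


def groups_in_list(user_groups, allowed):
    """Equivalent of the rule criterion 'Authentication.UserGroups is in List':
    true if any group the proxy learned for the user appears in the list."""
    allowed_norm = {normalise(a) for a in allowed}
    return any(normalise(g) in allowed_norm for g in user_groups)


def list_coverage(allowed):
    """Classify a list so a Kerberos-plus-NTLM-fallback deployment can see
    whether one of the two client populations could never match it."""
    sids = sum(1 for a in allowed if is_sid(a))
    names = len(allowed) - sids
    if not allowed:
        return "empty: nobody matches"
    if sids and not names:
        return "sids-only: NTLM-fallback clients (group names) never match"
    if names and not sids:
        return "names-only: Kerberos clients (group SIDs) never match"
    return "mixed: both Kerberos and NTLM-fallback clients can match"


# Constructed sample data: the SID is a placeholder, not a real domain SID.
INTERNET_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
INTERNET_USERS_NAME = "EXAMPLE\\Internet Users"

ALLOWED_SID_ONLY = [INTERNET_USERS_SID]
ALLOWED_BOTH = [INTERNET_USERS_SID, INTERNET_USERS_NAME]

# What the proxy learns about the same user over each authentication path.
KERBEROS_CLIENT_GROUPS = ["S-1-5-21-1111111111-2222222222-3333333333-513", INTERNET_USERS_SID]
NTLM_CLIENT_GROUPS = ["example\\domain users", "example\\internet users"]

if __name__ == "__main__":
    for label, allowed in (("SID-only list", ALLOWED_SID_ONLY), ("mixed list", ALLOWED_BOTH)):
        print(label, "->", list_coverage(allowed))
        print("  kerberos client allowed:", groups_in_list(KERBEROS_CLIENT_GROUPS, allowed))
        print("  ntlm client allowed:    ", groups_in_list(NTLM_CLIENT_GROUPS, allowed))
```

Running `list_coverage` over each policy list at deploy time catches the case where the Kerberos rollout works for most users but the NTLM-fallback clients are quietly denied (or, worse, fall into a different rule) because the list only knows the SID form.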
lubomir_cerny
Level 12

Re: Which Authentication to choose in order to speed up proxy?

Maybe you can look at NTLM cache settings and Authentication statistics.

In our deployment, I can see approx. 80% of NTLM requests are served by the NTLM cache on the MWG appliance. This can also speed it up.

Also MWG 7.5 comes with a 64-bit malware engine and McAfee proposed 24GB of RAM for supported HW. See

Re: Which Authentication to choose in order to speed up proxy?

Lubomir, thanks, I checked the NTLM cache and it's set to 30 min; also in authentication statistics I see that we have 80% NTLM cache hits...

lubomir_cerny
Level 12

Re: Which Authentication to choose in order to speed up proxy?

We use Kerberos for approx. 3000 users with NTLM fallback as described in . Works OK and speed is a little better than NTLM, but the main advantage is lower AD DC utilization.

We had some troubles with some apps/browser versions doing incorrect Kerberos authentication, so in some rare cases clients still use NTLM.

We started to implement Kerberos on a security impulse and a proposal from an MS partner to prioritize Kerberos over NTLM in the future.