9 Replies Latest reply on May 20, 2010 12:32 AM by michael_schneider

    Macintosh support

    DBO

      We have about 25 Macs to support along with 1500 PCs. All the PC users have been moved to the SecureWeb proxy doing NTLM user authentication. Now I need to integrate those Mac users...

       

      I know I could put all of them in a subnet and just bypass auth, but all Internet access has to be logged and associated with a user account. Right now, the Mac users have to auth every time they start a new browser session.

       

      Is it possible to add a policy for those Mac users (either an NTLM group or an IP segment) where they could auth once every 8 hours? Any KB document on how to add this to the current config?

        • 1. Re: Macintosh support
          michael_schneider

          As Macintosh doesn't support NTLM transparently these days, you can still use NTLM on the proxy in general, but you need to be aware that these Mac users will get a popup asking them for credentials, which in this case are entered in a domain\user fashion. It is notable that the credentials will then be passed to the proxy as part of the request, base64 encoded, and thus could be read and decoded to clear text.

          Alternatively you can use the authentication server, which can get credentials using an SSL-encrypted page. This will work transparently for NTLM, but will also create a pop-up for those Mac users.

          • 2. Re: Macintosh support
            jspanitz

            So if you are using the web gateway in direct proxy mode, you could have all the Macs avoid being prompted to enter credentials if you use a mapping rule. The downside is that ALL Macs get the same rule - it is not based on user but rather on browser. This looks for all Safari web browsers and applies a certain policy based on that. So I guess if you had Windows users using Safari, this would map them as well.

             

            To do this you would need to go to User Management | Policy Management | Web Mapping and add a mapping for REQMOD.

             

            Map From = User Name

            Map Via = Map Directly

            Using These Rules = User Direct (this could have a number behind it depending on if you already have a user direct mapping)

             

            Then under the User Direct rule:

            Select - Enable Shell Expressions

            Select - Clear Users Cache

            Add a Rule - Select the template you want to apply to the Macs and use "*Safari*" (remove the quotes) as the user string.

            • 3. Re: Macintosh support
              michael_schneider

              You have a couple of options.

               

              • Map on specific IP addresses used to group the Macs, and create an exclude on auth using these IPs.
                Doing that, you are not going to see the usernames in the logs.
              • Use the same authentication as for Windows clients - this will cause a popup on the Macs though, but is a generally consistent setup.
              • Use Mac-specific information out of the HTTP headers, such as the user agent:
                Safari: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4
                Firefox: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
                So you could use 'Macintosh' as the mapping criterion for the User-Agent header. By choosing that way you might also not get any usernames in the logs.

               

              best,

              Michael
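Putting the two browser-based mappings from replies 2 and 3 side by side, as an added example in Python (not part of the thread and not Web Gateway's own rule syntax): the shell expression "*Safari*" from reply 2 and the 'Macintosh' User-Agent criterion from reply 3, evaluated against the two Mac user agents quoted above plus two constructed Windows strings. The policy names, the "first match wins" ordering and case-sensitive matching are assumptions made for the example.

```python
import fnmatch
from typing import Dict, List, Tuple

# Ordered shell-expression rules, first match wins. This mirrors the
# "User Direct" mapping described above but is example code, not MWG's
# rule syntax; the policy names are hypothetical.
Rule = Tuple[str, str]
SAFARI_ONLY_RULES: List[Rule] = [("*Safari*", "Mac-NoNTLM")]
MACINTOSH_RULES: List[Rule] = [("*Macintosh*", "Mac-NoNTLM")]
DEFAULT_POLICY = "Windows-NTLM"

# Constructed sample set. The two Mac strings are the ones quoted in the
# thread (note the quoted Safari string carries no "Safari/..." token);
# the Windows strings are made up to exercise the edge cases.
USER_AGENTS: Dict[str, str] = {
    "mac-safari": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) "
                  "AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4",
    "mac-firefox": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; "
                   "rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2",
    "win-safari": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) "
                  "AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16",
    "win-ie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
}


def select_policy(user_agent: str, rules: List[Rule],
                  default: str = DEFAULT_POLICY) -> str:
    """Return the policy of the first rule whose glob matches the User-Agent.

    fnmatchcase gives case-sensitive shell-style matching; whether the
    product's shell expressions are case-sensitive is an assumption here.
    """
    for pattern, policy in rules:
        if fnmatch.fnmatchcase(user_agent, pattern):
            return policy
    return default


def classify_all(rules: List[Rule]) -> Dict[str, str]:
    """Policy chosen for every sample client under the given rule set."""
    return {name: select_policy(ua, rules) for name, ua in USER_AGENTS.items()}


def misrouted_clients(rules: List[Rule]) -> List[str]:
    """Sample clients whose policy disagrees with whether they are a Mac.

    A Mac that falls through to the NTLM default keeps getting the popup;
    a Windows box that lands on the Mac policy is waved through on its
    browser string alone and appears in the logs without a username.
    """
    out = []
    for name, ua in USER_AGENTS.items():
        is_mac = "Macintosh" in ua
        got_mac_policy = select_policy(ua, rules) != DEFAULT_POLICY
        if is_mac != got_mac_policy:
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for label, rules in (("*Safari*", SAFARI_ONLY_RULES),
                         ("*Macintosh*", MACINTOSH_RULES)):
        print(label, classify_all(rules), "misrouted:", misrouted_clients(rules))
```

With this sample set the "*Safari*" rule catches the Windows Safari client and misses both Mac strings (Firefox has no Safari token at all), while matching on "Macintosh" separates the platforms cleanly; either way the clients on the Mac policy are identified by header only, which is the logging caveat both replies raise.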

              • 4. Re: Macintosh support
                DBO

                Would it be possible to use local accounts on the proxy to open access for 8 hours, for example? Sure, if somebody logs off and is replaced on the station by somebody else we would not know, but this is already the case with a direct account on the external firewall.

                • 5. Re: Macintosh support
                  michael_schneider

                  Thinking about MWG 7 - yes you can. An option would be to do cookie authentication paired with the local user DB in case the client is a Mac. The cookie can be set to expire after 8 hours, for example.

                   

                  best,

                  Michael

                  • 6. Re: Macintosh support
                    jspanitz

                    Can you do NTLM and cookie auth? So they sign in once when the session starts using NTLM and then the cookie is good for 8 hours. If someone else signed in on the same machine the process would repeat itself. Is that correct?

                    • 7. Re: Macintosh support
                      DBO

                      The cookie auth paired with the local user database, is it only for release 7 or is it already available in release 6? If available for release 6, how can you do that? Doc?

                       

                      Thank you

                      • 8. Re: Macintosh support
                        michael_schneider

                        You can do NTLM with cookie auth in 7 only. The cookie will be stored in the user's profile, which will change in case somebody is logging on with a different account. What you could do as well for shared PCs is cookie auth but let the cookie expire on browser close; that's not part of the standard set of 7, but we have some predefined rules in place that can help you do this.

                        thanks,

                        Michael
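The cookie scheme described in replies 5 and 8 (one login checked against a local user DB, then a cookie that stays good for 8 hours, or one the browser drops on close for shared machines) as an added, self-contained Python example. This is illustrative code, not MWG's own implementation; the cookie name, the signing secret, the "user|expiry|signature" layout and the two-entry local user table are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server-side secret; a real deployment would load it from
# the proxy's configuration, never hard-code it.
COOKIE_SECRET = b"example-only-secret-change-me"
COOKIE_NAME = "mwg_session"          # hypothetical cookie name
EIGHT_HOURS = 8 * 3600

# Constructed local user database (username -> password) standing in for
# the proxy's local user DB mentioned in the thread.
LOCAL_USERS = {"jdoe": "correct horse", "asmith": "battery staple"}


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so the client cannot alter user or expiry."""
    return hmac.new(COOKIE_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, password: str, now: Optional[int] = None,
                 ttl: int = EIGHT_HOURS) -> Optional[str]:
    """Verify the login against the local DB; on success return
    'user|expiry|signature', otherwise None (the user gets the login page again)."""
    stored = LOCAL_USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl}"
    return f"{payload}|{_sign(payload)}"


def verify_cookie(value: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username carried by a valid, unexpired cookie, else None.

    The signature is checked before the expiry so a forged expiry is never trusted.
    """
    try:
        username, expiry_text, sig = value.split("|")
        expiry = int(expiry_text)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{username}|{expiry}")):
        return None
    now = int(time.time()) if now is None else now
    if now >= expiry:
        return None
    return username


def set_cookie_header(value: str, ttl: int = EIGHT_HOURS,
                      session_only: bool = False) -> str:
    """Build the Set-Cookie value. With session_only the Max-Age attribute is
    omitted, so the browser discards the cookie on close (shared PCs); the
    server-side expiry inside the cookie is enforced either way."""
    attrs = [f"{COOKIE_NAME}={value}", "Path=/", "HttpOnly", "Secure"]
    if not session_only:
        attrs.append(f"Max-Age={ttl}")
    return "; ".join(attrs)


if __name__ == "__main__":
    t0 = int(time.time())
    cookie = issue_cookie("jdoe", "correct horse", now=t0)
    print(set_cookie_header(cookie))
    print(set_cookie_header(cookie, session_only=True))
    print("7h later:", verify_cookie(cookie, now=t0 + 7 * 3600))
    print("8h later:", verify_cookie(cookie, now=t0 + 8 * 3600))
```

The two Set-Cookie variants map onto the two options in the thread: the Max-Age form is the "good for 8 hours" cookie, the session-only form is the "expire on browser close" variant for shared machines, and in both cases the signed expiry inside the value caps the session at 8 hours regardless of what the browser does.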

                        • 9. Re: Macintosh support
                          michael_schneider

                          Hi DBO,

                           

                          cookie with local DB is only available in MWG 7.

                           

                          best,

                          Michael