19 Replies Latest reply on Jan 6, 2011 1:47 PM by ittech

    AD Authentication in Transparent Bridge Mode

    ittech

      Today we went live with our MWG7 and in the course of things switched it from a proxy to a transparent bridge.

      The only problems were that after doing so:

       

      1. Users were prompted to enter in their username and passwords (this was not required when in proxy mode)

      2. After entering in their username and password, users were not being authenticated or placed in their AD groups

       

      Authentication is set up as NTLM

      The appliance was connected to the domain

      If the user's authentication was tested within the appliance, it worked correctly

       

      I'm not sure where to proceed from here and I don't understand the differences between proxy and bridged mode that would cause a user's authentication to work correctly in one situation, but not the other.

       

      Thanks for any input.

        • 1. Re: AD Authentication in Transparent Bridge Mode

          We have ours set up in Transparent router mode.  Users are prompted to authenticate to the domain, similar to what you have seen with the transparent bridge set up, but we haven't had any problems with users being placed in the appropriate groups and the like.

           

           

          Message was edited by: daniel.miller on 12/15/10 4:27:01 PM CST
          • 2. Re: AD Authentication in Transparent Bridge Mode

            At this link I attached a word document with the necessary configuration for transparent authentication.

             

            Please read and ask any further questions you may have.

             

            https://community.mcafee.com/thread/29947

             

             

            on 12/15/10 4:29:21 PM CST
            1 of 1 people found this helpful
            • 3. Re: AD Authentication in Transparent Bridge Mode

              In general, you have to set up a different authentication mechanism for transparent forms of proxying than you would for explicit proxying.

               

              Explicit proxy authentication is the formal 407 mechanism that all browsers understand and honor. You can't just turn on transparent bridging and use the same set of rules that Proxy Auth uses.

               

              When you set up transparent bridging or WCCP, or any "in-line" proxy, the browser does not know who is in between it and the web server. In order to trick the browser into giving up its credentials, you need to use something like Cookie Authentication. It intercepts the request, redirects it to the proxy, does some 401 authentication, sets 3rd party cookies, and redirects back to the destination site. The normal authentication rules do not apply and you have to add additional rules to do the Cookie Auth.

               

              You also have to touch each browser and allow 3rd-party cookies, and you need to add the proxy to the trusted Intranet zones in the browsers in order for this to succeed.

               

              Also, if you plan on doing both explicit proxy and transparent proxy on the same appliance, you need to set up a second listening proxy port, in addition to 9090, that services just one method or the other. Then write your authentication rules around the Proxy.Port depending on which vector the request is coming in on.

              1 of 1 people found this helpful
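
The two exchanges described in reply 3, as an added example that is not part of the original thread and is not McAfee Web Gateway code: a simplified Python model of an explicit-proxy 407 challenge next to a transparent redirect, 401, cookie, redirect-back flow, selected by listener port. The host name `auth.proxy.example`, the signing key, the `tok` redirect-back parameter and the HMAC-signed cookie format are assumptions made for illustration; ports 3128 and 9090 are the ones mentioned in this thread.

```python
import hashlib, hmac
from urllib.parse import quote, unquote

EXPLICIT_PORT, TRANSPARENT_PORT = 3128, 9090  # listener ports mentioned in this thread
AUTH_HOST = "auth.proxy.example"   # hypothetical host name for the appliance's auth page
KEY = b"constructed-demo-key"      # constructed; a real key is random and kept secret

def sign(user):
    """Bind the user name to an HMAC so a cookie or token cannot be forged."""
    return user + ":" + hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()

def verify(value):
    """Return the user name if the HMAC is valid, else None."""
    user = (value or "").rpartition(":")[0]
    ok = user and hmac.compare_digest(value.encode(), sign(user).encode())
    return user if ok else None

def proxy(port, host, path, hdrs):
    """One proxy decision; returns (status, response_headers, user)."""
    if port == EXPLICIT_PORT:      # browser is configured with a proxy and honours 407
        user = hdrs.get("Proxy-Authorization")  # stands in for a finished NTLM handshake
        return (200, {}, user) if user else (407, {"Proxy-Authenticate": "NTLM"}, None)
    if host == AUTH_HOST:          # browser has been redirected to the auth host
        user = verify(hdrs.get("Cookie")) or hdrs.get("Authorization")
        if not user:               # 401, as for an ordinary web server
            return 401, {"WWW-Authenticate": "NTLM"}, None
        back = unquote(path.split("url=", 1)[1]) + "?tok=" + quote(sign(user))
        # Cookie is scoped to AUTH_HOST, so it is third-party to the site being visited.
        return 302, {"Location": back, "Set-Cookie": sign(user)}, user
    user = verify(unquote(path.partition("?tok=")[2]))
    if user:                       # redirected back carrying a valid signed token
        return 200, {}, user
    origin = quote(f"http://{host}{path}", safe="")
    return 302, {"Location": f"http://{AUTH_HOST}/auth?url={origin}"}, None

def browse(port, host, path, user):
    """Simulated browser: answers challenges, follows redirects, returns statuses seen."""
    seen, hdrs = [], {}
    while len(seen) < 6:
        status, resp, who = proxy(port, host, path, hdrs)
        seen.append(status)
        if status == 200:
            return seen, who
        if status in (401, 407):
            name = "Authorization" if status == 401 else "Proxy-Authorization"
            hdrs = {name: user}
        else:                      # 302: follow the Location header
            host, _, path = resp["Location"][len("http://"):].partition("/")
            path, hdrs = "/" + path, {}
    return seen, None
```

Calling `browse` with each port for the same site shows the difference in round trips: one 407 challenge on the explicit listener, and a redirect, a 401 and a second redirect on the transparent one.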
              • 4. Re: AD Authentication in Transparent Bridge Mode
                ittech

                Could the NTLM agent be an option for a Transparent Bridge?

                • 5. Re: AD Authentication in Transparent Bridge Mode

                  Quick question - what are the reasons for wanting to use the NTLM agent?

                  • 6. Re: AD Authentication in Transparent Bridge Mode

                    Any of the authentication methods should be applicable.

                    • 7. Re: AD Authentication in Transparent Bridge Mode
                      ittech

                      I'm trying to find the best way to authenticate without giving up on Transparent Bridge. We have some laptops that VPN into our network that are set up to use our current Web Filter as a proxy, while anyone inside the network is using it as a transparent bridge. Also, we are in the process of setting up a free wi-fi service to the public and need a way for them to be filtered as well. Perhaps the best thing would be to connect the wi-fi to the proxy?

                      • 8. Re: AD Authentication in Transparent Bridge Mode
                        ittech

                        I'm currently in the process of combining the dual roles of Proxy and Transparent Bridge.

                         

                        Trying out the instructions posted here:

                        https://community.mcafee.com/message/164718#164718

                        and the Proxy.Port option.

                         

                        My explicit proxy port is 3128

                        My transparent bridge proxy port is 9090

                         

                        Me =

                         

                        1.png

                         

                        I'm not sure if this "Authenticate for transparent Bridge" should always be on or just for port 9090

                        2.png

                         

                        3.png

                         

                        4.png

                         

                         

                        Message was edited by: ittech Added Pictures and comments on 12/16/10 3:25:14 PM EST
                        • 9. Re: AD Authentication in Transparent Bridge Mode
                          ittech

                          Okay so I've got the Transparent Bridge authenticating as stated in Saul Alanis's thread. I've done it without changing the settings in IE; I've seen what happens and all the prompts that come up. The main thing is getting my director to understand why IE settings have to be changed so the user doesn't have to do anything. We purchased the MWG7 to replace the St. Bernard iPrism that we are currently using to filter traffic. On it you simply select that you want to authenticate HTTP traffic and check a box for auto-login. The user doesn't see anything and we don't have to change certain settings in IE for it to work. So, it's kind of a hard sell for me to tell him that in order to be transparent we have to touch IE settings and he retorts "Then it isn't transparent." Any suggestions?
