In a nutshell, for Internet Explorer/Chrome users we want to use NTLM authentication; everything else we want to automatically get the unauthenticated rule set.
For background auth with Firefox, you can put your gateway IP with port in the network.automatic-ntlm-auth.trusted-uris setting. You can get to that by typing about:config in the URL bar.
Our examples are as follows: https://webgateway01:10000,https://webgateway02:10000, etc. The computer has to be on the domain, though, I believe, in order for it to work? You are correct, though: some apps just fail with background auth, and our rinky-dink workaround is to open up a browser, and then it works.
In Firefox, search for and install the Add-On NTLMAuth.
No more pop-ups. Works great.
As for the other applications, if there is no place to put in proxy settings (which most programs do have), you will have to make a rule set to allow those programs through without authentication. This is the only way to do it. You do this by User-Agent. Check your logs when you use those programs and you will see what User-Agent it is coming up as. Then you make a rule in your authentication rule set that says, if it is this user-agent, then skip authentication.
An example of a program that doesn't work is Dropbox. It has proxy settings, but when I set it to auto it doesn't work. If I put it in manually with the IP and user/pass it still doesn't work.
IE/Firefox/Chrome work fine with the proxy.
These little apps do not. When I googled what user-agent Dropbox uses, I came up with "it doesn't use one".
If I put 'dropbox.com' in our global whitelist it doesn't work either.
I could be wrong, but as I recall, when I tested the Dropbox client a few months ago it used the proxy settings in IE, but it could not use SSL decryption and NTLM authentication. I think it did use Basic Auth, however.
Like I said, I could be wrong.
What do the logs show? This should contain all the information needed in order to bypass for it.
The logs can be found under Troubleshooting > Log files.
This should contain a user-agent if one is present (Header.Request.Get("User-Agent")), and also show you the domains it is accessing, in case it is not just "dropbox.com" (which I know it is not; I don't remember the exact format of their URLs).
Not seeing anything in the access log. Would it be in another one?
clientXX.dropbox.com is the syntax they use. In my global whitelist, "URL.Host is in list" with dropbox.com in the list didn't work.
header.request.get("User-Agent") equals "" is what I was using to capture the blank user agent. That also didn't work.
Eelsasser, what do you mean it can't use SSL decryption and NTLM authentication? How do I account for that on the McAfee?
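To make the two checks from the posts above concrete, here is an added example (it is not code from this thread and not McAfee Web Gateway rule syntax; it is a small Python simulation of the rule logic). It parses a few constructed access-log lines in an assumed layout of [time] "user" client-ip status "method target" "user-agent", lists the user-agents seen per host, and then compares an exact host-list test against a wildcard test. The point it demonstrates: an exact list entry of "dropbox.com" never matches "client123.dropbox.com", so the list needs "*.dropbox.com" (and "dropbox.com" for the apex host) or an equivalent wildcard/suffix comparison. The sample lines, host names and user-agent strings are all constructed for the example.

```python
"""Added example: simulate MWG-style bypass checks over constructed log lines."""
import re
from fnmatch import fnmatch
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urlsplit

# Constructed sample log. Layout is an assumption for this example, not
# MWG's exact default access.log format:
#   [time] "user" client-ip status "METHOD target HTTP/x.y" "user-agent"
SAMPLE_LOG = """\
[01/Jan/2015:10:00:01 +0000] "" 10.1.2.3 407 "GET https://client123.dropbox.com/ HTTP/1.1" ""
[01/Jan/2015:10:00:02 +0000] "" 10.1.2.3 407 "GET https://client-lb.dropbox.com/ HTTP/1.1" ""
[01/Jan/2015:10:00:03 +0000] "DOMAIN\\jsmith" 10.1.2.3 200 "GET http://www.example.com/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
[01/Jan/2015:10:00:04 +0000] "" 10.1.2.9 407 "CONNECT update.example.org:443 HTTP/1.1" "SomeUpdater/2.1"
"""

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<user>[^"]*)" (?P<ip>\S+) (?P<status>\d{3}) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" "(?P<ua>[^"]*)"'
)


class Entry(NamedTuple):
    user: str
    client_ip: str
    status: int
    method: str
    target: str
    user_agent: str

    @property
    def host(self) -> str:
        # CONNECT carries "host:port"; other methods carry an absolute URL.
        if self.method == "CONNECT":
            return self.target.rsplit(":", 1)[0].lower()
        return (urlsplit(self.target).hostname or "").lower()


def parse_access_log(text: str) -> List[Entry]:
    """Parse lines in the assumed layout; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(Entry(m["user"], m["ip"], int(m["status"]),
                             m["method"], m["target"], m["ua"]))
    return entries


def user_agents_by_host(entries: List[Entry]) -> Dict[str, Set[str]]:
    """'Check your logs and see what User-Agent it comes up as': UA strings per host.
    A blank string means the client sent no User-Agent header at all."""
    out: Dict[str, Set[str]] = {}
    for e in entries:
        out.setdefault(e.host, set()).add(e.user_agent)
    return out


def host_in_list(host: str, string_list: List[str]) -> bool:
    """Exact comparison, i.e. what a plain string list gives you."""
    return host.lower() in {s.lower() for s in string_list}


def host_matches_list(host: str, patterns: List[str]) -> bool:
    """Wildcard comparison: '*.dropbox.com' covers the client hosts,
    'dropbox.com' is still needed separately for the apex host."""
    h = host.lower()
    return any(fnmatch(h, p.lower()) for p in patterns)


def skip_authentication(entry: Entry, bypass_hosts: List[str],
                        bypass_user_agents: List[str]) -> bool:
    """Decision an 'authentication' rule set would take: True = no auth required.
    Either a listed User-Agent (the empty string is a legitimate list entry)
    or a host matching the wildcard list skips authentication."""
    if entry.user_agent in bypass_user_agents:
        return True
    return host_matches_list(entry.host, bypass_hosts)


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for host, uas in sorted(user_agents_by_host(parsed).items()):
        print(f"{host:28s} user-agents={sorted(repr(u) for u in uas)}")
    for e in parsed:
        print(f"{e.host:28s} exact={host_in_list(e.host, ['dropbox.com'])!s:5s} "
              f"wildcard={host_matches_list(e.host, ['dropbox.com', '*.dropbox.com'])}")
```

One caveat that follows from the later posts in this thread: these checks can only fire on requests the gateway actually parses. If the client aborts the TLS handshake because it rejects the gateway's CA, no request line and no User-Agent ever reach the rule engine or the access log, so the host-based exemption from SSL scanning has to come first.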
Ok, you made me break out my test machine again.
When you try to run Dropbox, it has proxy settings.
It will honor IE settings, but won't work because of NTLM authentication. It cannot discover the plain-text password from the machine to use in BasicAuth.
You have to setup the client explicitly:
This will allow authentication to work:
After that, if you have SSL encryption turned on, it will fail:
It fails because the Dropbox client expects a particular CA and it will not accept the gateway's CA.
So you have to turn off SSL scanning for *.dropbox.com.
(And you will not be able to see the user-agent as attempted above.)
Once you turn off SSL scanning, then and only then can you connect:
So, you can use Dropbox, but...
you must use Basic Auth and enter your password into the client explicitly.
you cannot do SSL scanning (especially antimalware scanning) on the traffic.
I have applied that to Dropbox and a couple other apps that I was having problems with and that has fixed them as well.