5 Replies Latest reply on Jul 6, 2012 10:49 PM by HermanSchenk

    Web Gateway LDAP authentication in clear text?

    HermanSchenk

      Hi all, today in my lab I played with EWS and MWG LDAP auth against OpenLDAP. I was surprised that EWS appears to encrypt the mechanism and MWG does not... so, is there any way to make MWG work like EWS?

       

       

       

       

                                                 


       

      Message was edited by: HermanSchenk on 05/07/12 18:38:46 GMT-06:00
        • 1. Re: Web Gateway LDAP authentication in clear text?
          Jon Scholten

          Hi Herman,

           

          Short answer, yes. Use the Authentication server or Direct proxy auth with Kerberos.

           

          Long answer: The two devices use two different types of authentication (EWS only does one, MWG does many many many)! This is why you are seeing differences.

           

          For EWS it only does "Web based" authentication, which means you will be redirected to an "Authentication server" of some kind (on the EWS); it will then authenticate you and give you a cookie.

           

          For MWG, it offers a number of different types of authentication, the main ones being Direct Proxy Authentication, Authentication Server, Cookie Authentication Server.

           

          If you are using Direct Proxy Authentication with LDAP, then yes, the credentials will be sent with every request, base64 encoded. If you use the authentication server, then you can authenticate with the authentication server once every X seconds (default is 600), and this communication can be whatever you like (HTTP/HTTPS).

           

          But they are two fundamentally different types of authentication, and have different underlying processes for user authorization.

           

          Hope this helps,

          Jon

          1 of 1 people found this helpful
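
The exposure described in the answer above, as an added example that is not part of the original thread: base64 is an encoding, so a `Proxy-Authorization: Basic` header seen on a plain-HTTP client-to-proxy link gives up the LDAP password, while a Kerberos (`Negotiate`) header does not carry it. The function name and the sample capture are constructed for illustration.

```python
import base64

# Constructed sample: two plain-HTTP proxy requests as a sniffer on the
# client-to-proxy segment would see them. User, password and token are made up.
SAMPLE_CAPTURE = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"labuser:S3cret:pw").decode() + "\r\n"
    "\r\n"
    "GET http://example.com/logo.png HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: Negotiate YIIConstructedTicket==\r\n"
    "\r\n"
)


def audit_proxy_auth(capture):
    """Return one finding per Proxy-Authorization header in the capture."""
    findings = []
    for line in capture.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        finding = {"scheme": scheme, "password_recoverable": False}
        if scheme.lower() == "basic":
            try:
                raw = base64.b64decode(token.strip(), validate=True)
            except ValueError:
                finding["error"] = "malformed base64"
            else:
                # RFC 7617: the user-id ends at the FIRST colon; the
                # password may itself contain colons.
                user, colon, password = raw.decode("utf-8", "replace").partition(":")
                # Report only the length so the audit output is safe to share.
                finding.update(user=user, password_len=len(password),
                               password_recoverable=bool(colon))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_proxy_auth(SAMPLE_CAPTURE):
        print(f)
```
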
          • 2. Re: Web Gateway LDAP authentication in clear text?
            HermanSchenk

            Excellent answer! Thanks Jon

            Until next time

            • 3. Re: Web Gateway LDAP authentication in clear text?
              HermanSchenk

              I understand the concept, but can you help me build the rule? I tried to do it, but the text saying that the information will be sent in clear text always appears... so frustrating.

              Thanks in advance

               

              Message was edited by: HermanSchenk on 06/07/12 13:58:16 GMT-06:00
              • 4. Re: Web Gateway LDAP authentication in clear text?
                Jon Scholten

                Here is a ruleset you can toy with.

                 

                You will need to add a new proxy port (10000); for that port, you need to add * for ports treated as SSL.


                 

                The ruleset is barebones, and you will need SSL scanner on in order for HTTPS to authenticate properly.

                 

                Let me know how this works and if it makes any sense.

                 

                Normally you would have to exempt the MWG's IP in the proxy settings, but I tried to make sure that wasn't needed.

                 

                Best,

                Jon

                • 5. Re: Web Gateway LDAP authentication in clear text?
                  HermanSchenk

                  It works!! You are a master! Thanks a lot, thanks, thanks!

                   

                   

                   

                  You deserve a raise