Thank you for the replies.
I have gone through DOC-4384, and that is how I ended up with this configuration right now, but I have a few more things I would need to clear up:
1. Does MWG support single sign-on, i.e. a user would never be prompted to enter his username and password?
2. What is the use of the NTLM agent? From what I understand it is just taking the information from the AD and giving it to the authentication server of the MWG.
3. Are there any advantages and disadvantages when comparing NTLM and NTLM agent?
Thanks in Advance.
What authentication ruleset do you have in place? If you are using the Transparent bridge you should be using the Authentication server. In addition, you referenced a thread where I had shown you how to obtain the email address from AD (https://community.mcafee.com/message/294135#294135) which is separate from this topic of authentication.
"Does MWG support single sign-on?" It is not a question of whether or not the MWG supports it (because it does), it is whether the client browser trusts the MWG to support it. This is discussed in the aforementioned article under the Push browser settings via Group Policy or Browser security settings. Think of the MWG as though it is your intranet site: it most likely requires authentication to access it, and this is the same type of authentication MWG is using, except your browser probably trusts the intranet site.
Unless you have a reason to use the NTLM-Agent, you should use Native NTLM (join the MWG to the domain).
Thank you for the reply.
I used the following document to configure the authentication.
Now the users aren't getting prompted to enter the credentials, but when they try to access a site they get the following page as an error. But if they enter the same address again they can access it without any issue. Why is this? As I can understand, this has something to do with the cookie that is being sent.
Any idea of how to stop this?
The authentication server URL has been put as http://ip:port instead of that <$property bla bla bla> thing because the latter didn't seem to work with my setup.
Thanks in advance, and btw you have been far more helpful compared to the TAC.
Please review the aforementioned doc again. This issue is coming about because of some change you made:
"The authentication server URL has been put as http://ip:port instead of that <$property bla bla bla> thing because the latter didn't seem to work with my setup."
I'd suggest reimporting the rules and trying again.
As a rule of thumb start with what works (the defaults), and then deviate from there.
The default URL doesn't seem to work, which is why I changed it to the specific IP and port. My URL looks like http://172.25.104.90:9090 where the IP is the gateway IP and the port is the proxy listening port.
The default doesn't have the ticks on the 2 cookie options, so every time you close the browser and open it after the timeout I'm prompted (this happens even using the default URL).
But when I put those 2 ticks in the authentication server window for the cookie options, then I get a rule engine error from McAfee. But the next time I go to the same page it will display the page as usual.
The URL is something like http://dailymirror.lk/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Land&setCookie=....... where dailymirror.lk is the site I'm trying to access after leaving it idle for some time.
Leave the default URL. This is necessary because it uses a variable instead of a static string. Imagine if you change the MWG's IP, or if you have multiple nodes in a cluster which share the same settings. Each appliance will generate its own string.
You cannot have both "require client id" and "store auth result in a cookie" checked, otherwise you will get an error.
I would appreciate if you could help me out here. This is what I have done up to now:
1. Configured the MWG in transparent mode.
2. Added the gateway to the domain. Status shows green (OK).
3. The front end is the authentication server with the following settings as shown in the pic. Uses the default URL as you told me to:
   http://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$
4. The backend is NTLM as shown in the pic.
5. Have added http://172.25.104.90,http://mcafeevwg.mit.com to network.automatic-ntlm-auth.trusted-uris on Firefox.
When I try to log in I am prompted to enter the credentials, then I first get this page with the URL http://cnn.com/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Land&setCookie=MToyNDpOVFkwUk........... where cnn.com is the site I'm trying to access. When I re-enter cnn.com then I can access it as usual.
Am I missing anything else?
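A small diagnostic script, added here as an example and not part of the thread or of McAfee's own code, that ties together the three configuration points raised above: it recognises the MWG authentication landing URL the poster keeps seeing, reports whether the configured authentication server URL is node-specific (property placeholders) or a static address, and applies a simplified model of Firefox's network.automatic-ntlm-auth.trusted-uris matching to check whether the gateway is trusted for silent NTLM. The /mwg-internal/<id>/plugin path shape, the placeholder token and the trusted-uris matching rules are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the landing URL quoted in the thread.
# The id segment and the setCookie value are placeholders, not real tokens.
SAMPLE_LANDING = ("http://cnn.com/mwg-internal/de5fs23hu73ds/plugin"
                  "?target=Auth&reason=Land&setCookie=PLACEHOLDER_TOKEN")


def parse_mwg_landing(url):
    """Return (original_host, reason, has_set_cookie) when url looks like an
    MWG auth landing page (assumed shape: /mwg-internal/<id>/plugin with
    target=Auth), otherwise None."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    if len(segs) < 3 or segs[0] != "mwg-internal" or segs[-1] != "plugin":
        return None
    q = parse_qs(parts.query)
    if q.get("target", [""])[0] != "Auth":
        return None
    return (parts.hostname, q.get("reason", [""])[0], "setCookie" in q)


def auth_url_is_node_specific(auth_url):
    """True when the authentication server URL uses MWG property placeholders
    (resolves per appliance), False when it is a hard-coded ip:port."""
    return "$<propertyInstance" in auth_url


def firefox_trusts(gateway_url, trusted_uris):
    """Simplified model (assumption) of Firefox's trusted-uris matching:
    comma-separated entries; an entry with a scheme must match scheme and
    host, and port only if the entry states one; a bare domain entry matches
    that host or any subdomain of it."""
    gw = urlsplit(gateway_url)
    host = (gw.hostname or "").lower()
    for raw in trusted_uris.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "://" in entry:
            e = urlsplit(entry)
            if (e.scheme == gw.scheme and (e.hostname or "").lower() == host
                    and (e.port is None or e.port == gw.port)):
                return True
        else:
            dom = entry.lstrip(".").lower()
            if host == dom or host.endswith("." + dom):
                return True
    return False
```

Run `parse_mwg_landing` over the URLs users report to confirm they are auth landings rather than blocked pages, and `firefox_trusts` against the exact proxy URL (including port) to check that the browser will send NTLM silently.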
Take more screenshots of your rules/rulesets/settings specifically related to the authentication server or open a service request.
I'm pretty sure you have misconfigured the rules, which is causing the prompt.
If you open a service request, include a feedback file. Do NOT post the feedback file here.