2 Replies Latest reply on Nov 23, 2016 10:32 AM by dcarson

    SOCKS with both AD and IP authentication

    dcarson

      I'm currently developing a new rule set to allow us to move away from Dante SOCKS to McAfee SOCKS so we can make better use of the MWG rule engine and start supporting AD authentication as we currently rely on IP authentication.


      Going forward I want a hybrid environment with the rules I've ported relying on IP authentication and new rules relying on AD group membership as much as possible.


      I've been able to create the initial rule set and tested it without issues; however, the problem I've now got after porting all the rules is that some of the subnets in the IP-based rules overlap with the subnets I'm connecting from for the AD-based rules. For example:

      • Steve is allowed to connect to example.com based on AD group membership
      • 10.66.1.0/24 is allowed to connect to mcafee.com based on IP range
      • Steve's current IP is 10.66.1.2


      I now have the problem of how I handle authentication: if I put my IP authentication rules first, Steve will be able to access mcafee.com but not example.com, and if I put the AD authentication first, no one can connect to mcafee.com (nor will any other rule that utilises IP authentication work), but the AD rules work.


      I'm using the default NTLM Authentication rules (If Authentication.Authenticate<engine> equals false - Authenticate<Default>). Is there a way of essentially doing a soft fail so I can initially attempt to authenticate the client based on NTLM and then, if there are no AD credentials set, fall back to an IP address white list?
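A small policy simulator, added here as an illustration rather than MWG rule syntax or code from this thread, that models the three orderings described above (IP authentication first, mandatory AD authentication first, and the requested soft-fail AD-then-IP) against the hosts and subnet in the post. The group name socks-users, the directory record for Steve, and the stage semantics (a stage either decides or passes the request on) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy mirroring the post's scenario (not MWG rule syntax).
AD_RULES = {"example.com": {"socks-users"}}                        # dest -> allowed AD groups
IP_RULES = {"mcafee.com": [ipaddress.ip_network("10.66.1.0/24")]}  # dest -> allowed source subnets
GROUPS = {"steve": {"socks-users"}}                                 # hypothetical directory lookup

@dataclass
class Request:
    src_ip: str
    dest: str
    user: Optional[str] = None   # None when the client presented no credentials

def ad_strict(req):
    """Mandatory AD authentication: no credentials is a hard deny."""
    if req.user is None:
        return False
    return bool(GROUPS.get(req.user, set()) & AD_RULES.get(req.dest, set()))

def ad_soft(req):
    """Soft fail: decide only when AD can positively authorize, otherwise pass on (None)."""
    if req.user is not None and GROUPS.get(req.user, set()) & AD_RULES.get(req.dest, set()):
        return True
    return None

def ip_auth(req):
    """IP 'authentication': decides only for sources inside a subnet the IP rules know about."""
    ip = ipaddress.ip_address(req.src_ip)
    known = any(ip in net for nets in IP_RULES.values() for net in nets)
    if not known:
        return None
    return any(ip in net for net in IP_RULES.get(req.dest, []))

def evaluate(req, stages):
    """Run stages in order; the first stage returning a decision ends evaluation; default deny."""
    for stage in stages:
        decision = stage(req)
        if decision is not None:
            return decision
    return False

if __name__ == "__main__":
    steve = Request("10.66.1.2", "example.com", user="steve")
    print("IP first, Steve -> example.com:", evaluate(steve, [ip_auth, ad_strict]))   # False
    print("AD-soft first, Steve -> example.com:", evaluate(steve, [ad_soft, ip_auth]))  # True
```

Swapping the stage list reproduces each of the three behaviours described in the post, with only the soft-fail ordering allowing both Steve's AD-based access and unauthenticated subnet-based access to mcafee.com.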

        • 1. Re: SOCKS with both AD and IP authentication
          Jon Scholten

          Hi Dcarson!


          I'm interested in the use case here. Who or what is using the SOCKS proxy? Is it actual users or are you using it for some random machines in the network?


          I don't believe the SOCKS tunnel would allow for try auth (either you perform authentication or you don't). However, if you're using a browser and the traffic in the SOCKS tunnel is HTTP, then it might work.


          I posted a ruleset here which acts as a base SOCKS proxy ruleset.

          Using SOCKS on Webgateways


          This ruleset has authentication included (Basic or Kerberos --- there is no NTLM in SOCKS).


          If you've got an SR open, or opened one ever, I can look you up based on that and reach out directly (if you'd like to discuss specifics). Just post the SR #, no other contact info needed.


          Best Regards,

          Jon

          • 2. Re: SOCKS with both AD and IP authentication
            dcarson

            Hi Jon,

            Thanks for that.


            At present it's basic authentication, but in future we'll probably look to move to Kerberos.


            I've just raised an SR - 4-16520979721. If you could give me a shout it would be much appreciated.


            All the best


            David