Getting Started Guide
Websense Web Security Gateway Anywhere v7.5


When the NTLM option is enabled, the proxy challenges users who request content for proof of their credentials. The proxy then sends the proof of the user's credentials directly to the Windows domain controller to be validated. If the credentials are valid, the proxy serves the requested content and stores the credentials in the NTLM cache for future use. If the credentials are not valid, the proxy sends an authentication failed message to the user.
Content Gateway supports both transparent (Single Sign-On) and explicit authentication. Transparent authentication is supported with Microsoft Internet Explorer 7 and 8, and Mozilla Firefox 2 and 3. Single Sign-On allows users to sign on only once, so that they can seamlessly access all authorized network resources. Therefore, if a user has already logged on to the Windows network successfully, the credentials specified during Windows logon are used for authentication and the user is not prompted again for a username and password. Explicit (basic) authentication is supported for other browsers. With explicit authentication, users are prompted for a username and password before they can access the protected content.
Content Gateway supports the use of backup domain controllers for failover. If the primary domain controller does not respond to proxy requests, Content Gateway contacts the next domain controller in the list (the backup domain controller). For the next request, the proxy tries to contact the primary domain controller again and then contacts the backup domain controller if the connection fails. Content Gateway does this 5 times before considering the server unavailable. After marking the primary domain controller unavailable, the proxy waits 5 minutes before trying to contact it again.
Content Gateway supports access to Windows NT domain controllers and Windows 2000, 2003, and 2008 Active Directory.
1.
WINS resolution is not supported. Domain controllers must have host names that can be resolved by a DNS server.
2.
Extended security is not supported and cannot be enabled on the domain controller.
3.
NTLM2 session security is not supported and cannot be enabled on clients. In the Security Settings area of the Windows operating system, inspect the Network Security: Minimum session security settings.
4.
NTLMv2 is not supported with Active Directory 2008. The required Network Security: LAN Manager Authentication setting is described in step 5 of Configuring NTLM proxy authentication, below.
6.
NTLM credential caching is performed when authentication is successful in explicit mode.Transparent proxy authentication caching is handled separately and is configured on the Configuration > Security > Access Control > Transparent Proxy Authentication tab.
1.
Navigate to Configure > My Proxy > Basic > General.
2.
In the Features table, click NTLM On in the Authentication section.
3.
Click Apply.
4.
Navigate to Configure > Security > Access Control > NTLM.
5.
In the Domain Controller Hostnames field, enter the host name of the primary domain controller, followed, optionally, by a comma separated list of backup domain controllers. The format of the host name must be:
Note 
If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445. If you do not use port 445, you must ensure that the Windows Network File Sharing service is running on the Active Directory server. See your Windows Server 2008 documentation for details.
Note 
If you are using Active Directory 2008, in the Windows Network Security configuration, LAN Manager Authentication level must be set to Send NTLM response only. See your Windows Server 2008 documentation for details.
6.
Enable Load Balancing if you want the proxy to balance the load when sending authentication requests to multiple domain controllers.
Note 
When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.
7.
Fail Open is enabled by default. Fail Open allows requests to proceed when authentication fails due to:
With Fail Open, when Web filtering is used with the proxy and an XID agent is configured, if NTLM authentication fails the requester can still be identified by the XID agent and appropriate policy applied.
Disable Fail Open if you want to stop requests from proceeding to the Internet when the above listed authentication failure conditions occur.
8.
Credential Caching is enabled by default. To disable credential caching, select Disable.
9.
Caching TTL sets the time-to-live from entries in the credential cache. The default TTL is 900 seconds (15 minutes). To change the TTL, enter a new value in the entry field. The range of supported values is 300 to 86400 seconds.
10.
If some users use terminal servers to access the Internet through the proxy (e.g., Citrix servers), you must create a list of those servers in the Multi-user Hostnames field. Credentials for such users are not cached. Enter a comma separated list of host names. Names can include simple regular expressions to match multiple host names, such as "tserver*" to match all host names that start with "tserver".
11.
Click Apply.
12.
Click Restart on Configure > My Proxy > Basic > General.
*
Configure Content Gateway to allow certain clients to access specific sites on the Internet without being authenticated by the NTLM server.