Legacy NTLM authentication

Content Gateway supports the NTLM (NT LAN Manager) authentication protocol as a method of ensuring that users in a Windows network are authenticated before they access the Internet.


	Important This implementation of NTLM support (Legacy NTLM) relies solely on the NTLMSSP protocol. Although it performs reliably as documented in this section, it is highly recommended that the Integrated Windows Authentication mode be used instead. It provides more robust and secure support for NTLM.


	Important If rule-based authentication will be used, configure Legacy NTLM authentication through the Rule-Based Authentication option. However, read this section to become familiar with Legacy NTLM features and restrictions.

When the Legacy NTLM option is enabled, the proxy challenges users who request content for proof of their credentials. The proxy then sends the proof of the user's credentials directly to the Windows domain controller to be validated. If the credentials are valid, the proxy serves the requested content and stores the credentials in the NTLM cache for future use. If the credentials are not valid, the proxy sends an authentication failed message.

Restrictions:

WINS resolution is not supported. Domain controllers must have host names that can be resolved by a DNS server.

Extended security is not supported and cannot be enabled on the domain controller.

NTLM2 session security is not supported and cannot be enabled on clients. In the Security Settings area of the Windows operating system, inspect the Network Security: Minimum session security settings.

NTLMv2 is not supported with Active Directory 2008. The required Network Security: LAN Manager Authentication setting is described in step 5 of Configuring NTLM proxy authentication, below.

Not all browsers support transparent NTLM authentication. See Browser limitations.

If you are using Legacy NTLM with rule-based authentication, see Rule-Based Authentication, for configuration steps.

Configuring Legacy NTLM authentication

Go to Configure > My Proxy > Basic > General.

In the Authentication section, click Legacy NTLM On, and click Apply.

Configure the Global authentication options.

Go to Configure > Security > Access Control > Legacy NTLM.

In the Domain Controller Hostnames field, enter the hostname of the primary domain controller, followed, optionally, by a comma separated list of backup domain controllers. The format of the hostname must be:

host_name[:port][%netbios_name]

IP_address[:port][%netbios_name]


	Note If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445. If you do not use port 445, you must ensure that the Windows Network File Sharing service is running on the Active Directory server. See your Windows Server 2008 documentation for details.


	Note If you are using Active Directory 2008, in the Windows Network Security configuration, LAN Manager Authentication level must be set to Send NTLM response only. See your Windows Server 2008 documentation for details.

Enable Load Balancing if you want the proxy to balance the load when sending authentication requests to multiple domain controllers.


	Note When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.

Click Apply and restart Content Gateway (Configure > My Proxy > Basic > General).

Optionally, you can configure Content Gateway to allow certain clients to access specific sites on the Internet without being authenticated by the NTLM server; See Access Control).