Documentation | Support

Go to the table of contents Go to the previous page You are at the end of the document View or print as PDF
Configuring browsers for NTLM identification
Configuring browsers for NTLM identification
Deploying an I Series Appliance | Forcepoint Web Security Cloud
This appendix describes how to configure supported Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox for NTLM transparent identification, either manually or via a Group Policy.
Internet Explorer & Google Chrome
 
* 
Note 
The settings in this section will also be applied to a Google Chrome browser on the same machine.
The screenshots in this section are taken from Internet Explorer 11 on Windows 7.
To enable NTLM on a single Internet Explorer browser:
1.
Go to Tools > Internet Options.
2.
Select the Security tab.
3.
Select Local Intranet, then click Sites to open the list of Trusted Sites for the Intranet zone.
4.
For Internet Explorer 8 and above, click Advanced on the window that appears.
5.
Enter the IP address of the B1/B2 bridge interface on your appliance, then click Add.
6.
Clear the Require server verification box.
7.
Click Close.
8.
With Local Intranet still selected, click Custom level.
9.
Scroll down to the User Authentication section, and ensure Automatic logon only in Intranet zone is selected.
10.
Click OK, and exit Internet Options.
Configuring NTLM via Group Policy
To create an NTLM transparent authentication policy using a Group Policy Object (GPO):
1.
Log on to your Active Directory domain controller (DC) using a domain admin account.
2.
Perform the steps listed in Internet Explorer & Google Chrome to enable NTLM in the Internet Explorer or Chrome browser on the DC.
3.
To turn off Internet Explorer Enhanced Security Configuration:
a.
Open Server Manager.
b.
Scroll down to Security Information, and click Configure IE ESC.
c.
Turn ESC Off for administrators and users, and close the window.
4.
Open Group Policy Management.
5.
Right click your domain name (or the OU that contains the end users who will receive this policy), and click Create a GPO in this domain, and link it here.
6.
Give your new policy a name, and click OK.
7.
Right-click your newly-created policy, and select Edit.
8.
Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings.
9.
Select Import the current security zones and privacy settings.
10.
You may receive a warning about Enhanced Security Configuration. This is why the enhanced configuration was disabled in step 3, so that this policy will apply to workstations without enhanced security turned on. Click Continue.
11.
Turn on Enhanced Security Configuration again, and repeat steps 4-9 to create a policy with ESC enabled. This ensures that workstations with either configuration are supported.
12.
Close all open windows.
The changes will take time to replicate though your Active Directory, depending on your setup. This may be from 15 minutes to an hour; if you have a multi-site AD setup, it may take a day or two.
You can then set up a login script that will install the policy when end users log on to their workstations.
This method uses 2 files:
*
login.bat
*
ntlm.reg
The login.bat script contains two lines:
@echo off
regedit /s \\path\ntlm.reg
In the ntlm.reg script, replace <Box IP> with the IP address of your appliance:
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5]
"*"=dword:00000001
":Range"="<Box IP>"
Mozilla Firefox
Deploying an I Series Appliance | Forcepoint Web Security Cloud
 
 
Note 
If you are configuring Firefox v38 or later on Linux, you must perform step 6 in the procedure below to ensure the browser falls back to NTLM v1. This is due to the Linux version having issues with NTLM v2 that can cause authentication failures.
The screenshots in this section are taken from Mozilla Firefox version 40.
To enable NTLM transparent authentication in Firefox:
1.
Open Firefox, and type about:config in the address bar.
2.
Click I'll be careful, I promise! to open the advanced configuration page.
3.
Type ntlm in the Search field.
4.
Select network.ntlm.send-lm-response and double-click it to toggle it to on.
5.
Double-click network.automatic-ntlm-auth-trusted-uris. In the box that appears, enter the IP address of the B1/B2 bridge interface on your appliance, and click OK.
6.
If you are configuring Firefox on a Linux machine, double-click network.auth.force-generic-ntlm-v1.
The Status is changed to user set, and the Value is changed to true.

Go to the table of contents Go to the previous page You are at the end of the document View or print as PDF
Configuring browsers for NTLM identification
Copyright 2022 Forcepoint. All rights reserved.