Legacy NTLM authentication
Help | Content Gateway | v8.5.x
Content Gateway supports the NTLM (NT LAN Manager) authentication protocol as a method of ensuring that users in a Windows network are authenticated before they access the Internet.
When the Legacy NTLM option is enabled, the proxy challenges users who request content for proof of their credentials. The proxy then sends the proof of the user's credentials directly to the Windows domain controller to be validated. If the credentials are valid, the proxy serves the requested content and stores the credentials in the NTLM cache for future use. If the credentials are not valid, the proxy sends an authentication failed message.
Restrictions:
1. WINS resolution is not supported. Domain controllers must have host names that can be resolved by a DNS server.
2. Extended security is not supported and cannot be enabled on the domain controller.
3. NTLM2 session security is not supported and cannot be enabled on clients. In the Security Settings area of the Windows operating system, inspect the Network Security: Minimum session security settings.
4. NTLMv2 is not supported with Active Directory 2008. The required Network Security: LAN Manager Authentication setting is described in step 5 of Configuring Legacy NTLM authentication, below.
5. If you are using Legacy NTLM with rule-based authentication, see Rule-Based Authentication for configuration steps.
Configuring Legacy NTLM authentication
1. Go to Configure > My Proxy > Basic > General.
2. In the Authentication section, click Legacy NTLM On, and click Apply.
3.
4. Go to Configure > Security > Access Control > Legacy NTLM.
5. In the Domain Controller Hostnames field, enter the hostname of the primary domain controller, followed, optionally, by a comma-separated list of backup domain controllers. The format of each hostname must be:
host_name[:port][%netbios_name]
or
IP_address[:port][%netbios_name]
Note: If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445. If you do not use port 445, you must ensure that the Windows Network File Sharing service is running on the Active Directory server. See your Windows Server 2008 documentation for details.
Note: If you are using Active Directory 2008, in the Windows Network Security configuration, LAN Manager Authentication level must be set to Send NTLM response only. See your Windows Server 2008 documentation for details.
6. Enable Load Balancing if you want the proxy to balance the load when sending authentication requests to multiple domain controllers.
7. Click Apply and restart Content Gateway (Configure > My Proxy > Basic > General).
Optionally, you can configure Content Gateway to allow certain clients to access specific sites on the Internet without being authenticated by the NTLM server (see Access Control).
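The Domain Controller Hostnames field accepts the host_name[:port][%netbios_name] and IP_address[:port][%netbios_name] forms described in step 5, and the notes above say which combinations will not work against Active Directory 2008. The following validator is an added example, not Forcepoint code: it parses a comma-separated field value into primary and backup domain controllers and, when asked to, rejects entries that lack both a netbios_name and port 445. It assumes IPv4 literals only (a colon is always treated as the port separator), that a missing port means the proxy default, and the usual 15-character NetBIOS name limit; the sample field values are constructed.

```python
"""Validator for a Content Gateway "Domain Controller Hostnames" field value.

Added example (not Forcepoint code). Parses each comma-separated item in the
documented  host_name[:port][%netbios_name]  /  IP_address[:port][%netbios_name]
form and reports the combinations the AD 2008 note says will not work.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# DNS hostname label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")
SMB_PORT = 445  # the port the AD 2008 note names as the alternative to %netbios_name


@dataclass
class DomainController:
    host: str
    port: Optional[int]          # None: port not given, proxy default applies (assumption)
    netbios_name: Optional[str]  # None when the %netbios_name suffix is absent
    is_ip: bool                  # True when host is a literal IPv4 address


def _is_ipv4(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def parse_dc_entry(entry: str) -> DomainController:
    """Parse one domain controller entry; raise ValueError on malformed input."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty domain controller entry")

    # The %netbios_name suffix is last in the format, so split it off first.
    host_port, has_netbios, netbios = entry.partition("%")
    netbios_name = None
    if has_netbios:
        # NetBIOS names are at most 15 characters and contain no whitespace.
        if not netbios or len(netbios) > 15 or re.search(r"\s", netbios):
            raise ValueError(f"invalid netbios_name in {entry!r}")
        netbios_name = netbios

    # Assumption: IPv4 literals only, so the first ':' always starts the port.
    host, has_port, port_str = host_port.partition(":")
    port = None
    if has_port:
        if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
            raise ValueError(f"invalid port in {entry!r}")
        port = int(port_str)

    # WINS is not supported: a non-IP host must at least be a syntactically valid DNS name.
    is_ip = _is_ipv4(host)
    if not is_ip and not _HOSTNAME_RE.match(host):
        raise ValueError(f"invalid host name or IPv4 address in {entry!r}")

    return DomainController(host=host, port=port, netbios_name=netbios_name, is_ip=is_ip)


def ad2008_warnings(dc: DomainController) -> List[str]:
    """Problems the Active Directory 2008 note predicts for one entry."""
    warnings = []
    if dc.netbios_name is None and dc.port != SMB_PORT:
        warnings.append(
            f"{dc.host}: with AD 2008 include a %netbios_name or use port {SMB_PORT}; "
            "otherwise Windows Network File Sharing must be running on the DC"
        )
    return warnings


def parse_dc_list(field: str, ad2008: bool = False) -> List[DomainController]:
    """Parse the whole field value: the primary DC first, then any backups."""
    items = [item for item in field.split(",") if item.strip()]
    if not items:
        raise ValueError("at least the primary domain controller is required")
    dcs = [parse_dc_entry(item) for item in items]
    if ad2008:
        problems = [w for dc in dcs for w in ad2008_warnings(dc)]
        if problems:
            raise ValueError("; ".join(problems))
    return dcs


if __name__ == "__main__":
    # Constructed sample: a primary on the SMB port and a backup given by IP and NetBIOS name.
    for dc in parse_dc_list("dc1.corp.example.com:445, 10.0.0.5%CORP", ad2008=True):
        print(dc)
```

Run the field value through parse_dc_list with ad2008=True before pasting it into the Legacy NTLM page; an entry such as dc2.corp.example.com:139 with no netbios_name is reported rather than discovered later as authentication failures against the domain controller.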

Copyright 2020 Forcepoint. All rights reserved.