  1. #1

    Smoothwall School Guardian NTLM Authentication woes

    I'm involved in the backend of a high school IT network, and we have recently deployed Smoothwall School Guardian to our network, and are now getting live usage by staff and students. We opted to use NTLM Authentication along with Active Directory integration as it appeared to be the less intrusive option for general usage on Windows clients. While NTLM is working very well for browsing all around, we are having trouble when it comes to applications that do not support NTLM (GotoAssist in this case, something heavily used in the support of our new MIS).

    We have a number of solutions to get around them, but none of them are overly attractive:

    * Give the user the ability to directly connect through smoothwall to get at the CachePilot proxy and manually change proxy settings when needed.

    * Attempt to add the relevant domains to the "Do not allow authentication for these domains" list (this is currently being tested, but has the potential for security problems).

    * Use something such as ProxyCap to NTLM-enable the application. Would cost £20/license and would be troublesome to get an invoice for.

    As I understand, NTLM requires authentication for each request (but remembers the user logged in at the IP for firewall rules). SSL login seems to remember the IP/user association for the proxy as well, however cannot be used at the same time as NTLM - and we're keen not to give up the transparency that NTLM offers. A client that runs silently and authenticates users with say Kerberos and maintains a connection to the Smoothwall box to identify the user/IP association seems like it would be very useful as an authentication mechanism.

    Does anyone else have any experience with the NTLM authentication with Smoothwall? Are there any known alternatives to the solutions I've mentioned above?

    Best wishes,

    Karl

  2. #2

    I've used School Guardian with NTLM for a few years now and it does have issues. One of the things they suggested was to use NTLM Identification (Terminal Services compatibility mode) but there are still issues.

    Any video site that uses media player has issues, most radio stations also, so I created a local user manually in the authentication bit and gave out the username and password to staff.

    Only problem is that one member of staff who I like uses it to listen to the radio a lot and now every site she visits shows up as that username... even when she logs off.

    Agree 100% with the Kerberos and the dual authentication statements... it would be very very useful if they got it working.

    One other thing: Firefox and Chrome are a bigger pain than IE, Firefox won't even go onto Facebook for me.

  3. #3

    john
    I use NTLM Identification and that seems fine for us, a few sites such as iPlayer and 4OD are a bit glitchy tbh but it's nothing that the "do not authenticate" list cannot solve.

    I'm sure if you contact the support team at Smoothwall they will happily look into it and work with you to resolve it as they are a very good bunch of people.

  4. #4

    tom_newton
    Try "do not authenticate for" (it's in guardian/authentication/settings) for the upstream sites in question. That *should* sort it.

  5. #5

    Thank you for your responses. Regrettably, the domains that GotoAssist uses aren't plainly obvious, and as such I didn't get far using the domain exception list. However I did discover the exception list/port 801 which is ideal for servers and cases like this (though obviously this raises a security concern for the workstations in question). GotoAssist works fine using port 801 without causing any fuss for the user or IT staff. Using ProxyCap with NTLM for GotoAssist resulted in the regular proxy returning error 403 (on ports 80 and 443, for a user with unfiltered access) which suggests that Smoothwall filtering doesn't like this particular application creating a non-HTTP connection.
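
An added example, not part of the original posts and not Smoothwall code: one way to find which upstream hosts an NTLM-unaware application is trying to reach, so that a "do not authenticate" exception can be scoped to those hosts rather than opening unauthenticated access for whole workstations. It assumes the proxy log can be exported in Squid's native access.log layout; the log lines, hostnames and the function names `host_of` and `unauthenticated_hosts` are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, Squid native access.log layout (an assumption):
# time elapsed client action/status bytes method target user peer type
SAMPLE_LOG = """\
1251800000.101 12 10.0.0.21 TCP_DENIED/407 1789 GET http://www.example.org/ - NONE/- text/html
1251800000.350 88 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.org/ jsmith DIRECT/192.0.2.10 text/html
1251800004.007 9 10.0.0.21 TCP_DENIED/407 1801 CONNECT broker.remote-support.example:443 - NONE/- text/html
1251800009.011 8 10.0.0.21 TCP_DENIED/407 1801 CONNECT broker.remote-support.example:443 - NONE/- text/html
1251800014.015 9 10.0.0.21 TCP_DENIED/407 1801 CONNECT broker.remote-support.example:443 - NONE/- text/html
1251800020.500 7 10.0.0.34 TCP_DENIED/407 1795 CONNECT updates.vendor.example:443 - NONE/- text/html
1251800021.100 11 10.0.0.34 TCP_DENIED/407 1789 GET http://www.example.org/news - NONE/- text/html
1251800021.420 64 10.0.0.34 TCP_MISS/200 7340 GET http://www.example.org/news akhan DIRECT/192.0.2.10 text/html
"""

def host_of(method, target):
    """Return the lower-cased host from a CONNECT host:port or an absolute URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def unauthenticated_hosts(log_text, min_denials=2):
    """Map host -> clients that were challenged (407) but never authenticated.

    A browser answers the 407 challenge, so its hosts also appear with a
    username and drop out. An application that cannot do NTLM just retries,
    leaving repeated 407s with no authenticated request for that host.
    """
    denied = defaultdict(int)   # (client, host) -> count of 407 challenges
    authed = set()              # (client, host) pairs seen with a username
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue            # skip truncated or malformed lines
        client, status, method, target, user = (
            fields[2], fields[3], fields[5], fields[6], fields[7])
        key = (client, host_of(method, target))
        if user != "-":
            authed.add(key)
        elif status.endswith("/407"):
            denied[key] += 1
    result = defaultdict(set)
    for (client, host), count in denied.items():
        if (client, host) not in authed and count >= min_denials:
            result[host].add(client)
    return {host: sorted(clients) for host, clients in sorted(result.items())}

if __name__ == "__main__":
    for host, clients in unauthenticated_hosts(SAMPLE_LOG).items():
        print(host, clients)
```

Review each reported host before adding it to an exception list, since every exception is traffic that is no longer tied to a user account.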
