Smoothwall School Guardian NTLM Authentication woes
I'm involved in the backend of a high school IT network, and we have recently deployed Smoothwall School Guardian to our network, and are now getting live usage by staff and students. We opted to use NTLM Authentication along with Active Directory integration as it appeared to be the less intrusive option for general usage on Windows clients. While NTLM is working very well for browsing all around, we are having trouble when it comes to applications that do not support NTLM (GotoAssist in this case, something heavily used in the support of our new MIS).
We have a number of solutions to get around them, but none of them are overly attractive:
* Give the user the ability to directly connect through smoothwall to get at the CachePilot proxy and manually change proxy settings when needed.
* Attempt to add the relevant domains to the "Do not allow authentication for these domains" list (this is currently being tested, but has the potential for security problems).
* Use something such as ProxyCap to NTLM-enable the application. Would cost £20/license and would be troublesome to get an invoice for.
As I understand it, NTLM requires authentication for each request (but remembers the user logged in at the IP for firewall rules). SSL login seems to remember the IP/user association for the proxy as well, however it cannot be used at the same time as NTLM - and we're keen not to give up the transparency that NTLM offers. A client that runs silently and authenticates users with, say, Kerberos and maintains a connection to the smoothwall box to identify the user/IP association seems like it would be very useful as an authentication mechanism.
Does anyone else have any experience with NTLM authentication with smoothwall? Are there any known alternatives to the solutions I've mentioned above?
I've used Schoolguardian with NTLM for a few years now and it does have issues. One of the things they suggested was to use NTLM Identification (Terminal Services compatibility mode) but there are still issues.
Any video site that uses Media Player has issues, as do most radio stations, so I created a local user manually in the authentication bit and gave out the username and password to staff.
Only problem is that one member of staff who I like uses it to listen to the radio a lot and now every site she visits shows up as that username...even when she logs off.
Agree 100% with the kerberos and the dual authentication statements... it would be very very useful if they got it working.
One other thing.. Firefox and Chrome are a bigger pain than IE, Firefox won't even go onto Facebook for me.
Thank you for your responses. Regrettably the domains that GotoAssist uses aren't plainly obvious, and as such I didn't get far using the domain exception list. However I did discover the exception list/port 801, which is ideal for servers and cases like this (though obviously this raises a security concern for the workstations in question). GotoAssist works fine using port 801 without causing any fuss for the user or IT staff. Using ProxyCap with NTLM for GotoAssist resulted in the regular proxy returning error 403 (on ports 80 and 443, for a user with unfiltered access), which suggests that Smoothwall filtering doesn't like this particular application creating a non-HTTP connection.
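The first option in the opening post (pointing the client at the unauthenticated proxy and changing proxy settings by hand) and the port 801 exception port from the last post can be combined without any manual switching by handing workstations a proxy auto-config (PAC) script. The script below is an added example written for this page; it is not from any poster or from Smoothwall. It assumes a proxy reachable as proxy.school.internal, an NTLM-authenticated listener on port 800 and the exception port 801 mentioned above; the hostnames in the allow-list are placeholders, since the thread never identified the real GotoAssist domains.

```javascript
// Added example, not code from the thread. PAC script that sends only an
// explicit allow-list of hosts to the unauthenticated exception port and
// everything else through the NTLM-authenticated port. Only FindProxyForURL
// is required by PAC engines; the helpers below use plain string operations so
// the file also runs unchanged outside a browser for testing.

// Assumed values: the thread gives port 801 but not the proxy name or the
// authenticated port.
var PROXY_HOST = "proxy.school.internal";
var NTLM_PROXY = "PROXY " + PROXY_HOST + ":800";
var EXCEPTION_PROXY = "PROXY " + PROXY_HOST + ":801";

// Placeholder hosts (hypothetical; the real GotoAssist names are not known).
// A leading dot matches the apex name and every subdomain beneath it.
var UNAUTH_HOSTS = [".gotoassist.example", "support-tool.example"];

function hostMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.charAt(0) === ".") {
    var apex = pattern.slice(1);
    return host === apex || host.slice(-pattern.length) === pattern;
  }
  return host === pattern; // exact hostname only
}

function isInternal(host) {
  // Single-label intranet names, loopback and RFC 1918 addresses bypass
  // the proxy entirely.
  return host === "localhost" ||
    host.indexOf(".") === -1 ||
    /^127\./.test(host) ||
    /^10\./.test(host) ||
    /^192\.168\./.test(host) ||
    /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host);
}

function FindProxyForURL(url, host) {
  if (isInternal(host)) {
    return "DIRECT";
  }
  for (var i = 0; i < UNAUTH_HOSTS.length; i++) {
    if (hostMatches(host, UNAUTH_HOSTS[i])) {
      // Exception port first; if it is unreachable the browser falls back to
      // the NTLM port, which is fine for a browser but not for an app that
      // cannot answer the NTLM challenge.
      return EXCEPTION_PROXY + "; " + NTLM_PROXY;
    }
  }
  return NTLM_PROXY; // default: everything else is authenticated
}
```

Two things to keep in mind. The allow-list has to be by hostname, so it only helps once the application's hosts are actually known; an exact-match entry is safer than a dotted suffix, because the suffix also admits any new subdomain the vendor adds. And the PAC is convenience, not enforcement: the concern raised above about port 801 on workstations stands, since a user who can reach that port can point any program at it by hand, so which source addresses may reach 801 should be decided by the firewall rather than by the proxy settings handed out.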