  1. #1
    lmgtfy's Avatar

    Smoothwall School Guardian NTLM Issues

    We have Smoothwall School Guardian and I have a couple of issues that I was wondering how other people using the product are getting around.

    1. We use NTLM authentication as our primary and only authentication method, which works well for HTTP access of websites. However, we are finding that if a user receives a link in an email which is HTTPS, when the user clicks the link they get a “page cannot be displayed” error as they are not logged into the proxy. This seems to be because NTLM only allows HTTP requests as their first page. I tell them to open up Google or something similar first, and once they are logged in they don’t have that issue, but telling 2500 people the same thing day in, day out is not fun. Is there a known workaround for this?

    2. Also, a related issue with HTTPS websites: if they take longer than the log out time (currently 10 minutes) to complete a form, for example, when they click submit all their work is lost as they are logged out and get another “page cannot be displayed” error. This annoys them greatly when I tell them to open up Google and then go on their HTTPS form and fill it out in less than 10 minutes. If I increase the log out time, this then means that if they access the Internet, log off the machine and a new user logs in, they get the last person’s access levels for that period of time. Not good.

    If anyone has any suggestions on how to improve or solve these issues I would be very grateful.

    Thanks

    Chris

  2. #2


    tom_newton's Avatar
    #1 can probably only be solved by turning on HTTPS MITM. #2 sounds bug-ish.
    Do fire me an email about this and I will take it up with Dev when I am not in Denver, or half-cut (I am both, presently!)

  3. #3
    lmgtfy's Avatar
    Hi Tom,

    I sent you an email regarding the issues last week, but from speaking to someone in support at Smoothwall today I don’t know if it is possible to sort this out. From what they were saying, it is a timeout issue which would only be sorted out by increasing the timeout of a user, but then my biggest issue with this is getting the wrong privileges when someone else logs on.

    Do you know of any authentication or identification method that does not prompt the user to log on, will record their Windows domain login username, will work with all HTTP / HTTPS websites without any time issues or timeout periods, and ideally would allow an HTTPS website to be their first page?

    These issues are making me seriously consider moving away from Smoothwall and taking back up a product such as Inty, which had a client on the local machine and with which we had no browsing issues. With more and more websites using HTTPS as their main page, i.e. job sites and university applications where people need to spend time filling out forms, this is causing us serious headaches, and without putting in proxy exceptions for each site I do not know how we can solve this issue.

    Thanks again

    Chris

  4. #4


    SW supports Ident (which is probably what Inty used), but it's not secure and is easy to spoof.

  5. #5
    lmgtfy's Avatar
    Hi Pete,

    I was thinking about using Ident, but from the sounds of it, the person I spoke to today said that this would have the same issues with the timeout period. Do you know if this is the case?

    Thanks

  6. #6

    rob_f's Avatar
    Don't suppose you've got transparent filtering enabled, have you (Guardian > Proxy > Web Proxy, towards the top)? If you're filtering explicitly (i.e. setting browser proxy settings), try turning transparent off; it may help you out, as NTLM is performed a little bit differently.

  7. #7


    tom_newton's Avatar
    Chris - sorry for not getting back to you - Denver has really knocked me for 6. Still catching up with emails and stuff. Try RF's suggestion, and I'll try and fit in a word with a few people about it, see what I can find over the next few days.

  8. #8
    lmgtfy's Avatar
    Thanks Rob, this option worked a treat; I really wish I had found this out earlier. I turned transparency off last night and tested out both of my above issues, and both work amazingly well now. HTTPS can be used as the first page and there are no timeout issues or wrong person authentication. WOW!

    I have had to turn it back on for the moment as we have a third interface installed within Smoothwall for our wireless system, which relies on the SSL Login redirect port option if NTLM is not available, i.e. a laptop is off the domain, but this only works with transparency turned on. I am now going to look into using dual authentication with transparency turned off and using Smoothwall DHCP to give an automatic proxy config URL for the laptops. I hope this will work. Has anyone tried this before?

    Thanks again

    Chris

  9. #9

    rob_f's Avatar
    Excellent - the thing is that in transparent mode the Smoothie has to be a bit more "aggressive" with how it checks people's credentials, which, although it shouldn't cause issues like this (we'll still look into it), can change NTLM's behaviour a little.

    Auto proxy config with laptops should be fine, you might want to set "wpad.yourdomain.local" in your local DNS to be the smoothie's IP as some browsers will use this to find the proxy... this may also rely on DHCP passing "yourdomain.local" as a DNS search suffix.

    New filtering engine due out late this summer should allow you to do transparency per-interface, as well as generally tweaking the whole NTLM process, so look forward to that! (I am :-) )

  10. #10
    lmgtfy's Avatar
    Thanks for your help, it's been great. I will try playing around with different authentication types together tonight and see what works. I remember last time, when setting up NTLM authentication on the second port, that you had to have the transparency option ticked, but as you say there is an update coming out where you can turn this off on certain ports. That would be amazing and I might just wait.

    Thanks again

  11. #11


    tom_newton's Avatar
    Yeah, you need transparent ticked to do NTLM in multiport auth, but that will change soon, when we don't have to do different auth types in different places.

    Thinking about #2. I now realise why it does this - it is an artefact of how transparent NTLM login works - it needs to slip in a page redirect, which it can't in HTTPS, so if your last request was HTTPS, then you'd already be eating into your cached login time. Opening another (HTTP) page during your form filling should help. Turning on HTTPS interception might cause a re-auth when they submit the form, and so solve the problem entirely, but I don't know for sure.

    They're both the same issue. Why it took me so long to work this out I will never know.

    (And this issue WILL be fixed for non-transparent NTLM users who wish to do multi-port in the next guardian release, as "normal" NTLM re-auths with the proxy on both HTTPS and HTTP connections)
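
The behaviour described in this thread, as a simplified model (an added example, not part of the original posts and not Smoothwall code). It assumes the transparent-mode login cache is keyed by client IP and expires a fixed time after the last NTLM authentication; the class names, client address and timelines are constructed.

```python
# Simplified model of the behaviour described in this thread; not Smoothwall code.
# Assumed: the transparent login cache is keyed by client IP and expires a fixed
# time after the last NTLM authentication.
from dataclasses import dataclass, field

BLOCKED = None  # stands for the "page cannot be displayed" error

@dataclass
class TransparentProxy:
    timeout: int = 600                          # the 10-minute log-out time
    cache: dict = field(default_factory=dict)   # client IP -> (user, auth time)

    def request(self, ip, desktop_user, scheme, now):
        user, since = self.cache.get(ip, (None, None))
        if user is not None and now - since < self.timeout:
            return user                  # fresh entry: cached identity is reused
        if scheme == "https":
            return BLOCKED               # no redirect can be slipped into HTTPS
        self.cache[ip] = (desktop_user, now)    # HTTP: redirect, NTLM, cache
        return desktop_user

class ExplicitProxy:
    """Browser is configured to use the proxy; NTLM runs on HTTP and HTTPS."""
    def request(self, ip, desktop_user, scheme, now):
        return desktop_user

def run(proxy, events):
    """Replay (time, ip, desktop_user, scheme) tuples; return the user the
    proxy attributes each request to."""
    return [proxy.request(ip, who, scheme, t) for t, ip, who, scheme in events]

PC = "10.0.0.21"  # constructed client address
# Constructed timeline: HTTPS link first, then a slow HTTPS form.
FORM = [(0, PC, "alice", "https"), (5, PC, "alice", "http"),
        (60, PC, "alice", "https"), (660, PC, "alice", "https")]
# Constructed timeline: alice logs off, bob logs on to the same PC.
HANDOVER = [(0, PC, "alice", "http"), (900, PC, "bob", "http"),
            (920, PC, "bob", "https")]

if __name__ == "__main__":
    print("transparent, 10 min:", run(TransparentProxy(), FORM))
    print("transparent, 60 min:", run(TransparentProxy(3600), HANDOVER))
    print("explicit:           ", run(ExplicitProxy(), FORM + HANDOVER))
```

In this model a longer timeout trades the lost form submission for requests logged and filtered under the previous user's identity, which is the trade-off raised in post #1; authenticating each connection removes both.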

  12. #12
    lmgtfy's Avatar
    Thanks for the info, Tom. Did you say the next Guardian release is due in the summer of this year, or is it too early for time scales? I am just thinking about what setup to use for the new school year in September. Thanks again.

  13. #13


    tom_newton's Avatar
    Chris - more like autumn half term. Certainly a bit too late to get it in and tested for mid-September, I would have thought.

  14. #14
    lmgtfy's Avatar

    For attention of Tom Newton

    Any news on when the update mentioned above is going to be available?

    Cheers

  15. #15


    tom_newton's Avatar
    Still in test, unfortunately. Few unforeseen issues. Should be out in January - we'll be showing it at BETT if you're there.


