29th June 2010, 11:26 AM #1
Smoothwall School Guardian NTLM Issues
We have smoothwall School Guardian and I have a couple of issues that I was wondering how other people using the product are getting around.
1. We use NTLM authentication as our primary and only authentication method, which works well for HTTP access to websites. However, we are finding that if a user receives a link in an email which is HTTPS, when the user clicks the link they get a “page cannot be displayed” error as they are not logged into the proxy. This seems to be because NTLM only allows HTTP requests as the first page. I tell them to open up Google or something similar first, and once they are logged in they don’t have that issue, but telling 2500 people the same thing day in, day out is not fun. Is there a known workaround for this?
2. Also, a related issue with HTTPS websites: if they are taking longer than the logout time (currently 10 minutes) to complete a form, for example, when they click submit all their work is lost, as they are logged out and get another “page cannot be displayed” error. This annoys them greatly when I tell them to open up Google and then go to their HTTPS form and fill it out in less than 10 minutes. If I increase the logout time, this then means that if they access the Internet, log off the machine and a new user logs in, the new user gets the last person's access levels for that period of time. Not good.
If anyone has any suggestions on how to improve or solve these issues I would be very grateful.
30th June 2010, 08:18 AM #2
#1 can probably only be solved by turning on HTTPS MITM. #2 sounds bug-ish.
Do fire me an email about this and I will take it up with Dev when I am not in Denver, or half-cut (I am both, presently!)
5th July 2010, 03:33 PM #3
I sent you an email regarding the issues last week, but from speaking to someone in support at Smoothwall today I don’t know if it is possible to sort this out. From what they were saying, it is a timeout issue which would only be sorted out by increasing the timeout of a user, but then my biggest issue with this is getting the wrong privileges when someone else logs on.
Do you know of any authentication or identification method that does not prompt the user to log on, will record their Windows domain login username, will work with all HTTP / HTTPS websites without any time issues or timeout periods, and ideally would allow an HTTPS website to be their first page?
These issues are making me seriously consider moving away from Smoothwall and taking up again a product such as Inty, which had a client on the local machine and with which we had no browsing issues. With more and more websites using HTTPS as their main page, e.g. job sites and university applications where people need to spend time filling out forms, this is causing us serious headaches, and without putting in proxy exceptions for each site I do not know how we can solve this issue.
5th July 2010, 03:45 PM #4
SW supports Ident (which is probably what Inty used), but it's not secure and easy to spoof.
5th July 2010, 03:48 PM #5
I was thinking about using Ident, but from the sounds of it, the person I spoke to today said that this would have the same issues with the timeout period. Do you know if this is the case?
5th July 2010, 05:54 PM #6
Don't suppose you've got transparent filtering enabled, have you (Guardian > Proxy > Web Proxy, towards the top)? If you're filtering explicitly (i.e. setting browser proxy settings), try turning transparent off; it may help you out, as NTLM is performed a little bit differently.
5th July 2010, 08:06 PM #7
Chris - sorry for not getting back to you - Denver has really knocked me for 6. Still catching up with emails and stuff. Try RF's suggestion, and i'll try and fit in a word with a few people about it, see what I can find over the next few days.
6th July 2010, 10:02 AM #8
Thanks Rob, this option worked a treat; I really wish I had found this out earlier. I turned transparency off last night and tested out both of my above issues, and both work amazingly well now. HTTPS can be used as the first page, and there are no timeout issues or wrong-person authentication. WOW!
I have had to turn it back on for the moment, as we have a third interface installed within Smoothwall for our wireless system which relies on the SSL Login redirect port option if NTLM is not available, i.e. a laptop is off the domain, but this only works with the transparency turned on. I am now going to look into using dual authentication with transparency turned off and using Smoothwall DHCP to give an automatic proxy config URL for the laptops. I hope this will work. Has anyone tried this before?
6th July 2010, 10:15 AM #9
Excellent - the thing is that in transparent mode the Smoothie has to be a bit more "aggressive" with how it checks people's credentials, which although it shouldn't cause issues like this (we'll still look into it) can change NTLM's behaviour a little.
Auto proxy config with laptops should be fine, you might want to set "wpad.yourdomain.local" in your local DNS to be the smoothie's IP as some browsers will use this to find the proxy... this may also rely on DHCP passing "yourdomain.local" as a DNS search suffix.
New filtering engine due out late this summer should allow you to do transparency per-interface, as well as generally tweaking the whole NTLM process, so look forward to that! (I am :-) )
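The auto proxy config mentioned in the post above is a PAC (proxy auto-config) file that the browser fetches from the WPAD host and evaluates for every URL. The file below is an added example, not Smoothwall's own wpad.dat; the proxy address 10.0.0.1:800 and the domain yourdomain.local are placeholder assumptions. It sends HTTP and HTTPS alike through the explicit proxy (so the proxy can NTLM-challenge both, which is what avoids the transparent-mode "HTTPS first page" problem) and bypasses the proxy only for plain hostnames, the internal domain and the internal 10/8 range. Browsers provide dnsDomainIs, isPlainHostName and isInNet themselves; the shims included here exist only so the file also runs under Node for testing.

```javascript
// Added example PAC file for explicit (non-transparent) proxying via Smoothwall.
// Assumptions (placeholders, not from the original thread):
//   - the Guardian explicit proxy listens on 10.0.0.1:800
//   - the internal AD domain is yourdomain.local and internal hosts are in 10.0.0.0/8
// Serve this as http://wpad.yourdomain.local/wpad.dat with
// Content-Type: application/x-ns-proxy-autoconfig, and point DHCP option 252
// (or the wpad DNS record) at that URL.

// --- shims: browsers implement these natively; included so the file runs under Node ---
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function ip2long(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

function isInNet(host, pattern, mask) {
  const m = ip2long(mask);
  return (ip2long(host) & m) === (ip2long(pattern) & m);
}
// --- end shims ---

const PROXY = 'PROXY 10.0.0.1:800';
const DIRECT = 'DIRECT';
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Unqualified names (e.g. "intranet") and anything in the internal AD domain
  // never leave the LAN, so they bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, '.yourdomain.local')) {
    return DIRECT;
  }
  // Literal internal IPv4 addresses bypass as well. isInNet would normally resolve
  // a hostname; only pass it dotted quads so the PAC never triggers a DNS lookup.
  if (IPV4.test(host) && isInNet(host, '10.0.0.0', '255.0.0.0')) {
    return DIRECT;
  }
  // Everything else, HTTP and HTTPS alike, goes via the explicit proxy.
  // Deliberately no "; DIRECT" fallback: that would let a client bypass the
  // filter entirely whenever the proxy was unreachable.
  return PROXY;
}
```

Note the deliberate omission of a `; DIRECT` fallback after the proxy entry: with the fallback, a user who can make the proxy unreachable (or who simply waits for a failure) drops to unfiltered direct access, which defeats the point of the filter.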
6th July 2010, 11:01 AM #10
Thanks for your help, it's been great. I will try playing around with different authentication types together tonight and see what works. I remember last time, when setting up NTLM authentication on the second port, that you had to have the transparency option ticked, but as you say there is an update coming out where you can turn this off on certain ports. That would be amazing, and I might just wait.
6th July 2010, 04:50 PM #11
Yeah, you need transparent ticked to do NTLM in multiport auth, but that will change soon, when we don't have to do different auth types in different places.
Thinking about #2. I now realise why it does this - it is an artefact of how transparent NTLM login works - it needs to slip in a page redirect, which it can't in HTTPS, so if your last request was HTTPS, then you'd already be eating into your cached login time. Opening another (HTTP) page during your form filling should help. Turning on HTTPS interception might cause a re-auth when they submit the form, and so solve the problem entirely, but I don't know for sure.
They're both the same issue. Why it took me so long to work this out I will never know
(And this issue WILL be fixed for non-transparent NTLM users who wish to do multi-port in the next guardian release, as "normal" NTLM re-auths with the proxy on both HTTPS and HTTP connections)
6th July 2010, 05:27 PM #12
Thanks for the info Tom. Did you say the next Guardian release is due in the summer of this year, or is it too early for timescales? I am just thinking about what setup to use for the new school year in September. Thanks again.
6th July 2010, 06:03 PM #13
Chris - more like autumn half term. Certainly a bit too late to get it in and tested for mid september I would have thought
7th December 2010, 01:22 PM #14
For the attention of Tom Newton:
Any news on when the update mentioned above is going to be available?
7th December 2010, 01:24 PM #15
Still in test, unfortunately. A few unforeseen issues. Should be out in January - we'll be showing it at BETT if you're there.