Smoothwall School Guardian NTLM Authentication woes
I'm involved in the backend of a high school IT network, and we have recently deployed Smoothwall School Guardian to our network, and are now getting live usage by staff and students. We opted to use NTLM Authentication along with Active Directory integration as it appeared to be the less intrusive option for general usage on Windows clients. While NTLM is working very well for browsing all around, we are having trouble when it comes to applications that do not support NTLM (GotoAssist in this case, something heavily used in the support of our new MIS).
We have a number of solutions to get around them, but none of them are overly attractive:
* Give the user the ability to directly connect through Smoothwall to get at the CachePilot proxy and manually change proxy settings when needed.
* Attempt to add the relevant domains to the "Do not allow authentication for these domains" list (this is currently being tested, but has the potential for security problems).
* Use something such as ProxyCap to NTLM-enable the application. Would cost £20/license and would be troublesome to get an invoice for.
As I understand, NTLM requires authentication for each request (but remembers the user logged in at the IP for firewall rules). SSL login seems to remember the IP/user association for the proxy as well, however it cannot be used at the same time as NTLM - and we're keen not to give up the transparency that NTLM offers. A client that runs silently and authenticates users with, say, Kerberos and maintains a connection to the Smoothwall box to identify the user/IP association seems like it would be very useful as an authentication mechanism.
Does anyone else have any experience with the NTLM authentication with Smoothwall? Are there any known alternatives to the solutions I've mentioned above?
Best wishes,
Karl