Forum Discussion
APM Explicit Proxy iApp and User Auth
Dear all,
we are using Brett Smith's explicit proxy iApp and are trying to implement
some sort of user authentication to control internet access.
For instance applying such a profile
does not work, the client's browser (IE) is directed immediately to the logout page
WITHOUT showing us the Message Box.
Any hints or ideas are welcome!
THX, Rainer
10 Replies
- Arnaud_Lemaire
Employee
Hello, possible explanation: you never ask for NTLM authentication, thus when you check the authentication it's failing? I think you should have at least a 401 authentication to prompt end user authentication, and an ECA profile attached to the virtual and associated NTLM config in APM.
- xunil321_122934
Nimbostratus
Arnaud,
 
you are saying to follow Kevin's excellent guide, isn't it:
https://devcentral.f5.com/s/articles/configuring-apm-client-side-ntlm-authentication 
By the way, why is this profile not working: 
Start ---fallback--- Message Box ---fallback--- Deny 
At least I would expect to see the content of the Message Box, which we don't.
- Arnaud_Lemaire
Employee
Could you output /var/log/apm to see any error?
- xunil321_122934
Nimbostratus
Sorry,
I mean this profile:
Start ---fallback--- Message Box ---fallback--- ALLOW
We see the logout page and no message box output in /var/log/apm
- Arnaud_Lemaire
Employee
And to respond to your question: NTLM auth is a bit tricky, it's running "before" policy evaluation; in case of failure you're dropped without going through the VPE.
- xunil321_122934
Nimbostratus
Now I'm totally confused since we have only applied this VPE
Start ---fallback--- Message Box ---fallback--- ALLOW
There is no NTLM auth defined, nevertheless we see the logout page
and no message box output in /var/log/apm
Strange, isn't it?
- Arnaud_Lemaire
Employee
If you set up the NTLM configuration as in Kevin's guide, with the ECA profile and iRule, it should trigger authentication on the client side. Can you see the NTLM exchange on a pcap or via the browser dev tools?
- xunil321_122934
Nimbostratus
What we did at the moment is this:
 
1. Installation of the APM Explicit Proxy iApp 
https://devcentral.f5.com/s/articles/apm-explicit-proxy 
2. Applying this simple profile 
 
3. Nothing else 
At least I would expect to see the content of the Message Box, which we don't.
We are directed immediately to the logout page. Why?
I would have a good look if you configured it all correctly, connected the right access policy, applied the policy, things like that.
Which version, btw?
- xunil321_122934
Nimbostratus
Aah, now I got it after reading the manual chapter "Explicit Forward proxy".
The iApp mentioned above is creating a tunnel where another virtual server
can be defined to listen on the tunnel for the requested outbound connection
and the system processes the outbound traffic before it leaves the device.
For my further understanding: why is a tunnel established by the explicit proxy?
I mean, where is this tunnel, in the BIG-IP or between BIG-IP and the client or ....
Many thanks for any explanation!
Rainer