Forum Discussion
Explicit proxy and client NTLM
Hi,
Unfortunately I can't make it work. I have all machine and NTLM Auth configured - seems to be working for me. Machine account created, NTLM Auth Configuration with correct data. When it's updated I can see in Wireshark communication with the AD server that looks like successful verification of the account configured as the machine account.
I have explicit proxy VSs configured - they are working OK when Access Profile with Basic authentication is used.
When an Access Profile that should use NTLM is assigned to those VSs I have no luck in accessing any page. Looking at the HTTP communication on the client computer (user logged in to the domain) there are two 407 responses; the transaction looks like this:
- first GET for external site
- HTTP/1.1 407 Proxy Authentication Required
- GET with NTLMSSP_CHALLENGE
- HTTP/1.1 407 Proxy Authentication Required
- GET with NTLMSSP_AUTH, User: TEST\user - it's the same as user logged into computer
- HTTP/1.0 302 Found, Server: BigIP, Location: /my.logout.php3?errorcode=22
I can't see any trace of the user session in Manage Sessions, and there are no entries in the Access Policy >> Event Logs >> Access System Logs All Session report (the logging profile has debug set for all categories in Access System Logs). I am not sure if the same messages are logged in /var/log/apm - nothing there as well. In Wireshark on the AD I can see a DCERPC request and response - but I don't know the NTLM protocol well enough to figure out if it's a success or not.
My Access Profile is set to:
- Profile Type: SWG-Explicit
- User Identification Method: tried both IP and Credentials
- NTLM Auth Configuration: my configuration
Access Policy looks like on screen:
I tried one with HTTP 407 Response set to negotiate, and NTLM Auth Result attached to negotiate branch.
On the client side http exchange seems to be identical no matter what options I use.
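As an added example (not part of the original post and not F5 code), a small Python decoder for the NTLM tokens carried in the Proxy-Authenticate and Proxy-Authorization headers of an exchange like the one above: it reports the message type and, for the final message, the domain, user and workstation the client sent. The function names and the sample token are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise

def read_field(msg, pos, flags):
    """Follow a (Len, MaxLen, BufferOffset) descriptor and decode the string."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return msg[offset:offset + length].decode(codec, errors="replace")

def parse_ntlm_header(value):
    """Decode the value of a Proxy-Authenticate / Proxy-Authorization header."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not token.strip():
        return {"type": "NO_TOKEN"}  # bare "NTLM": the proxy's initial offer
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 2 and len(msg) >= 32:
        flags = struct.unpack_from("<I", msg, 20)[0]
        info["target"] = read_field(msg, 12, flags)
        info["server_challenge"] = msg[24:32].hex()
    elif mtype == 3 and len(msg) >= 64:
        flags = struct.unpack_from("<I", msg, 60)[0]
        for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[name] = read_field(msg, pos, flags)
    return info

def sample_type3(domain, user, host):
    """Constructed AUTHENTICATE token with empty responses, for the demo only."""
    parts = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    header, payload, off = b"", b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), off)
        payload += p
        off += len(p)
    msg = SIGNATURE + struct.pack("<I", 3) + header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(parse_ntlm_header(sample_type3("TEST", "user", "CLIENT01")))
```

Feeding it each header value copied from a capture shows which of the three NTLM messages a request or 407 response actually carries.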