AceDawg1
Nov 21, 2016

F5 as Transparent HTTP Proxy + NTLM Auth

Good day F5 Gurus!

I've got a setup using the F5 as a transparent HTTP forward proxy. The client requirements include obtaining logon creds without prompting the user for authentication. I was able to get this working using APM (https://devcentral.f5.com/articles/configuring-apm-client-side-ntlm-authentication) but this works only with Intranet sites -- users are prompted for creds when accessing Internet sites. I'd like to transparently obtain user creds using the F5 as a transparent forward proxy when said users go to the Internet.

Thank you!

8 Replies

  • What is your end goal? Just to authenticate users via NTLM before they go out to the Internet? Do you have URL filtering requirements as well?

  • That's not really how proxy authentication works. Consider the two general types of outbound proxy modes:

    1. Explicit - where the client knows about the proxy, and the browser can perform authentication directly to the proxy

    2. Transparent - where the client does not know about the proxy

    You're running a transparent proxy configuration, in which case the client doesn't know there's a proxy, but is still getting a 401 authorization request for all resources. That explains why internal resources are silently fulfilled via NTLM and external resources are not. The local domain wouldn't be able to NTLM auth to Google. If the proxy was explicit, the browser would handle that in a separate 407-based auth mechanism.

    To do authentication with a transparent proxy, you have to redirect the client to some authentication service. Most proxy vendors call this a "virtual URL" or "URL redirect", but F5 calls it a captive portal. On first request, the client will attempt to traverse the proxy, but either won't have a cookie, or the proxy won't have the client's IP mapped to a valid authenticated session, so the proxy will redirect the client to another site. That site will be set up to perform some type of authentication, which could be 401-based (NTLM, Kerberos, Basic), could be SAML, PKI, 2FA, whatever. Once successfully authenticated, the proxy either stores and maps the client's IP to an authentication session, or sends the client back through the proxy with the pieces needed to create a cookie for the requested site.

    You can also optionally use the IFMAP "DC agent" option with transparent proxy. It relies on the domain controller to tell you who logged in with a given IP address, so it's less authentication and more identification (and not always reliable).
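The two proxy modes and the captive-portal flow described in the reply above, as an added Python example that is not part of the thread or of F5's own code: an explicit proxy challenges with 407, while a transparent proxy cannot use 401 and instead redirects unidentified clients to a portal, then identifies them by IP map or session cookie. The portal URL, cookie name, in-memory session maps and the acceptance of any Proxy-Authorization value are assumptions for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import quote
import secrets

PORTAL = "https://auth.example.internal/login"   # assumed captive-portal URL
SESSION_COOKIE = "proxy_session"                 # assumed cookie name

@dataclass
class Request:
    client_ip: str
    url: str
    headers: dict = field(default_factory=dict)
@dataclass
class ProxyState:
    mode: str                                     # "explicit" or "transparent"
    ip_sessions: dict = field(default_factory=dict)      # client IP -> user
    cookie_sessions: dict = field(default_factory=dict)  # cookie token -> user

def _session_cookie(req):
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return None

def handle(state, req):
    """Return (status, response headers, identified user) for one request."""
    if state.mode == "explicit":
        # Browser knows the proxy and answers the 407 itself, so intranet and
        # Internet sites behave alike. Credential checking is out of scope here.
        if "Proxy-Authorization" not in req.headers:
            return 407, {"Proxy-Authenticate": "NTLM"}, None
        return 200, {}, "proxy-authenticated"
    # Transparent: a 401 from the proxy looks like it came from the origin, and
    # a domain account cannot NTLM to Google, so identify by IP map or cookie.
    user = state.ip_sessions.get(req.client_ip)
    if user is None:
        user = state.cookie_sessions.get(_session_cookie(req))
    if user is None:   # first request: send to the portal, keeping the target URL
        return 302, {"Location": f"{PORTAL}?return={quote(req.url, safe='')}"}, None
    return 200, {}, user

def complete_login(state, client_ip, user, use_cookie=False):
    # Portal callback after successful auth: map the IP, or issue a session cookie.
    if not use_cookie:
        state.ip_sessions[client_ip] = user
        return {}
    token = secrets.token_urlsafe(16)
    state.cookie_sessions[token] = user
    return {"Set-Cookie": f"{SESSION_COOKIE}={token}; Secure; HttpOnly"}
```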