For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AceDawg1's avatar
AceDawg1
Icon for Nimbostratus rankNimbostratus
Nov 21, 2016

F5 as Transparent HTTP Proxy + NTLM Auth

Good day F5 Gurus!   I've got a setup using the F5 as a transparent HTTP forward proxy. The client requirements include obtaining logon creds without prompting the user for authentication. I was a...
BIG-IP Access Policy Manager (APM)
iRules
security
Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus
Nov 21, 2016

What is your end goal? Just to authenticate users via NTLM before they go out to the Internet? Do you have URL filtering requirements as well?

 

  • AceDawg1's avatar
    AceDawg1
    Icon for Nimbostratus rankNimbostratus
    Nov 21, 2016

    Hi Michael,

     

    The end goal is to simply auth users via NTLM before they go out to the Internet. There's a Palo Alto performing URL filtering, virus scanning, etc. If not, I would have looked at implementing SWG.

     

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Nov 21, 2016

    In that case, you should setup your policy as Captive Portal per this description:

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-11-5-0/5.html?sr=59055747

     

    Essentially, your actual policy could almost remain the same, but you need to enable Captive Portal on your Access policy. Also, it may be a bit misleading, but also leave session identification as IP address instead of NTLM credentials, as for transparent portal, that is the only option that can work.