Forum Discussion
F5 as Transparent HTTP Proxy + NTLM Auth
That's not really how proxy authentication works. Consider the two general types of outbound proxy modes:
- Explicit - where the client knows about the proxy, and the browser can perform authentication directly to the proxy
- Transparent - where the client does not know about the proxy
You're running a transparent proxy configuration, in which case the client doesn't know there's a proxy, but is still getting a 401 authorization request for all resources. That explains why internal resources are silently fulfilled via NTLM and external resources are not. The local domain wouldn't be able to NTLM auth to Google. If the proxy was explicit, the browser would handle that in a separate 407-based auth mechanism.
To do authentication with a transparent proxy, you have to redirect the client to some authentication service. Most proxy vendors call this a "virtual URL" or "URL redirect", but F5 calls it a captive portal. On first request, the client will attempt to traverse the proxy, but either won't have a cookie, or the proxy won't have the client's IP mapped to a valid authenticated session, so the proxy will redirect the client to another site. That site will be set up to perform some type of authentication, which could be 401-based (NTLM, Kerberos, Basic), could be SAML, PKI, 2FA, whatever. Once successfully authenticated, the proxy either stores and maps the client's IP to an authentication session, or sends the client back through the proxy with the pieces needed to create a cookie for the requested site.
You can also optionally use the IFMAP "DC agent" option with transparent proxy. It relies on the domain controller to tell you who logged in with a given IP address, so it's less authentication and more identification (and not always reliable).
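The redirect-and-map-IP flow described in the answer above, modelled in Python as an added example that is not part of the original post and is not F5 code. The portal URL, session lifetime, and all class and method names are assumptions, and credential validation itself is left to the authentication backend.

```python
import time
from dataclasses import dataclass, field
from urllib.parse import quote

PORTAL_URL = "https://portal.example.internal/login"  # hypothetical captive portal
SESSION_TTL = 300  # seconds; constructed value


@dataclass
class Proxy:
    mode: str  # "explicit" or "transparent"
    sessions: dict = field(default_factory=dict)  # client IP -> (user, expiry)

    def portal_login(self, client_ip, user, now=None):
        """Called once the captive portal has authenticated the user
        (NTLM, Kerberos, SAML, ...); maps the client IP to a session."""
        now = time.time() if now is None else now
        self.sessions[client_ip] = (user, now + SESSION_TTL)

    def handle(self, client_ip, url, proxy_authorization=None, now=None):
        """Return (status, headers) the client sees for one outbound request."""
        now = time.time() if now is None else now
        if self.mode == "explicit":
            # The client knows about the proxy, so the proxy can challenge
            # it directly with 407 instead of an origin-style 401.
            if proxy_authorization is None:
                return 407, {"Proxy-Authenticate": "NTLM"}
            # Assumption: the header was validated by the auth backend.
            return 200, {}
        # Transparent: the client does not know a proxy exists, so the only
        # option is to send it to an authentication service first.
        user, expiry = self.sessions.get(client_ip, (None, 0))
        if user is None or expiry <= now:
            self.sessions.pop(client_ip, None)  # drop expired mapping
            target = f"{PORTAL_URL}?orig={quote(url, safe='')}"
            return 302, {"Location": target}
        return 200, {"X-Authenticated-User": user}


if __name__ == "__main__":
    p = Proxy("transparent")
    print(p.handle("10.0.0.5", "http://www.google.com/"))   # redirect to portal
    p.portal_login("10.0.0.5", "alice")
    print(p.handle("10.0.0.5", "http://www.google.com/"))   # forwarded
```

Because the session is keyed on the client IP alone, every request from that address is attributed to the mapped user until the entry expires.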
