Forum Discussion

Andi_102219's avatar
Andi_102219
Icon for Nimbostratus rankNimbostratus
Apr 14, 2011

Kerberos for web proxy clients

Hi folks,   I want to authenticate my web proxy clients with Kerberos as they are using primarily NTLM and that's producing too much overhead in my network and on the DCs.   All the clients are ...
application delivery
dev
devops
iRules
Andi_102219's avatar
Andi_102219
Icon for Nimbostratus rankNimbostratus
Apr 18, 2011
No I don't use an iRule on the GTM. Here the wideIP and pool from the config of my GTM: 

wideip {
   name         "proxyfarm.gtm-domain.net"
   partition "Common"
   pool         "proxyfarm-global"
}

pool {
   name           "proxyfarm-global"
   ttl            30
   preferred      rtt
   alternate      packet_rate
   fallback       qos
   partition "Common"

   member         ltm-site1:84
   member         ltm-site2:84
}
Same is configured for the proxy pac servers. I have a Wide IP proxyconf.gtm-domain.net which is balancing with the same method to my LTMs.

Here some parts from my LTM config: 

virtual proxy-uba {
   pool proxy-uba
   destination V-IP:84
   ip protocol tcp
   profiles fastL4
   persist source_addr
}
pool proxy-uba {
   lb method least conn
   action on svcdown reselect
   monitor all isa_85
   members
      member1:85
      member2:85
      member3:85
      member4:85
      member5:85
      member6:85
      member7:85
}

virtual proxyconf.gtm-domain.net {
   pool proxyconf
   destination V-IP:http
   ip protocol tcp
}
pool proxyconf {
   lb method least conn
   action on svcdown reselect
   monitor all proxyconf_84
   members
      member1:84
      member2:84
}

Please let me know if you have an idea or need further details.

Maybe there is a chance/way to create an iRule on the LTMs to make Kerberos authentication possible as the clients

are passing the LTMs for fetching the PAC file and getting to the Internet over the proxies.