Monitor Authenticating proxy
I am trying to monitor health on a pair of Clearswift SWG appliances by connecting to external websites.
I have set up an HTTP monitor sending 'get http://www.bbc.co.uk/ http/1.1\r\n\r\n' and if I use a receive string of 407 the monitor works. This suggests the proxy is returning 407 Authentication required as expected.
If I add Username and Password to the monitor, it still works with a return string of 407, but not with 200. This suggests that the monitor isn't passing the authentication through to the Clearswift proxy.
Can anyone point me in the right direction for a simple HTTP health monitor through an authenticating proxy?
Thanks
Steve
- Richard__HarlanHistoric F5 Account
The proxy is telling you that it needs the Proxy-Authenticate header. You are going to have to create a custom HTTP monitor; an easy way to do this is with curl. If you create a proxy request with curl and use -v, it will output the HTTP request. You can recreate the request in the HTTP monitor quite easily.
- Steve_A_130918Nimbostratus
That got it. Thanks Steve
- Kunal_Borkar_11Nimbostratus
I am also looking for the same kind of configuration. Please post the configuration if you have implemented this.
Thanks in advance.
Kunal B.
- Steve_A_130918Nimbostratus
Use curl as suggested by Richard to get the authentication token string. Then create an http monitor with send and receive strings similar to below.
Send String
GET HTTP://www.xxx.co.uk/ HTTP/1.1\r\nProxy-Authorization: Basic String from Curl Test\r\nHost: www.xxx.co.uk\r\nAccept: */*\r\nProxy-Connection: Close\r\nConnection: Close\r\n\r\n
Receive string
HTTP/1.1 200 OK
- Kunal_Borkar_11Nimbostratus
Thanks for the reply Steve.
Can you please explain in detail? I am getting the below HTTP response from the server:
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NEGOTIATE
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: BASIC realm="IWA_Direct"
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: close
< Set-Cookie: BCSI-CS-7d06572a9586553b=2; Path=/
< Connection: close
< Content-Length: 3500
Also, please confirm: do I need to put in the username and password as well?
Kunal B
- Steve_A_130918Nimbostratus
The curl command should look something like:
curl www.microsoft.com --http1.1 --proxy-ntlm --proxy-user : --proxy http://: -v > .\out.txt
You could use proxy-basic instead of proxy-ntlm depending on the auth versions available.
I also created an AD user to authenticate as, which had no permissions on the network except for access to the internet via the proxy, with no password expiry.
- Kunal_Borkar_11Nimbostratus
Thanks Steve for the reply, I have tried curl as below,
curl http://www.google.com --proxy 89.2.43.110:80 -U r7b:test --proxy-ntlm -v
And found the below reply:
* About to connect() to proxy 89.2.43.110 port 80 (0)
* Trying 89.2.43.110... connected
* Connected to 89.2.43.110 (89.2.43.110) port 80 (0)
* Proxy auth using NTLM with user 'r7b'
GET http://www.google.com HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
Host: www.google.com
Accept: */*
Proxy-Connection: Keep-Alive
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAACQAJADgAAAAGgokAkREv22yFgKEAAAAAAAAAAIQAhABBAAAABQCTCAAAAA9NR1JPVVBORVQCABIATQBHAFIATwBVAFAATgBFAFQAAQAUAEYARABZAEkATgBFAFQAQgBDADEABAAaAE0ARwBSAE8AVQBQAE4ARQBUAC4AQwBPAE0AAwAwAGYAZAB5AGkAbgBlAHQAYgBjADEALgBtAGcAcgBvAHUAcABuAGUAdAAuAGMAbwBtAAAAAAA=
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: Keep-Alive
< Set-Cookie: BCSI-CS-7d06572a9586553b=2; Path=/
< Connection: Keep-Alive
< Content-Length: 3519
<
* Ignoring the response-body
* Connection 0 to host 89.2.43.110 left intact
* Issue another request to this URL: 'http://www.google.com'
* Re-using existing connection! (0) with host 89.2.43.110
* Connected to 89.2.43.110 (89.2.43.110) port 80 (0)
* Proxy auth using NTLM with user 'r7b'
GET http://www.google.com HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAAAwADAHAAAAAHAAcAcwAAAAAAAAAAAAAABoKJALAR3vHczABkAAAAAAAAAAAAAAAAAAAAAN/jh1Ml/PxUuQAlpK1a3QDWqts1zSHtiHI3YkZEWUxCMTA=
User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
Host: www.google.com
Accept: */*
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Thu, 05 Dec 2013 11:27:00 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
< Server: gws
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Alternate-Protocol: 80:quic
< Transfer-Encoding: chunked
< Proxy-Connection: Keep-Alive
< Connection: Keep-Alive
< Set-Cookie: PREF=ID=1442564a06c7befc:FF=0:TM=1386242820:LM=1386242820:S=uEG4ulBH4lbFPP8I; expires=Sat, 05-Dec-2015 11:27:00 GMT; path=/; domain=.google.com
< Set-Cookie: NID=67=mRO5WVD-coHnV6hm7SyyetuTapMZ04xB0_C1lTMT5yRlgKMI1nj_JohiIbFGm_c_eRskjfxeIccejtMzBm99QsxbrZw76pPMHRhnS5qJA859esiqFeHlQ88QBVvd0q_s; expires=Fri, 06-Jun-2014 11:27:00 GMT; path=/; domain=.google.com; HttpOnly
Based on the curl output, I have modified the monitor with the Proxy authorization parameter. Below is the GET string:
"GET HTTP://www.google.com/ HTTP/1.1\r\nProxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= \r\nHost: www.google.com\r\nAccept: */*\r\nProxy-Connection: Close\r\nConnection: Close\r\n\r\n"
but still Pool members are showing down.
- Dmitriy_SysoevNimbostratus
Hello! I have the same problem. Is there any solution?
- SqueakyNimbostratus
Did anyone find a solution here?
- PinkieComNimbostratus
I have gotten this to work myself.
It is because the HTTP monitor relies on receiving a "401 Authenticate" message from the initial BASIC auth request to kick in the NTLM negotiation.
Because proxies respond with a "407 Proxy Authenticate" instead of a 401, the monitor doesn't work.
So I wrote the following external monitor: https://devcentral.f5.com/codeshare/ntlm-authenticated-proxy-external-monitor-1013
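The NTLM exchange in the curl trace above, decoded as an added example (not part of any post in this thread and not the external monitor linked above): it reads the message type out of a Proxy-Authorization or Proxy-Authenticate value and shows why an NTLM token pasted into a static send string cannot reach a 200. `THREAD_TYPE1` is the token from the send string in the thread; `make_type2`, its nonces and all function names are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Type 1 token copied from the send string posted in this thread.
THREAD_TYPE1 = "NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="


def parse_ntlm(header_value):
    """Decode the value of a Proxy-Authorization or Proxy-Authenticate header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        raise ValueError("not an NTLM header value carrying a token")
    raw = base64.b64decode(token.strip())
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("NTLMSSP signature missing")
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    if msg_type not in NTLM_TYPES:
        raise ValueError("unknown NTLM message type %d" % msg_type)
    msg = {"type": msg_type, "name": NTLM_TYPES[msg_type], "challenge": None}
    if msg_type == 2:
        if len(raw) < 32:
            raise ValueError("Type 2 message too short for a server challenge")
        msg["challenge"] = raw[24:32].hex()  # 8-byte nonce at offset 24
    return msg


def make_type2(challenge):
    """Constructed, minimal Type 2 message (hypothetical proxy reply)."""
    body = b"NTLMSSP\x00" + struct.pack("<IHHII", 2, 0, 0, 32, 0x00088206)
    return "NTLM " + base64.b64encode(body + challenge).decode("ascii")


def static_send_string_verdict(header_value):
    """Say what a fixed Proxy-Authorization value can achieve in a monitor."""
    msg = parse_ntlm(header_value)
    if msg["type"] == 1:
        return "always 407: Type 1 only asks the proxy for a fresh challenge"
    if msg["type"] == 3:
        return "stale: Type 3 answers one challenge and fails against the next"
    return "invalid: Type 2 is sent by the proxy, never by the client"


if __name__ == "__main__":
    print(parse_ntlm(THREAD_TYPE1), static_send_string_verdict(THREAD_TYPE1))
    for nonce in (b"\x01" * 8, b"\x02" * 8):  # two probes, two different nonces
        print(parse_ntlm(make_type2(nonce)))
```

A Basic credential is a fixed string and can sit in a send string; NTLM needs a client that computes the Type 3 reply per connection, which is what an external monitor wrapping curl provides.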