Piotr_Lewandows
Apr 20, 2016

Upstream explicit proxy and static NTLM auth

Hi,

I need to set static NTLM authentication performed by LTM when sending proxy requests to an upstream proxy - is that at all possible?

Scenario:

  • LTM working as an explicit proxy for internal clients
  • The APM profile attached to the VS working as an explicit proxy should be responsible for AAA and all kinds of client checks
  • When a user is allowed to access an external site, the request should be sent to an upstream explicit proxy (no authentication, just some headers added with authentication info) - this is the easy part
  • Based on client checks, some requests should be redirected to another upstream explicit proxy - this proxy requires NTLM authentication. A static user and password are used for all connections to this proxy

The last point is the troublemaker here.

I have no idea how to implement it. My first idea was to use NTLM SSO. This works for the LTM VS type of access. I can set an Access Policy on a VS that performs NTLM auth with some web server (IIS, for example).

When I tried to use this for a VS working as an explicit proxy, everything failed.

There is no way to use SSO on proxy-type Access Profiles. I can do that with the All or LTM-APM type, but in this case the first thing the profile does is a 302 to set APM cookies.

At this point the browser fails - it sends a GET to the APM URI and gets a 404.

I am thinking about implementing an iRule that will intercept the APM 302, save cookies in a table, etc. - just a basic idea, plenty of details to work on. I am not even sure if it's possible at all.

My question is whether there is a better way to implement this, or whether my spoofing idea is a workable solution - is it possible to trick APM using an iRule-created response and client request mods (adding the proper cookies to each client request via an iRule)?

Piotr