upstream proxy
2 Topics

Upstream explicit proxy and static NTLM auth
Hi,

I need to set static NTLM authentication performed by LTM when sending proxy requests to an upstream proxy - is that at all possible?

Scenario:

- LTM working as explicit proxy for internal clients
- APM profile attached to the VS working as explicit proxy should be responsible for AAA and all kinds of client checks
- When a user is allowed to access an external site, the request should be sent to an upstream explicit proxy (no authentication, just some headers added with authentication info) - this is the easy part
- Based on client checks, some requests should be redirected to another upstream explicit proxy - this proxy requires NTLM authentication. A static user and password are used for all connections to this proxy

The last point is the troublemaker here. I have no idea how to implement it.

My first idea was to use NTLM SSO. This works for the LTM VS type of access. I can set an Access Policy on a VS that performs NTLM auth with some www server (IIS for example). When I tried to use this for a VS working as explicit proxy, everything fails. There is no way to use SSO on proxy type Access Profiles. I can do that with the All or LTM-APM type, but in this case the first thing the profile does is a 302 to set APM cookies. At this point the browser fails - it sends a GET to the APM URI and gets a 404.

I am thinking about implementing an iRule that will intercept the APM 302, save cookies in a table etc. - just a basic idea, plenty of details to work on. I am not even sure if it's at all possible.

My question is whether there is a better way to implement this, or whether my spoofing idea is a workable solution - is it possible to trick APM using an iRule-created response and client request mods (adding proper cookies to each client request via iRule)?

Piotr