Explicit Proxy and NTLM

Author
moby
Silver Member
2019/01/22 12:55:25 (permalink)
0

Explicit Proxy and NTLM

Hi All,
 
I have a scenario where I need to use the explicit proxy and NTLM authentication. We are replacing another web proxy solution that is currently doing this. The authentication needs to be transparent, as the current one is, so the browsers are already configured to provide authentication responses.
 
We are currently using FortiOS 5.4.
 
I have read some posts which seem to suggest that we require Fortigate/LDAP and FSSO, but I am confused as to why we would need an FSSO collector in this setup.
 
Would the explicit proxy not just challenge the user browser and then based on the username returned perform an LDAP query to get the user/group membership details and then check the proxy policies?
 
Is an FSSO collector required in this setup and if so why?
 
Thanks, Moby.
#1


    emnoc
    Expert Member
    Re: Explicit Proxy and NTLM 2019/01/22 14:56:39 (permalink)
    0
    I think FSSO just makes this much easier, but I'm curious as to what you come up with. I believe WWW NTLM is supported now in explicit proxy; I would love to see it working. We have the same requirement, btw.
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #2
    James_G
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/22 15:06:29 (permalink)
    0
    Hi,

    I configured an explicit proxy with ntlm auth today, works really well. I have 6.0.4 on the unit I was testing this with, any chance you are going to upgrade?

    The reason I went for NTLM was that I'm using a Citrix environment and FSSO DC polling cannot identify users without extra agent software on hosts, and I would rather have no agent.
    #3
    James_G
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/23 02:46:43 (permalink)
    0
    Some config if it helps:
     
    config user ldap
        edit "DC01"
            set server "10.10.10.10"
            set cnid "cn"
            set dn "dc=domain,dc=local"
            set type regular
            set username "domain\\user"
            set password ENC xxxxxxxxxxxxxxxxxxxx
            set port 3268
        next
    end
    config user domain-controller
        edit "domain.local"
            set ip-address 10.10.10.10
            set domain-name "domain.local"
            set ldap-server "DC01"
        next
    end
    config user group
        edit "SSO_Guest_Users"
        next
        edit "All Staff"
            set member "DC01"
            config match
                edit 1
                    set server-name "DC01"
                    set group-name "CN=Domain Users,CN=Users,DC=domain,DC=local"
                next
            end
        next
    end
    config authentication scheme
        edit "domain.local"
            set method ntlm
            set domain-controller "domain.local"
        next
    end
    config authentication rule
        edit "domain.local"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "domain.local"
            set web-auth-cookie enable
        next
    end
    #4
    moby
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/23 02:52:36 (permalink)
    0
    Hi,
     
    Thanks for the responses. James, do you have any FSSO polling at all, or are you just using the LDAP and domain controller configuration you have shown?
     
    I will see if I can get it working on 5.4.10, but if not I will upgrade to 6.0.4.
     
    Thanks, Moby.
    #5
    James_G
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/23 03:01:15 (permalink)
    0
    No FSSO polling configured anywhere, just NTLM and then an LDAP lookup.
    #6
    Fishbone_FTNT
    Gold Member
    Re: Explicit Proxy and NTLM 2019/01/23 08:28:54 (permalink)
    0
    Hi all,
    James is actually using agentless NTLM (config user domain-controller), which is a new feature in 6.0 (it's there since 6.0.1 to be precise).

    Another possibility, besides the FSSO/NTLM or agentless NTLM solutions, would be Kerberos with the explicit proxy, which is capable of NTLM fallback if configured that way.
    Fishbone)(
    #7
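    The exchange the replies above describe (the proxy answers with 407 and an NTLM challenge, the browser returns a Type 3 message carrying DOMAIN\user, and only then does the FortiGate go to LDAP for group membership) can be checked by decoding the Proxy-Authenticate / Proxy-Authorization header values in a browser trace or packet capture. The decoder below is an added example written for this thread; it is not Fortinet code and does not talk to a FortiGate. The three header values it decodes are constructed in the script (the domain MYNET / mynet.local and the user moby come from the thread, the workstation name WS01 and the challenge bytes are made up), and the "ntlmv2" flag is inferred from the NT response length the way a reviewer would inspect a capture.

```python
"""Decode the NTLMSSP tokens a browser and an explicit proxy exchange in
Proxy-Authenticate / Proxy-Authorization headers (added example, not from
the thread or from FortiOS). Sample messages below are constructed, not captured."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
FLAG_UNICODE = 0x00000001                  # strings are UTF-16LE
FLAG_EXTENDED_SESSION_SECURITY = 0x00080000
FLAG_TARGET_INFO = 0x00800000              # CHALLENGE carries AV_PAIRs (domain, DNS names)
AV_NAMES = {1: "NetBIOS computer", 2: "NetBIOS domain",
            3: "DNS computer", 4: "DNS domain", 5: "DNS tree"}


def _buf(msg, at):
    """Read a security-buffer descriptor (len u16, maxlen u16, offset u32)."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, at)
    return msg[start:start + length]


def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & FLAG_UNICODE else "latin-1")


def parse_ntlm_message(msg):
    """Return a dict describing a NEGOTIATE, CHALLENGE or AUTHENTICATE message."""
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == NEGOTIATE:                 # Type 1: domain/workstation are OEM strings
        flags = struct.unpack_from("<I", msg, 12)[0]
        return {"type": "NEGOTIATE", "flags": flags,
                "domain": _buf(msg, 16).decode("latin-1"),
                "workstation": _buf(msg, 24).decode("latin-1")}
    if mtype == CHALLENGE:                 # Type 2: the proxy's 8-byte server challenge
        flags = struct.unpack_from("<I", msg, 20)[0]
        info, pos = {}, 0
        av = _buf(msg, 40) if flags & FLAG_TARGET_INFO else b""
        while pos + 4 <= len(av):
            av_id, av_len = struct.unpack_from("<HH", av, pos)
            pos += 4
            if av_id == 0:                 # MsvAvEOL terminates the list
                break
            if av_id in AV_NAMES:
                info[AV_NAMES[av_id]] = av[pos:pos + av_len].decode("utf-16-le")
            pos += av_len
        return {"type": "CHALLENGE", "flags": flags,
                "target_name": _text(_buf(msg, 12), flags),
                "server_challenge": msg[24:32].hex(), "target_info": info}
    if mtype == AUTHENTICATE:              # Type 3: what the proxy learns about the user
        flags = struct.unpack_from("<I", msg, 60)[0]
        return {"type": "AUTHENTICATE", "flags": flags,
                "domain": _text(_buf(msg, 28), flags),
                "user": _text(_buf(msg, 36), flags),
                "workstation": _text(_buf(msg, 44), flags),
                # NTLMv1 NT responses are exactly 24 bytes; NTLMv2 is 16-byte HMAC + blob
                "ntlmv2": len(_buf(msg, 20)) > 24}
    raise ValueError("unknown NTLM message type %d" % mtype)


def parse_header(value):
    """Decode 'NTLM <base64>' from either header; the proxy's first 407 is a bare 'NTLM'."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    return {"type": "INITIAL_407"} if not token else parse_ntlm_message(base64.b64decode(token))


def identity_from_authorization(value):
    """DOMAIN\\user as seen by the proxy before any LDAP group lookup."""
    m = parse_header(value)
    if m.get("type") != "AUTHENTICATE":
        raise ValueError("not an AUTHENTICATE message")
    return "%s\\%s" % (m["domain"], m["user"])


# --- builders used only to fabricate the sample exchange (constructed data) -----
def build_challenge(target, server_challenge, av_pairs,
                    flags=FLAG_UNICODE | FLAG_TARGET_INFO | FLAG_EXTENDED_SESSION_SECURITY):
    target_b = target.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                    for i, v in av_pairs) + struct.pack("<HH", 0, 0)
    fixed = 48                             # fixed part without the optional Version field
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE)
    msg += struct.pack("<HHI", len(target_b), len(target_b), fixed)
    msg += struct.pack("<I", flags) + server_challenge + b"\x00" * 8
    msg += struct.pack("<HHI", len(info), len(info), fixed + len(target_b))
    return msg + target_b + info


def build_authenticate(domain, user, workstation, lm_response, nt_response, flags=FLAG_UNICODE):
    parts = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    msg, offset = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE), 64
    for p in parts:                        # six descriptors, then the flags, then payload
        msg += struct.pack("<HHI", len(p), len(p), offset)
        offset += len(p)
    return msg + struct.pack("<I", flags) + b"".join(parts)


def sample_headers():
    """Constructed 407 -> Type 2 -> Type 3 round trip using the thread's domain names."""
    type2 = build_challenge("MYNET", bytes.fromhex("0123456789abcdef"),
                            [(2, "MYNET"), (4, "mynet.local")])
    type3 = build_authenticate("MYNET", "moby", "WS01", b"\x00" * 24,
                               b"\x11" * 16 + b"\x01\x01" + b"\x00" * 6 + b"\x22" * 24)
    return ["NTLM", "NTLM " + base64.b64encode(type2).decode(),
            "NTLM " + base64.b64encode(type3).decode()]


if __name__ == "__main__":
    hdrs = sample_headers()
    for h in hdrs:
        print(parse_header(h))
    print("proxy will look up:", identity_from_authorization(hdrs[2]))
```

    Feed it the real header values from a browser trace (the Type 2 is in the proxy's second 407, the Type 3 in the browser's following Proxy-Authorization) and the decoded "domain" and "user" are exactly what the LDAP group match has to resolve; if the Type 2 "target_info" shows a different domain than the one configured under config user domain-controller, the browser was challenged by something else than the FortiGate.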
    moby
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/23 10:26:51 (permalink)
    5 (1)
    Hi All,
     
    I upgraded a test 60D to 6.0.4 and attempted to set this up, but it is not working so far, so I expect I have done something wrong.
    When testing with the Chrome browser and going to www.fortinet.com I get the error message "access denied the page you requested has been blocked by a firewall policy restriction".
     
    I have attached some of my config below -- any ideas?
     
    Thanks, Moby.
     
    config user ldap
        edit "LDAPUK"
            set server "10.200.200.101"
            set cnid "sAMAccountName"
            set dn "OU=Mynet,DC=Mynet,DC=local"
            set type regular
            set username "CN=xxxxxx,OU=Global Users,OU=MyNET,DC=Mynet,DC=local"
            set password ENC hxxJicK2MzMgoi/h4U85ODrRDIyUSXVhgd2WfQyLtCBGcSkU0Au/IuQwZtjgqWa+bVPd68owRIbg8+YYsXLIpnrScnRlkoX/tz3K+xu6FkCq99mRq79729oz+eYuH3WxVRMum/qpGsum59RN2mvWU2lFBZ9WLjx/ihvBeMMtvZ0DBD9Z1mMnLa7VOqMxw6reHkYmIQ==
        next
    end
    config user domain-controller
        edit "mynet.local"
            set ip-address 10.200.200.101
            set domain-name "mynet.local"
            set ldap-server "LDAPUK"
        next
    end
    config user group
        edit "SSO_Guest_Users"
        next
        edit "Guest-group"
            set member "guest"
        next
        edit "ALL_STAFF"
            set member "LDAPUK"
            config match
                edit 1
                    set server-name "LDAPUK"
                    set group-name "CN=Domain Users,CN=Users,DC=domain,DC=local"
                next
            end
        next
    end

    config authentication scheme
        edit "mynet.local"
            set method ntlm
            set domain-controller "mynet.local"
        next
    end

    config authentication rule
        edit "mynet.local"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "mynet.local"
            set web-auth-cookie enable
        next
    end

    config firewall proxy-policy
        edit 1
            set uuid 7726beba-1f2a-51e9-6d4b-09ab9eb7ffed
            set proxy explicit-web
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "Proxy HTTP" "Proxy HTTPS"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "ALL_STAFF"
        next
    end
    #8
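    A configuration like the one posted above has several names that must line up across tables (the domain-controller's ldap-server, the group match's server-name, the authentication rule's active-auth-method, and the proxy-policy's groups), and a "blocked by a firewall policy restriction" page is what you get when the group match silently resolves to nothing. The script below is an added example, not a Fortinet tool: it parses the config / edit / set / next / end text into nested dicts and cross-checks those references, including whether the DC= components of each group-name DN match the base dn of the LDAP server the match points at. The embedded sample is the config above, trimmed, with the password replaced by a placeholder. On that sample the one thing it flags is that the group-name is under DC=domain,DC=local while LDAPUK searches DC=Mynet,DC=local; the thread does not say what the eventual fix was, so treat that as something to verify, not as the diagnosed cause.

```python
"""Cross-reference checks for a FortiOS agentless-NTLM explicit-proxy config
(added example for this thread; it only knows the handful of tables used here)."""
import shlex


def parse_fortios(text):
    """Turn 'config / edit / set / next / end' text into nested dicts, e.g.
    root['config user ldap']['LDAPUK']['dn'] == 'OU=Mynet,DC=Mynet,DC=local'."""
    root, stack, node = {}, [], None
    node = root
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if not tok:
            continue
        if tok[0] == "config":                 # open a table (possibly nested in an entry)
            stack.append(node)
            node = node.setdefault("config " + " ".join(tok[1:]), {})
        elif tok[0] == "edit":                 # open an entry inside the current table
            stack.append(node)
            node = node.setdefault(tok[1], {})
        elif tok[0] == "set":                  # single value -> str, several -> list
            node[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] in ("next", "end"):
            node = stack.pop()
    return root


def _names(value):
    return [value] if isinstance(value, str) else list(value)


def _dc_components(dn):
    """('mynet', 'local') for 'OU=x,DC=Mynet,DC=local'; case-insensitive like AD."""
    return tuple(p.split("=", 1)[1].strip().lower() for p in dn.split(",")
                 if p.strip().upper().startswith("DC="))


def check_config(text):
    """Return a list of human-readable findings; an empty list means the references line up."""
    cfg = parse_fortios(text)
    ldap = cfg.get("config user ldap", {})
    groups = cfg.get("config user group", {})
    schemes = cfg.get("config authentication scheme", {})
    findings = []
    for name, dc in cfg.get("config user domain-controller", {}).items():
        if dc.get("ldap-server") not in ldap:
            findings.append("domain-controller %s: ldap-server %r does not exist" % (name, dc.get("ldap-server")))
    for gname, g in groups.items():
        for idx, match in g.get("config match", {}).items():
            srv = match.get("server-name")
            if srv not in ldap:
                findings.append("group %s match %s: server-name %r does not exist" % (gname, idx, srv))
                continue
            want = _dc_components(ldap[srv].get("dn", ""))
            got = _dc_components(match.get("group-name", ""))
            if want and got != want:           # group DN lives in a directory the server does not search
                findings.append("group %s: group-name is under %s but server %s searches %s"
                                % (gname, ".".join(got), srv, ".".join(want)))
    for rname, rule in cfg.get("config authentication rule", {}).items():
        if rule.get("active-auth-method") not in schemes:
            findings.append("authentication rule %s: scheme %r does not exist" % (rname, rule.get("active-auth-method")))
    for pid, pol in cfg.get("config firewall proxy-policy", {}).items():
        for grp in _names(pol.get("groups", [])):
            if grp not in groups:
                findings.append("proxy-policy %s: group %r does not exist" % (pid, grp))
    return findings


# Constructed sample: the config posted in this thread, trimmed, password replaced.
SAMPLE = """
config user ldap
    edit "LDAPUK"
        set server "10.200.200.101"
        set cnid "sAMAccountName"
        set dn "OU=Mynet,DC=Mynet,DC=local"
        set password ENC placeholder
    next
end
config user domain-controller
    edit "mynet.local"
        set ip-address 10.200.200.101
        set ldap-server "LDAPUK"
    next
end
config user group
    edit "ALL_STAFF"
        set member "LDAPUK"
        config match
            edit 1
                set server-name "LDAPUK"
                set group-name "CN=Domain Users,CN=Users,DC=domain,DC=local"
            next
        end
    next
end
config authentication scheme
    edit "mynet.local"
        set method ntlm
        set domain-controller "mynet.local"
    next
end
config authentication rule
    edit "mynet.local"
        set active-auth-method "mynet.local"
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set service "Proxy HTTP" "Proxy HTTPS"
        set groups "ALL_STAFF"
    next
end
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE) or ["no findings"]:
        print(finding)
```

    Run it against a "show full-configuration" dump trimmed to these tables; the parser deliberately ignores keywords it does not know (unset, config vdom, comments), so it is a quick consistency pass, not a validator of FortiOS syntax.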
    Fishbone_FTNT
    Gold Member
    Re: Explicit Proxy and NTLM 2019/01/23 10:37:15 (permalink)
    0
    Hi Moby,
    Config looks good; just the custom services "Proxy HTTP" and "Proxy HTTPS" look quite suspicious. Could you test with the default "webproxy"?
     
    Fishbone)(
    #9
    moby
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/23 13:02:33 (permalink)
    0
    Hi Fishbone,
     
    That is one thing I found that was strange: when I created the proxy policy it would not let me select any service. The only way I could select a service was to create new ones where the service type was "Explicit Proxy"; then I was able to select them in the proxy policy. See below from the CLI where I am editing the policy:
     
    config firewall proxy-policy
        edit 1
            set uuid 7726beba-1f2a-51e9-6d4b-09ab9eb7ffed
            set proxy explicit-web
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "Proxy HTTP" "Proxy HTTPS"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "ALL_STAFF"
        next
    end

    FGT60D4613058466 (1) # set service
    *name    Service name.
    Proxy HTTP     custom
    Proxy HTTPS    custom
     
    The only ones available are those two that I created:
     
    config firewall service custom
        edit "Proxy HTTP"
            set proxy enable
            set protocol ALL
            set tcp-portrange 80
        next
        edit "Proxy HTTPS"
            set proxy enable
            set protocol ALL
            set tcp-portrange 443
        next
    end
     
    Moby
    #10
    James_G
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/23 13:34:30 (permalink)
    0
    Can you select 'all' for testing?
    #11
    moby
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/23 13:46:12 (permalink)
    0
    Hi James,
    I will try that tomorrow. I also think it may be some settings on the DC that need to be changed. I tried some debugging, like diag debug app authd -1 and diag debug app fnbamd -1, but it didn't show anything useful.
     
    Does anyone know if we can test the NTLM between the FortiGate and the DC with a test command, like you can with diag test authserver ldap?
     
    Thanks, Moby.
    #12
    moby
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/24 05:30:44 (permalink)
    0
    Hi All,
    Many thanks for all of your feedback; it is now working. I have a couple more questions that someone may be able to help with:
     
    What is the authentication timeout and method, and can it be changed?
    I want to add a second domain controller to the config. Do you just add a second one, and if so, which one will the FortiGate use as primary?
     
    Thanks, Moby.
    #13
    James_G
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/24 10:43:04 (permalink)
    0
    I was thinking of trying a loopback to a load-balanced virtual server, with a ping health check to the real servers (the domain controllers). I use loopback vservers elsewhere on the FortiGate; they need to have NAT enabled, but they work.

    I.e. if your internal FGT interface is x.x.x.1 and the DCs are x.x.x.10 and x.x.x.11, create vservers on the FGT with the external IP as x.x.x.12 and real servers .10 and .11, then a policy with internal as both source and destination; as long as you source NAT on the policy to .12 it seems to work.

    Hope my ramble makes sense. Do that for the LDAP address also?
    #14
    moby
    Silver Member
    Re: Explicit Proxy and NTLM 2019/01/25 01:15:35 (permalink)
    0
    Hi James,
     
    Thanks for the feedback. I do get what you are saying, but it seems a bit of a complicated way of doing it. With LDAP I can just add a secondary server into the LDAP config as below:
     
    edit LDAP_Server
    set server 1.1.1.1
    set secondary-server 1.1.1.2
     
    So I am wondering if there is any similar method for "config user domain-controller", or, if you can add two domain controllers, which one would be used and whether the second would be used if the first does not respond.
     
    Thanks, Moby.
     
     
    #15
    emnoc
    Expert Member
    Re: Explicit Proxy and NTLM 2019/01/25 08:52:18 (permalink)
    0
    Moby thanks for the details.
     
    Ken
     

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #16
    kaleun
    New Member
    Re: Explicit Proxy and NTLM 2019/08/20 07:20:58 (permalink)
    0
    Hello Moby,
    We also have problems setting up the explicit proxy with NTLM and get the error message "access denied the page you requested has been blocked by a firewall policy restriction". Can you describe how you fixed the problem in your case?
     
    Thanks, Kaleun.
    #17