Enabling NTLM Authentication on WCG


Upload: aniketymail

Post on 31-Mar-2015


Page 1: Enabling NTLM Authentication on WCG

Using NTLM proxy authentication

Websense Content Gateway provides the NTLM (NT LAN Manager) option to ensure that users in a Windows network are authenticated before they access protected content on the Internet.

When you enable the NTLM option, the proxy challenges users who request content for proof of their credentials. The proxy then sends the proof of the user’s credentials directly to the Windows domain controller to be validated. If the credentials are valid, the proxy serves the requested content and stores the credentials in the NTLM cache for future use. If the credentials are not valid, the proxy sends an authentication failed message to the user.

Websense Content Gateway supports both transparent (Single Sign-On) and explicit authentication. Transparent authentication is supported with Microsoft Internet Explorer 7 and 8, and Mozilla Firefox 2 and 3. Single Sign-On allows users to sign on only once, so that they can seamlessly access all authorized network resources.

Therefore, if a user has already logged on to the Windows network successfully, the credentials specified during Windows log on are used for authentication and the user is not prompted again for a username and password. Explicit (basic) authentication is supported for other browsers. With explicit authentication, users are prompted for a username and password before they can access the protected content.

Websense Content Gateway supports the use of backup domain controllers for failover. If the primary domain controller does not respond to the proxy request, Websense Content Gateway contacts the next domain controller in the list (the backup domain controller). For the next request, the proxy tries to contact the primary domain controller again and then contacts the backup domain controller if the connection fails.

Websense Content Gateway supports access to Windows NT domain controllers and Windows 2000, 2003, and 2008 Active Directory.

Restrictions:

1. WINS resolution is not supported. Domain controllers must have host names that can be resolved by a DNS server.

2. Extended security is not supported and cannot be enabled on the domain controller.

3. NTLM2 session security is not supported and cannot be enabled on clients. In the Security Settings area of the Windows operating system, inspect the Network Security: Minimum session security settings.

4. NTLMv2 is not supported with Active Directory 2008. The required Network Security: LAN Manager Authentication setting is described in step 5 of Configuring NTLM proxy authentication, below.

5. Not all browsers support transparent NTLM authentication. See Browser limitations, page 110.

6. Credential caching is performed when:

   o Authentication is transparent
   o The requestor (client) is on the same domain as the domain controller, or on a domain that has a trust relationship with the domain controller
   o The browser is Internet Explorer 7 or 8*, or Mozilla Firefox 2 or 3

*Credential caching does not work with Internet Explorer 7 or 8 if Microsoft Patch MS09-13 has been applied. For a workaround, see the Websense Knowledge Base article “NTLM credentials not cached with Internet Explorer 7 and 8”. To view the article, log in to MyWebsense, click on the Support tab, and select Websense Security Gateway from the Knowledge Base drop-down list.


Configuring NTLM proxy authentication

1. Navigate to Configure > My Proxy > Basic > General.

2. In the Features table, click NTLM On in the Authentication section.

3. Click Apply.

4. Navigate to Configure > Security > Access Control > NTLM.

5. In the Domain Controller field, enter the host name of the primary domain controller, followed, optionally, by a comma-separated list of backup domain controllers. The format of the host name must be:

   host_name[:port][%netbios_name]

   or IP_address[:port][%netbios_name]

   If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445. If you do not use port 445, you must ensure that the Windows Network File Sharing service is running on the Active Directory server. See your Windows Server 2008 documentation for details.

   Note: If you are using Active Directory 2008, in the Windows Network Security configuration, LAN Manager Authentication level must be set to Send NTLM response only. See your Windows Server 2008 documentation for details.

6. Enable Load Balancing if you want the proxy to balance the load when sending authentication requests to multiple domain controllers.

7. NTLM credential caching is enabled by default. To disable it, under Credential caching select Disable.

8. The default time-to-live (TTL) for credential caching is 3600 seconds (60 minutes). To change the TTL value, enter a new value in the Caching TTL field. The range of supported values is 300 to 86400 seconds.

9. If some users use terminal servers to access the Internet through the proxy (e.g., Citrix servers), you should create a list of those servers in the Multi-user Hostnames field. Credentials for such users are not cached. Enter a comma-separated list of host names. Names can include simple regular expressions to match multiple host names, such as “tserver*” to match all host names that start with “tserver”.

10. Click Apply.

11. Click Restart on Configure > My Proxy > Basic > General.

To configure Websense Content Gateway to allow certain clients access to specific sites on the Internet without being authenticated by a domain controller, see Access Control, page 228.

Setting NTLM cache options in records.config

On the Content Manager Configure > Security > Access Control > NTLM page you can enable and disable NTLM credential caching, set the time-to-live (TTL) value, and specify terminal server host names. You can also change these values in records.config, along with a few other NTLM caching parameters.


By default, the NTLM cache is configured to store 15728640 entries and each entry is considered fresh for 60 minutes (3600 seconds).

1. Open the records.config file located in the Websense Content Gateway config directory (default location is /opt/WCG/config).

2. Edit the following variables:

   proxy.config.ntlm.cache.enabled
       Set to 0 to disable the NTLM cache. When disabled, Websense Content Gateway does not store any credentials in the NTLM cache for future use.

   proxy.config.ntlm.cache.ttl_value
       Specify the amount of time (in seconds) that Websense Content Gateway can store entries in the NTLM cache. The supported range of values is 300 to 86400 seconds.

   proxy.config.ntlm.cache.size
       Specify the number of entries allowed in the NTLM cache.

   proxy.config.ntlm.cache.storage_size
       Specify the maximum amount of space that the NTLM cache can occupy on disk. This value should be proportionate to the number of entries in the NTLM cache. For example, if each entry in the NTLM cache is approximately 128 bytes and the number of entries allowed in the NTLM cache is 5000, the cache storage size should be at least 64000 bytes.

3. Save and close the file.

4. From the Websense Content Gateway bin directory (default location is /opt/WCG/bin), run content_line -L to restart Websense Content Gateway on the local node or content_line -M to restart Websense Content Gateway on all the nodes in a cluster.
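As an added example (not Websense code), a checker for the records.config variables listed above. It assumes the 'CONFIG <variable> INT <value>' line layout and runs over a constructed fragment; note that 5000 entries of about 128 bytes each multiply out to 640000 bytes, so the storage check derives its minimum from size times entry bytes rather than from a fixed figure. The function names are invented.

```python
import re
from typing import Dict, List

# Added example, not Websense code: pulls the proxy.config.ntlm.cache.*
# values out of records.config text and checks them against the variable
# descriptions above. The 'CONFIG <variable> INT <value>' layout is assumed.

TTL_MIN, TTL_MAX = 300, 86400
_LINE_RE = re.compile(r"^\s*CONFIG\s+(proxy\.config\.ntlm\.cache\.\w+)\s+INT\s+(-?\d+)\s*$")

# Constructed fragment: the TTL is below the minimum and the storage size
# is too small for 5000 entries of roughly 128 bytes each.
SAMPLE_RECORDS_CONFIG = """\
CONFIG proxy.config.ntlm.cache.enabled INT 1
CONFIG proxy.config.ntlm.cache.ttl_value INT 120
CONFIG proxy.config.ntlm.cache.size INT 5000
CONFIG proxy.config.ntlm.cache.storage_size INT 64000
"""

def parse_ntlm_cache_settings(text: str) -> Dict[str, int]:
    """Map each proxy.config.ntlm.cache.* variable to its integer value."""
    found = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def check_ntlm_cache_settings(s: Dict[str, int], entry_bytes: int = 128) -> List[str]:
    """Problems found; an empty list means the values are consistent."""
    p = "proxy.config.ntlm.cache."
    problems = []
    enabled = s.get(p + "enabled", 1)
    if enabled not in (0, 1):
        problems.append(f"enabled must be 0 or 1, got {enabled}")
    ttl = s.get(p + "ttl_value", 3600)
    if not TTL_MIN <= ttl <= TTL_MAX:
        problems.append(f"ttl_value {ttl} outside {TTL_MIN}-{TTL_MAX} seconds")
    size = s.get(p + "size", 15728640)  # default entry count from the page
    needed = size * entry_bytes         # disk space must cover every entry
    storage = s.get(p + "storage_size")
    if storage is not None and storage < needed:
        problems.append(f"storage_size {storage} < {needed} bytes needed for "
                        f"{size} entries of ~{entry_bytes} bytes")
    return problems
```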