Barracuda CloudGen Firewall

MSCHAPv2 authentication issue with http-proxy (challenge response on update.microsoft.com)

  • Type: Knowledgebase
  • Date changed: 7 months ago
Solution #00005247 
This solution replies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


Authentication with the http-proxy requires specific data in the HTTP header because of the challenge-response method used. Depending on the client behaviour, some websites may cause problems with MSCHAP authentication (e.g. the Microsoft Update page http://www.update.microsoft.com), resulting in unsuccessful downloads that end with "TCP_DENIED/407".



Each helper process generates its own challenge token. By default, tokens are never reused, so a new challenge-response has to be generated for the client for every object. This can cause problems, for example when updating a Windows client, because the update is a parallel process rather than a sequential one: when many challenge-responses arrive at the client while parallel downloads are in progress, some requests are sent without the proxy_auth header, and without that header authentication fails.



To solve this issue, each challenge token can be configured to be reused and to stay valid for a certain amount of time. This generates fewer challenge-responses to the client, so the client inserts the proxy_auth header more reliably.

  auth_param ntlm max_challenge_reuses 200
  auth_param ntlm max_challenge_lifetime 10 minutes


The value "200" means that each authentication token is reused up to 200 times.
The value "10" means that each authentication token is valid for 10 minutes.


Furthermore, a Windows update generates HEAD requests, which are denied by default. To complete the update procedure successfully over the http-proxy, configure the following ACL entry via NG Admin:


In "Config" > "Box" > "Virtual Servers" > "<Servername>" > "Assigned Services" > "<Servicename>" > "HTTP Proxy Settings" > "Access Control", create an ACL entry like this:

    - Request method config: 'HEAD' (mind the case sensitivity)
    - set the ACL to 'allow'

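Before changing the challenge-reuse parameters or the ACL, it helps to confirm from the proxy access log that the symptom described above is actually present: repeated TCP_DENIED/407 responses to the same client against the update host, and denied HEAD requests. The following script is an added example and not part of this solution or the firewall product; it assumes the proxy writes Squid-style native access.log lines (a constructed sample is embedded) and flags clients with more 407 denials than the single one a normal challenge exchange needs.

```python
import re
from collections import Counter

# Constructed sample in Squid "native" access.log format (assumed layout:
# timestamp elapsed client action/status size method URL ident hierarchy type).
SAMPLE_LOG = """\
1700000000.101 12 10.0.0.5 TCP_DENIED/407 3100 GET http://www.update.microsoft.com/a.cab - NONE/- text/html
1700000000.102 10 10.0.0.5 TCP_DENIED/407 3100 GET http://www.update.microsoft.com/b.cab - NONE/- text/html
1700000000.103 11 10.0.0.5 TCP_DENIED/407 3100 HEAD http://www.update.microsoft.com/c.cab - NONE/- text/html
1700000000.150 80 10.0.0.5 TCP_MISS/200 20480 GET http://www.update.microsoft.com/a.cab user1 DIRECT/1.2.3.4 application/octet-stream
1700000000.200 9 10.0.0.7 TCP_DENIED/407 3100 GET http://example.org/ - NONE/- text/html
1700000000.210 70 10.0.0.7 TCP_MISS/200 512 GET http://example.org/ user2 DIRECT/5.6.7.8 text/html
"""

# timestamp, elapsed, client, action/status, size, method, url
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+(\S+)/(\d{3})\s+\d+\s+(\S+)\s+(\S+)")


def parse_line(line):
    """Return (client, action, status, method, host) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, client, action, status, method, url = m.groups()
    host = re.sub(r"^\w+://", "", url).split("/")[0]
    return client, action, int(status), method, host


def summarize_407(log_text, burst_threshold=3):
    """Count 407 denials per client and per (host, method).

    One 407 per client is the normal challenge; a client at or above
    burst_threshold against the same host is the parallel-download symptom.
    """
    per_client = Counter()
    per_host_method = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, _action, status, method, host = rec
        if status == 407:
            per_client[client] += 1
            per_host_method[(host, method)] += 1
    bursty = sorted(c for c, n in per_client.items() if n >= burst_threshold)
    head_denied = sum(n for (_h, m), n in per_host_method.items() if m == "HEAD")
    return {"per_client": dict(per_client), "per_host_method": dict(per_host_method),
            "bursty_clients": bursty, "head_denied": head_denied}
```

Run it against the real access.log instead of SAMPLE_LOG; if no client is bursty and no HEAD request is denied, the reuse parameters are not needed.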

It is not recommended to set the parameters above unless they are needed for the described issue, since these settings extend the validity of the authentication.


