Barracuda NextGen Firewall X

MSCHAPv2 authentication issue with http-proxy (challenge response on

  • Type: Knowledgebase
  • Date changed: 3 years ago
Solution #00005247 
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


When authentication is enabled on the http-proxy, the challenge-response method used requires specific data within the HTTP header. Depending on the client behaviour, some websites can cause problems with MSCHAP authentication (e.g. the Microsoft Update page, where downloads fail with "TCP_DENIED/407").



Each helper process generates its own challenge token. By default, tokens are never reused, so a new challenge-response exchange with the client is required for every object. This can lead to problems, for example, when a Windows client is updating, because the update is a parallel rather than a sequential process: when many challenge-responses arrive at the client while it performs parallel downloads, some requests are sent without the proxy_auth header, and a request without this header fails authentication.



To solve this issue, each challenge token can be configured to be reused and to stay valid for a certain amount of time. This sends fewer challenge-responses to the client, so the client inserts the proxy_auth header more reliably.

  auth_param ntlm max_challenge_reuses 200
  auth_param ntlm max_challenge_lifetime 10 minutes


The value "200" means that each authentication token is reused 200 times.
The value "10 minutes" means that each authentication token is valid for 10 minutes.


Furthermore, a Windows update generates HEAD requests, which are denied by default. To complete the update procedure successfully over the http-proxy, configure the following ACL entry via NG Admin:


In "Config" > "Box" > "Virtual Servers" > "<Servername>" > "Assigned Services" > "<Servicename>" > "HTTP Proxy Settings" > "Access Control", create an ACL entry as follows:

    - Requestmethod Config: 'HEAD' (mind the case sensitivity)
    - set the ACL to 'allow'
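Before applying the challenge-reuse settings or the HEAD ACL, it helps to confirm from the proxy's access log that the failure pattern described above is really what a client is hitting: a burst of "TCP_DENIED/407" answers to one client during parallel downloads, HEAD requests that are denied with 407, and URLs that never get past the 407. The following script is an added example and not part of this solution or of the firewall product; it assumes the proxy writes the Squid "native" access.log layout (timestamp, elapsed, client, result/status, bytes, method, URL, ...) and works on a few constructed log lines embedded in the file.

```python
import re
from collections import Counter, defaultdict

# Squid "native" access.log layout (assumed):
#   timestamp elapsed client result/status bytes method URL ident hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample lines: one Windows client (10.0.0.5) doing parallel update
# downloads behind an NTLM-authenticating proxy, plus one unrelated client.
SAMPLE_LOG = """\
1300000000.100    12 10.0.0.5 TCP_DENIED/407 1430 GET http://download.windowsupdate.com/a.cab - NONE/- text/html
1300000000.150    10 10.0.0.5 TCP_DENIED/407 1430 GET http://download.windowsupdate.com/b.cab - NONE/- text/html
1300000000.200    11 10.0.0.5 TCP_DENIED/407 1430 GET http://download.windowsupdate.com/c.cab - NONE/- text/html
1300000000.250    13 10.0.0.5 TCP_DENIED/407 1430 GET http://download.windowsupdate.com/d.cab - NONE/- text/html
1300000000.300   210 10.0.0.5 TCP_MISS/200 52310 GET http://download.windowsupdate.com/a.cab user DIRECT/1.2.3.4 application/octet-stream
1300000000.400    12 10.0.0.5 TCP_DENIED/407 1430 HEAD http://download.windowsupdate.com/e.cab - NONE/- text/html
1300000000.450    12 10.0.0.5 TCP_DENIED/407 1430 HEAD http://download.windowsupdate.com/f.cab - NONE/- text/html
1300000001.900    12 10.0.0.5 TCP_DENIED/407 1430 HEAD http://download.windowsupdate.com/g.cab - NONE/- text/html
1300000005.000   150 10.0.0.7 TCP_MISS/200 8800 GET http://example.com/ user DIRECT/5.6.7.8 text/html
"""


def parse_access_log(text):
    """Parse native-format access.log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def is_auth_denied(e):
    """True for the 'TCP_DENIED/407' answers the article describes."""
    return e["result"] == "TCP_DENIED" and e["status"] == 407


def find_auth_bursts(entries, window=1.0, threshold=3):
    """Clients that received at least `threshold` 407 denials within any `window` seconds.

    A normal NTLM/MSCHAP handshake costs one or two 407s per connection; a dense burst
    from one client is the parallel-download pattern where the proxy_auth header is missing.
    """
    by_client = defaultdict(list)
    for e in entries:
        if is_auth_denied(e):
            by_client[e["client"]].append(e["ts"])
    bursts = {}
    for client, stamps in by_client.items():
        stamps.sort()
        best, lo = 0, 0
        for hi in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[client] = best
    return bursts


def denied_head_requests(entries):
    """Per-client count of HEAD requests denied with 407 (symptom of the missing HEAD ACL)."""
    counts = Counter(e["client"] for e in entries
                     if e["method"] == "HEAD" and is_auth_denied(e))
    return dict(counts)


def unresolved_urls(entries):
    """URLs a client only ever got 407 for, i.e. the request was never retried successfully."""
    statuses = defaultdict(set)
    for e in entries:
        statuses[(e["client"], e["url"])].add(e["status"])
    return sorted(url for (_, url), seen in statuses.items() if seen == {407})


def summarize(text):
    """Run all three checks over a log text and return one report dict."""
    entries = parse_access_log(text)
    return {
        "parsed": len(entries),
        "auth_bursts": find_auth_bursts(entries),
        "denied_head": denied_head_requests(entries),
        "unresolved_urls": unresolved_urls(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a client that shows up in both `auth_bursts` and `denied_head` matches both problems this solution addresses, and the `unresolved_urls` list is a quick way to confirm after the change that the 407s now turn into successful retries.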


Do not set the parameters above unless they are needed for the problems described here: they extend the validity of an authentication.


