- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
When authentication is used with the HTTP proxy, the challenge-response method requires specific data in the HTTP header. Depending on client behavior, MSCHAP authentication may fail on some websites (e.g. the Microsoft Update page http://www.update.microsoft.com), resulting in unsuccessful downloads ending with "TCP_DENIED/407".
Each helper process generates its own challenge token. By default, the tokens are never reused. This means that a new challenge-response has to be generated for the client for each object. This may lead to problems, for example when updating a Windows client, because the update is a parallel process rather than a sequential one. When many challenge-responses arrive at the client side and parallel downloads are performed, some packets lack the proxy_auth header. If this header is not present, authentication fails.
To solve this issue, each challenge token can be configured to be reused and to remain valid for a certain amount of time. This generates fewer challenge-responses to the client, which leads to better behaviour regarding the insertion of proxy_auth headers:
auth_param ntlm max_challenge_reuses 200
auth_param ntlm max_challenge_lifetime 10 minutes
The value "200" means that the authentication tokens are reused 200 times.
The value "10" means that the authentication tokens are valid for 10 minutes.
Furthermore, a Windows update generates HEAD requests, which are denied by default. To complete the update procedure successfully over an HTTP proxy, configure the following ACL entry via NG Admin:
Under "Config" > "Box" > "Virtual Servers" > "<Servername>" > "Assigned Services" > "<Servicename>" > "HTTP Proxy Settings" > "Access Control", create an ACL entry like this:
- Requestmethod Config 'HEAD' (mind the case sensitivity)
- set the ACL to 'allow'
Setting the parameters above is not recommended unless they are needed for the issues described; such settings cause authentication to remain valid for longer.
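To check whether a proxy is affected before changing these settings, the access log can be triaged for requests that only ever received "TCP_DENIED/407" and for denied HEAD requests. The following Python script is an added example, not part of the original article or the product; it assumes the proxy writes Squid's native access.log layout, and the sample lines, host names and function names are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (assumed format):
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1286536309.100 3 10.0.0.5 TCP_DENIED/407 1720 GET http://download.example.test/a.cab - NONE/- text/html
1286536309.150 2 10.0.0.5 TCP_DENIED/407 1850 GET http://download.example.test/a.cab - NONE/- text/html
1286536309.400 210 10.0.0.5 TCP_MISS/200 48211 GET http://download.example.test/a.cab alice DIRECT/192.0.2.10 application/octet-stream
1286536309.120 3 10.0.0.5 TCP_DENIED/407 1720 GET http://download.example.test/b.cab - NONE/- text/html
1286536309.180 2 10.0.0.5 TCP_DENIED/407 1850 GET http://download.example.test/b.cab - NONE/- text/html
1286536309.260 2 10.0.0.5 TCP_DENIED/407 1720 GET http://download.example.test/b.cab - NONE/- text/html
1286536310.010 1 10.0.0.5 TCP_DENIED/403 1400 HEAD http://download.example.test/c.cab alice NONE/- text/html
"""

def parse(line):
    """Return (client, result, status, method, url), or None for malformed lines."""
    fields = line.split()
    if len(fields) < 7 or "/" not in fields[3]:
        return None
    result, status = fields[3].split("/", 1)
    return fields[2], result, status, fields[5], fields[6]

def triage(log_text):
    """Separate normal challenge-response exchanges from requests never served."""
    seen = defaultdict(lambda: {"407": 0, "served": False})
    head_denied = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, result, status, method, url = rec
        key = (client, method, url)
        if result == "TCP_DENIED" and status == "407":
            seen[key]["407"] += 1          # challenge sent, or auth header missing
        elif result == "TCP_DENIED" and method == "HEAD":
            head_denied.append((client, url))  # HEAD rejected by the access control
        elif result != "TCP_DENIED":
            seen[key]["served"] = True     # request was eventually answered
    # 407s on a request that was also served are the expected handshake;
    # requests that only ever got 407 are the failed downloads described above.
    stuck = sorted(k for k, v in seen.items() if v["407"] and not v["served"])
    return stuck, head_denied

if __name__ == "__main__":
    stuck, head_denied = triage(SAMPLE_LOG)
    print("never authenticated:", stuck)
    print("HEAD denied:", head_denied)
```

If neither list contains entries for the update hosts, the default token handling and ACL can stay as they are.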