Barracuda Web Security Gateway

How should I configure NTLM authentication on my Barracuda Web Filter?

  • Type: Knowledgebase
  • Date changed: 4 years ago
Solution #00003296

Scope:
All Barracuda Web Filters deployed as a forward proxy, firmware versions 3.3 and above.

Answer:
If your network uses an NTLM (NT LAN Manager) authentication server, your NTLM domain users can use the NTLM authentication service to authenticate with the Barracuda Web Filter. To enable transparent proxy authentication using your NTLM server, you must join the Barracuda Web Filter to the NTLM realm as an authorized host. However, there are several requirements that must be met to use NTLM authentication:
  • Forward proxy deployment.

    In order to support NTLM domain users, the Barracuda Web Filter must be deployed as a forward proxy. This also entails proper IP configuration; on the Basic > IP Configuration page, the Operating Mode must be set to Active and the Pass Client IP addresses through WAN port field must be set to No.

  • No other authentication services configured.

    If you configure the Barracuda Web Filter to use the NTLM authentication service, the Barracuda Web Filter can only recognize NTLM domain users and any local users you configure explicitly. No additional authentication services can be configured with the Barracuda Web Filter. If you need to remove an LDAP or RADIUS integration, go to the Users/Groups > Authentication Services page and, under the Existing Authentication Services heading, click the trash can icon to delete any authentication service that had previously been integrated with the Barracuda Web Filter.

  • DC agents are not required when NTLM is used alone; they are needed for use with LDAP/AD and single sign-on features.

  • Forced proxy authentication.

    In order for NTLM domain users to authenticate with the Barracuda Web Filter, you must enable this option on the Users/Groups > Configuration page.

  • All web browsers must use the Barracuda Web Filter as an HTTP proxy.

    In order for an NTLM domain user to authenticate with the Barracuda Web Filter, the client machine’s web browser must be configured to use port 8080 of the Barracuda Web Filter as an HTTP proxy.

    NOTE: As of 7.x, the port is 3128, not 8080.

Once all of these conditions have been met, configuring NTLM authentication should be relatively simple. Just follow these steps:
  1. Click the NTLM tab on the Users/Groups > Authentication Services page.
  2. Enter information about your NTLM server:

    • NTLM Domain Name - The name of the Windows domain (this should be available on your NTLM domain controller).
    • NTLM Server IP - The IP address of the NTLM authentication server. 
    • NTLM Server Hostname - The hostname of your NTLM domain controller.

  3. Enter information about the NTLM domain user account that will be used to add the Barracuda Web Filter to the Windows domain:
    • NTLM Username - The name of any NTLM account with administrative privileges.
    • NTLM Password - The password for this NTLM account.

  4. Click the Join Domain button to add the Barracuda Web Filter to the Windows domain as a proxy server. 
  5. Wait for the Configuration updated message. 
  6. Click the Add button to add the NTLM server to the Barracuda Web Filter list of authentication servers. The NTLM server is added to the list in the Existing Authentication Services section, identified by the NTLM domain name.
Note: The Add button will be disabled until this NTLM server is deleted.
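
One way to check the result of the steps above from a client machine, as an added example that is not Barracuda tooling: an unauthenticated request through the proxy should be refused with a 407 that offers NTLM. The function names and sample responses are constructed for illustration, and the 407 / Proxy-Authenticate behaviour assumed here is standard HTTP proxy authentication, not something this article documents.

```python
import socket

# Proxy ports named in this article: 8080, or 3128 as of 7.x.
PROXY_PORTS = (3128, 8080)

# Constructed sample responses (not captured from a real appliance).
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: NTLM\r\n"
              b"proxy-authenticate: Basic realm=\"proxy\"\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

def parse_proxy_challenge(raw):
    """Return (status_code, [offered auth schemes]) from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; one challenge per header is assumed.
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].upper())  # drop realm=... parameters
    return int(parts[1]), schemes

def assess(status, schemes):
    """Classify what an unauthenticated client was told by the proxy."""
    if status != 407:
        return "no-auth-enforced"      # forced proxy authentication not in effect
    if "NTLM" in schemes:
        return "ntlm-offered"
    return "auth-without-ntlm"         # a challenge, but NTLM is not offered

def probe(host, port, timeout=5.0):
    """Send one credential-less proxy request and classify the reply."""
    request = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return assess(*parse_proxy_challenge(raw))

if __name__ == "__main__":
    for sample in (SAMPLE_407, SAMPLE_200):
        print(assess(*parse_proxy_challenge(sample)))
```

Call `probe()` with the Barracuda Web Filter's address and each port in `PROXY_PORTS`; a result of `no-auth-enforced` means requests are being served without a proxy authentication challenge.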

Be aware, some options on the Barracuda Web Filter will be restricted when using NTLM authentication. These restrictions apply:
  • No login override of blocked pages.

    Unlike local users or LDAP domain users, NTLM domain users cannot override a blocked page by logging in to provide credentials. That is, when a policy on the Barracuda Web Filter blocks Internet access for an NTLM user, the user will not be offered login fields at the bottom of the block message (even if you have enabled the Allow login override of blocked pages option in the Block/Accept > Configuration page). This also means that the Warn action is effectively the same as the Block action; users will not be able to proceed beyond the Warn page (though the Warn blocks will still be displayed separately on the Block/Accept > Warned Activity page).

  • No logout option.

    Unlike local users or LDAP domain users, NTLM domain users cannot log out when proceeding to a blocked page in order to surf anonymously. That is, when a policy on the Barracuda Web Filter blocks Internet access for an NTLM user, the user will not be offered a logout option at the bottom of the block message (even if you have enabled the Offer Logout option on the Block/Accept > Configuration page).

  • NTLM domain users not listed.

    Unlike local users or LDAP domain users, NTLM domain users are not listed on the Users/Groups > Account View page. However, the traffic for NTLM domain users can still be found on the Basic > Log, Basic > Applications Log, and Basic > Reports pages.

  • NTLM realm not listed in syslog output.

    Unlike local users or LDAP domain users, NTLM domain users are listed in the syslog output without a realm identifier.

Lastly, when creating exceptions on the Block/Accept > Exceptions page, you will find that you are only able to search for specific NTLM users. If you want to create an exception that applies to an entire NTLM group, click the Lookup button, search for a user in that group, and then select that group from the list of groups to which that user belongs.


Note: On modern firmware, the DC agent, NTLM, and LDAP can be used at the same time.

