All Barracuda Web Filters deployed as a forward proxy, firmware versions 3.3 and above.
If your network uses an NTLM (NT Lan Manager) authentication server, your NTLM domain users can use the NTLM authentication service to authenticate with the Barracuda Web Filter. To enable transparent proxy authentication using your NTLM server, you must join the Barracuda Web Filter to the NTLM realm as an authorized host. However, there are several requirements that must be met to use NTLM authentication:
- Forward proxy deployment.
In order to support NTLM domain users, the Barracuda Web Filter must be deployed as a forward proxy. This also entails proper IP configuration; on the Basic > IP Configuration page, the Operating Mode must be set to Active and the Pass Client IP addresses through WAN port field must be set to No.
- No other Proxy authentication services configured (Kerberos).
If you configure the Barracuda Web Filter to use the NTLM authentication service, the Barracuda Web Filter can only recognize NTLM domain users and any local users you configure explicitly. No additional Proxy authentication services can be configured with the Barracuda Web Filter.
- The DC agents are not required for NTLM use alone, while they are needed for use with LDAP/AD and single sign on features.
- Forced proxy authentication.
In order for NTLM domain users to authenticate with the Barracuda Web Filter, you must enable this option on the Users/Groups > Configuration page.
- In order for an NTLM domain user to authenticate with the Barracuda Web Filter, the client machine?s web browser must be configured to use port 8080 of the Barracuda Web Filter as an HTTP proxy.
- NOTE: As of 7.x it is port 3128 Not 8080
- Once all of these conditions have been met, configuring NTLM authentication should be relatively simple. Just follow these steps:
- Click the NTLM tab on the Users/Groups > Authentication Services page.
- Enter information about your NTLM server:
- NTLM Domain Name - The name of the Windows domain (this should be available on your NTLM domain controller).
- NTLM Server IP - The IP address of the NTLM authentication server.
- NTLM Server Hostname - The hostname of your NTLM domain controller.
- Enter information about the NTLM domain user account that will be used to add the Barracuda Web Filter to the Windows domain:
- NTLM Username - The name of any NTLM account with administrative privileges.
- NTLM Password - The password for this NTLM account.
- Click the Join Domain button to add the Barracuda Web Filter to the Windows domain as a proxy server.
- Wait for the Configuration updated message.
- Click the Add button to add the NTLM server to the Barracuda Web Filter list of authentication servers. The NTLM server is added to the list in the Existing Authentication Services section, identified by the NTLM domain name.
Note: The Add button will be disabled until this NTLM server is deleted.
Be aware, some options on the Barracuda Web Filter will be restricted when using NTLM authentication. These restrictions apply:
- No login override of blocked pages.
Unlike local users or LDAP domain users, NTLM domain users cannot override a blocked page by logging in to provide credentials. That is, when a policy on the Barracuda Web Filter blocks Internet access for an NTLM user, the user will not be offered login fields at the bottom of the block message (even if you have enabled the Allow login override of blocked pages option in the Block/Accept > Configuration page). This also means that the Warn action is effectively the same as the Block action; users will not be able to proceed beyond the Warn page (though the Warn blocks will still be displayed separately on the Block/Accept > Warned Activity page).
- No logout option.
Unlike local users or LDAP domain users, NTLM domain users cannot log out when proceeding to a blocked page in order to surf anonymously. That is, when a policy on the Barracuda Web Filter blocks Internet access for an NTLM user, the user will not be offered a logout option at the bottom of the block message (even if you have enabled the Offer Logout option on the Block/Accept > Configuration page).
- NTLM domain users not listed.
Unlike local users or LDAP domain users, NTLM domain users are not listed on the Users/Groups > Account View page. However, the traffic for NTLM domain users can still be found on the Basic > Log, Basic > Applications Log, and Basic > Reports pages.
- NTLM realm not listed in syslog output.
Unlike local users or LDAP domain users, NTLM domain users are listed in the syslog output without a realm identifier.
Can use DC agent + NTLM + LDAP at same time on modern firmware
Link to This Page: