Applies where all of the following apply:
- All Barracuda Web Filter appliances.
- All versions of Web Filter firmware.
- Devices installed in a forward proxy configuration with NTLM or Kerberos authentication.
Using Kerberos or NTLM authentication schemes allows multiple users from the same IP address to be identified for logging and policy application. However, using this scheme typically requires some advanced configuration, particularly for applications that do not explicitly support NTLM/Kerberos authentication. If you notice a particular application is not working with an upstream Barracuda Web Filter, the source of the problem may involve proxy authentication incompatibility. Typical symptoms include authentication prompts, cache access denied messages, and 407 errors. Applications without NTLM/Kerberos support will not pass on a user’s authentication to the Barracuda Web Filter, and in turn their web traffic will be rejected without a block page.
The simplest resolution to this situation is to disable proxying for applications that are experiencing errors when forwarding to the Barracuda Web Filter. This may not always be possible, particularly with applications that do not offer the option to disable proxying. These applications read their proxy settings automatically from Internet Options. In this case, the only option to resolve this issue is to configure the Barracuda Web Filter to exempt that application's traffic from proxy authentication requirements, then whitelist any domains it accesses for unauthenticated users.
Follow these steps to determine the traffic the application is sending, then exempt that traffic:
1. First, install Wireshark (http://www.wireshark.org/download.html).
2. Open Wireshark, click the Capture menu, then select Interfaces.
3. Select the appropriate network interface for your web traffic, then click Start.
4. Run the application that is causing the issue, and reproduce the issue.
5. Click the Capture menu again, and select Stop.
6. Within Wireshark, find the Filter field, and enter the following string: http.response.code == 407
7. If the issue is with proxy authentication, you will see entries here indicating 407 Proxy Authentication Required responses from the Barracuda Web Filter.
8. Right-click the Wireshark entry showing the 407 error, then select “Follow TCP Stream”.
9. At the top of the new window, find the GET or CONNECT request associated with the 407 error. For example, it may show “GET http://download.cdn.mozilla.net/pub/mozilla.mar”.
10. Log into the Barracuda Web Filter and navigate to Advanced > Proxy.
11. Scroll down to Proxy Authentication Exemptions, and enter the domain from the GET or CONNECT request in the Regular Expression field. Note that this field requires the domain to be added in regular expression format. More information on regular expression format can be found in Solution 00006365. Using the example from step 9, the entry would be ^http://([^:/]*\.)?download\.cdn\.mozilla\.net/.*$
12. In the Barracuda Web Filter, navigate to Block/Accept > Domains. Select the Unauthenticated policy from the top right, and add download.cdn.mozilla.net to the Whitelist.
13. The application will most likely attempt to access multiple domains or IPs. Repeat steps 2 through 12 until no further 407 responses are captured by Wireshark.
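The following is an added example, not Barracuda code: it takes the request lines read from the Follow TCP Stream window, builds an exemption entry in the same shape as the article's example, and checks that the entry does not also exempt lookalike hosts. It assumes Python's re module treats this simple pattern the same way the Regular Expression field does; the function names, the updates.example.com host and the lookalike URLs are constructed for illustration, and the article shows only the http:// form of the entry.

```python
import re

# Constructed sample: request lines as seen at the top of "Follow TCP Stream"
# for requests the proxy answered with 407 (not captured from a real network).
SAMPLE_REQUEST_LINES = [
    "GET http://download.cdn.mozilla.net/pub/mozilla.mar HTTP/1.1",
    "CONNECT updates.example.com:443 HTTP/1.1",
    "GET http://download.cdn.mozilla.net/pub/other.mar HTTP/1.1",
    "POST /relative/path HTTP/1.1",  # not a proxy-style GET/CONNECT: ignored
]

HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def host_from_request_line(line):
    """Return the host named in a proxy-style GET or CONNECT line, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1].lower()
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    elif method == "GET" and target.startswith("http://"):
        host = target[len("http://"):].split("/", 1)[0].split(":", 1)[0]
    else:
        return None
    return host if HOSTNAME.match(host) else None

def exemption_regex(host):
    """Same shape as the article's example entry; every dot in the host escaped."""
    return r"^http://([^:/]*\.)?" + host.replace(".", r"\.") + r"/.*$"

def hosts_to_exempt(lines):
    """Distinct hosts in first-seen order (the Whitelist entries)."""
    hosts = []
    for line in lines:
        host = host_from_request_line(line)
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def overmatched(pattern, host):
    """Constructed lookalike URLs that `pattern` would also exempt."""
    lookalikes = [
        "http://%s.example.invalid/x" % host,       # host used as a prefix
        "http://not%s/x" % host,                    # extra text before the host
        "http://%s/x" % host.replace(".", "x", 1),  # first dot swapped
        "http://example.invalid/%s/" % host,        # host only in the path
    ]
    return [u for u in lookalikes if re.match(pattern, u)]
```

An entry for which overmatched() returns a non-empty list would let unauthenticated traffic to other hosts through, so tighten it before entering it under Proxy Authentication Exemptions.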
If the issue persists, please contact Barracuda Support or the technical support resources offered by your application vendor.
Sometimes, an application vendor may be aware of the issue, and publish a list of domains or IPs to exempt from proxy authentication. Please check with your software vendor for this list, then apply these domains to Proxy Authentication Exemptions under Advanced > Proxy as outlined above.
For assistance with specifically exempting iTunes from proxy authentication, please see Solution #00006223.
For assistance with specifically exempting Office 2013 from proxy authentication, please see Solution #00006395.