Applies To:

Show Versions Show Versions

Manual Chapter: NTLM Authentication for SWG Forward Proxy
Manual Chapter
Table of Contents   |   << Previous Chapter

NTLM Authentication for SWG Forward Proxy

Overview: Authenticating SWG users with NTLM

You can include authentication in the access policy in a Secure Web Gateway (SWG) explicit or transparent forward proxy configuration. When you do so if the first site that a user accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent this from happening, F5® recommends using Kerberos or NTLM authentication.

To use NTLM authentication, you will need to select an NTLM Auth configuration when you configure the access profile for SWG. Before you start your SWG configuration, if you plan to use NTLM authentication, make sure that the required NTLM authentication objects exist. NTLM authentication requires that a machine account and an NTLM Auth configuration exist on the BIG-IP® system.

Task summary

Configuring a machine account

You configure a machine account so that Access Policy Manager® (APM®) can establish a secure channel to a domain controller.
  1. On the Main tab, click Access Policy > Access Profiles > NTLM > Machine Account .
    A new Machine Account screen opens.
  2. In the Configuration area, in the Machine Account Name field, type a name.
  3. In the Domain FQDN field, type the fully qualified domain name (FQDN) for the domain that you want the machine account to join.
  4. Optional: In the Domain Controller FQDN field, type the FQDN for a domain controller.
  5. In the Admin User field, type the name of a user who has administrator privilege.
  6. In the Admin Password field, type the password for the admin user.
    APM uses these credentials to create the machine account on the domain controller. However, APM does not store the credentials and you do not need them to update an existing machine account configuration later.
  7. Click Join.
This creates a machine account and joins it to the specified domain. This also creates a non-editable NetBIOS Domain Name field that is automatically populated.
Note: If the NetBIOS Domain Name field on the machine account is empty, delete the configuration and recreate it. The field populates.

Creating an NTLM Auth configuration

Create an NTLM Auth configuration to specify the domain controllers that a machine account can use to log in.
  1. On the Main tab, click Access Policy > Access Profiles > NTLM > NTLM Auth Configuration .
    A new NTLM Auth Configuration screen opens.
  2. In the Name field, type a name.
  3. From the Machine Account Name list, select the machine account configuration to which this NTLM Auth configuration applies.
    You can assign the same machine account to multiple NTLM authentication configurations.
  4. For each domain controller, type a fully qualified domain name (FQDN) and click Add.
    Note: You should add only domain controllers that belong to one domain.
    By specifying more than one domain controller, you enable high availability. If the first domain controller on the list is not available, Access Policy Manager® tries the next domain controller on the list, successively.
  5. Click Finished.
This specifies the domain controllers that a machine account can use to log in.

Maintaining a machine account

In some networks, administrators run scripts to find and delete outdated machine accounts on the domain controllers. To keep the machine account up-to-date, you can renew the password periodically.
  1. On the Main tab, click Access Policy > Access Profiles > NTLM > Machine Account .
    The Machine Account screen opens.
  2. Click the name of a machine account.
    The properties screen opens and displays the date and time of the last update to the machine account password.
  3. Click the Renew Machine Password button.
    The screen refreshes and displays the updated date and time.
This changes the machine account last modified time.
Table of Contents   |   << Previous Chapter

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)