Manual Chapter : NTLM Authentication for SWG Forward Proxy

Applies To:

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Overview: Authenticating SWG users with NTLM

You can include authentication in the access policy in a Secure Web Gateway (SWG) explicit or transparent forward proxy configuration. However, if the first site that a user accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent this from happening, F5® recommends using Kerberos or NTLM authentication.

To use NTLM authentication, you must specify an NTLM Auth Configuration when you configure the access profile for SWG explicit or SWG transparent forward proxy. If an NTLM Auth Configuration does not yet exist on the BIG-IP® system, use these steps to configure it.

Task summary

Configuring a machine account

You configure a machine account so that Access Policy Manager® (APM®) can establish a secure channel to a domain controller.
  1. On the Main tab, click Access Policy > Access Profiles > NTLM > Machine Account.
    A new Machine Account screen opens.
  2. In the Configuration area, in the Machine Account Name field, type a name.
  3. In the Domain FQDN field, type the fully qualified domain name (FQDN) for the domain that you want the machine account to join.
  4. Optional: In the Domain Controller FQDN field, type the FQDN for a domain controller.
  5. In the Admin User field, type the name of a user who has administrator privilege.
  6. In the Admin Password field, type the password for the admin user.
    APM uses these credentials to create the machine account on the domain controller. However, APM does not store the credentials and you do not need them to update an existing machine account configuration later.
  7. Click Join.
This creates a machine account and joins it to the specified domain. This also creates a non-editable NetBIOS Domain Name field that is automatically populated.
Note: If the NetBIOS Domain Name field on the machine account is empty, delete the configuration and recreate it; the field is then populated.

Creating an NTLM Auth configuration

Create an NTLM Auth configuration to specify the domain controllers that a machine account can use to log in.
  1. On the Main tab, click Access Policy > Access Profiles > NTLM > NTLM Auth Configuration.
    A new NTLM Auth Configuration screen opens.
  2. In the Name field, type a name.
  3. From the Machine Account Name list, select the machine account configuration to which this NTLM Auth configuration applies.
    You can assign the same machine account to multiple NTLM authentication configurations.
  4. For each domain controller, type a fully qualified domain name (FQDN) and click Add.
    Note: You should add only domain controllers that belong to one domain.
    By specifying more than one domain controller, you enable high availability. If the first domain controller on the list is not available, Access Policy Manager® tries the next domain controller on the list, and so on in order.
  5. Click Finished.
This specifies the domain controllers that a machine account can use to log in.

Maintaining a machine account

In some networks, administrators run scripts to find and delete outdated machine accounts on the domain controllers. To keep the machine account up-to-date, you can renew the password periodically.
  1. On the Main tab, click Access Policy > Access Profiles > NTLM > Machine Account.
    The Machine Account screen opens.
  2. Click the name of a machine account.
    The properties screen opens and displays the date and time of the last update to the machine account password.
  3. Click the Renew Machine Password button.
    The screen refreshes and displays the updated date and time.
This changes the machine account's last modified time.
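
To see from the Active Directory side whether a machine account is close to being treated as outdated, you can check its password age. The following is an added example, not part of the F5 manual or product: the function name, the 90-day cleanup threshold, the 14-day margin and the sample account names are assumptions, and it assumes the APM machine account appears in the domain as a computer object.

```powershell
# Added example, not F5 code. Classifies machine accounts by password age,
# the value a stale-account cleanup script is assumed to key on.
function Get-MachinePasswordAge {
    [CmdletBinding()]
    param(
        # Object with Name and PasswordLastSet, e.g. Get-ADComputer output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,
        [int]$CleanupAfterDays = 90,   # assumed threshold of the cleanup script
        [int]$WarnMarginDays = 14,     # assumed safety margin before that
        [datetime]$Now = (Get-Date)
    )
    process {
        $age = $null
        $status = 'NeverSet'           # no password timestamp recorded
        if ($null -ne $Account.PasswordLastSet) {
            $age = [int][math]::Floor(($Now - $Account.PasswordLastSet).TotalDays)
            if ($age -ge $CleanupAfterDays) {
                $status = 'Stale'      # a cleanup run would select it
            } elseif ($age -ge ($CleanupAfterDays - $WarnMarginDays)) {
                $status = 'RenewNow'   # renew the machine password in APM
            } else {
                $status = 'OK'
            }
        }
        [pscustomobject]@{
            Name            = $Account.Name
            PasswordLastSet = $Account.PasswordLastSet
            AgeDays         = $age
            Status          = $status
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'apm-ntlm-01'; PasswordLastSet = [datetime]'2024-03-10' }
    [pscustomobject]@{ Name = 'old-host';    PasswordLastSet = [datetime]'2023-11-01' }
    [pscustomobject]@{ Name = 'new-host';    PasswordLastSet = [datetime]'2024-05-20' }
    [pscustomobject]@{ Name = 'unset-host';  PasswordLastSet = $null }
)
$sample | Get-MachinePasswordAge -Now ([datetime]'2024-06-01') | Format-Table

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADComputer -Identity 'apm-ntlm-01' -Properties PasswordLastSet |
#       Get-MachinePasswordAge
```

An account reported as RenewNow is the cue to use the Renew Machine Password button described above before the next cleanup run.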