Set up the NTLM Agent and SWG for Proxy Authentication
Environment
Skyhigh Web Gateway (SWG) 10.2.x, 9.2.x, 8.2.x
Overview
You have configured SWG to authenticate to a domain controller. But, the connection between SWG and the domain controller is either limited by a firewall or you've disabled the legacy SMBv1 protocol. To resolve this issue, you can configure SWG to communicate with an authentication broker, the NTLM Agent. SWG can then replay authentication messages to the agent, which then performs a system call and lets Windows validate credentials. Windows then performs the operations that it's configured to do, and avoids or removes any compatibility issues.
The connection to this agent requires only a single free definable port to be opened, but the agent must be installed on a member server of the domain.
NOTE: You must have a user account set up before the logon. Contact the Skyhigh Security Support if you need any help.
Install the NTLM Agent
- Download the NTLM Agent installation files from the Content and Cloud Security Portal.
- Double-click the installer file and follow the on-screen installation instructions.
When the installation completes, the NTLM Agent is installed and configured to run as a service on the server. - You see a McAfee icon displayed for the agent in the notification area, next to the clock. Right-click the icon.
You see the menu containing the basic options for using the NTLM Agent. - From the menu, install the service and then start the service.
- Click the Configure option to open the NTLM Agent configuration window and configure the settings for the NTLM Agent.
NOTE: The configuration window consists of two parts. The left side allows you to configure the agent settings. The right side displays the status of the NTLM Agent and other information. For more information about this pop-up window, see the "Related Information" field.
Configure the NTLM Agent
- Configure the Network Settings as needed:
The Network Settings section of the configuration window is used to specify the settings needed for enabling the NTLM Agent to operate within a network.
- Listener Port: Use this field to enter the number of the port on the domain controller that's listening for requests from SWG. Make sure that the value that you enter here corresponds to the one that's specified for the setup of SWG.The default port number used by SWG is 9531.
- Use SSL: Select this field if requests are to use SSL encryption. Make sure that this setting is the same as the setting already configured in SWG.
- Max Connections: Use this field to enter the maximum number of connections that can be set up for communication between the NTLM Agent and the clients. You can restrict the number of parallel connections that the NTLM Agent allows to fight potential attacks.
NOTE: Usually, each instance of SWG opens one connection. But, while changing the SWG settings or if the agent is used multiple times in the settings string of SWG, a few more connections are needed. The default value is 5.
- Working Threads per Connection: Use this field to enter the maximum number of working threads used on one open connection. The default value is 5.
- Default Domain: Use this field to enter a default domain. A default domain is entered when the requests sent by the clients to SWG use the basic authentication method.
- Configure the Allowed Clients entry:
The Allowed Clients section of the configuration window is used to specify the clients that are allowed to connect to the NTLM Agent.
- List field: The list field below the Allowed Clients heading displays a list of the allowed clients. You can edit this list using the Input Field and buttons below.
NOTE: If an asterisk (*) is displayed, it means that all clients are allowed. This value is the default.
- Input field: Use this field to enter a client that you want to add to the list of allowed clients:
- Enter the IP address of the client and click Add.
- Enter an asterisk (*) and allow all clients.
- Highlight an entry and click Del to delete a client.
- Click Apply Changes.
- Click Close to close the configuration window.
Configure SWG
Connect SWG to the newly installed NTLM Agent.
- Open the Authentication Settings window:
Click Policy, Settings, Engines, Authentication. - Right-click Authentication and choose Add.
- Under Name enter a new name, for example NTLM Agent.
- Under NTLM-Agent-Specific Parameters, enter the agent specifics:
- See the "NTLM Agent Specific Parameters (SWG)" section of the Skyhigh Web Gateway Interface Reference Guide. It contains a list of specific parameters.
- If the Use SSL option in the NTLM-Agent configuration window is selected, you must enable the Use secure Agent connection.
- In the Agent definition field, enter either the fully qualified domain name or IP addresses of the servers where you earlier installed the NTLM Agent.
- Save your changes.
NOTE: If you don't save your changes, all further authentication tests might fail.
- Apply the changes; click OK.
To test credentials after you connect to the NTLM Agent, view the information returned in an authentication test:
- Select the Policy, Add Settings tab.
- In the left pane under Engines, select Authentication.
- In the right pane, under Authentication Method, select your configured NTLM-Agent engine.
- Expand Authentication Test by selecting either of the down arrows on either side of Authentication Test.
- For User and Password, enter your domain credentials and click Authenticate User.
Under Test Results, you see the message Authentication OK when the connection is established.
Related Information
You can use the right panel of the NTLM Agent window to review the statistics of the agent:
- Status: The Status section of the configuration window is used to display the status of the clients that are connected to the NTLM Agent.
The messages displayed in this field contain status information about the clients. For example, if a connection to a client has been opened or closed, and when the action occurs. To view all messages displayed here, use the scroll bars next to this field. - Statistics: The Statistics section of the configuration window is used to display communication statistics relating to client and NTLM Agent activities.
The following fields are listed here:- Authentications: Displays the number of authentications successfully performed by the NTLM Agent for requests sent by the clients
- Challenges: Displays the number of challenges sent by the NTLM Agent to the clients using SWG
- Denied: Displays the number of client requests denied by the NTLM Agent
- Errors: Displays the number of requests that were made by clients to the NTLM Agent, but which couldn't be processed because of an error
- Connected Clients: Displays the IP addresses of the clients that are currently connected to the NTLM Agent
- NTLM Requests: Displays the number of requests using the NTLM authentication method
- Basic Auth Requests: Displays the number of requests using the basic authentication method