Solutions

Setting up IWA authentication on the ProxySG

Solutions ID:    KB3117
Version:    3.0
Status:    Published
Published date:    07/21/2009
Updated:    09/21/2009
 

Problem Description

Setting up IWA authentication on the ProxySG?
How do I setup IWA or NTLM authentication on the ProxySG?
 

Resolution

Prerequisites:

  1. Make sure the version of the Blue Coat Authentication and Authorization Agent (BCAAA) is the correct version for your version of SGOS.  If in doubt, go to https://bto.bluecoat.com/download/ and select the version of SGOS you are running on your ProxySG.  Drill down to your version of SGOS and download the version of BCAAA listed for your version of SGOS.
  2. BCAAA must be installed on a Windows domain controller, or a member server that is a part of a domain, or a workstation that is a part of a domain.  If BCAAA is not installed on a domain controller, the member server or workstation must be able to find resources, such as domain controllers, on the network.  BCAAA will not work properly for IWA authentication if it is not installed into a domain environment.  Please see the BCAAA release notes for full details.
  3. Transparent vs. Explicit proxy deployment:  Make sure you know how the proxy will be deployed.  See GL8 or GL7 to understand what explicit and transparent mean.  The deployment is important to know so that when you are selecting authentication modes you select the proper one.


The installation will consist of three main parts.  They are as follows:

  1. Installing the BCAAA agent onto the Windows server.
  2. Configuring an IWA authentication realm.
  3. Setting up policy to take advantage of authentication.


Step 1 - Installing BCAAA on a Windows server:

  1. Check the BCAAA agent and make sure it is the correct version of BCAAA.  Please see https://bto.bluecoat.com/download/ to verify the correct BCAAA version for your version of SGOS. Remember that if you update SGOS on your ProxySG, you need to also update BCAAA.
  2. Install BCAAA onto a domain controller (PDC or BDC) or member server.
  3. When installing BCAAA, it will ask for a port number.  Port 16101 is the default port.  Make sure firewalls, intrusion detection devices (IDS), and other similar security devices allow this traffic to pass freely on the network.  If a port other than 16101 is used, make sure that other port number is not being used by a different application on the network.  Additionally, that other port needs to be allowed to pass any firewalls, IDSes and the like. 
  4. Set the number of listening threads for a connection.  99 is the maximum number of threads that can be allocated to listen to the port.  The default and recommended number is two.
  5. Certificate information/SSL.  To help simplify the installation, install without certificates or SSL.  That way if there are problems, you are not trying to troubleshoot if this is an SSL/certificate issue, or is this a BCAAA issue.  Later on if you decide to enable SSL communications between the ProxySG and BCAAA and there are problems, then you can work on fixing the SSL/certificate issues.
  6. Accept the configuration and complete the install.


Troubleshooting steps:

  • Make sure the BCAAA version is correct for the version of SGOS you are running.
  • Make sure the BCAAA service is running. 
  • Check if a firewall is running.  If so, disable the firewall, or allow traffic to and from TCP port 16101.
  • Check port configuration
  • Check certificates

 

Step 2 - Proxy configuration steps:

  1. Go to the Management Console (https://<proxy.ip.address>:8082/) on the ProxySG.  Select the Configuration tab > Authentication > IWA.  Make sure you are on the "IWA Realms" tab.  Click on the "New" button to add an IWA realm.
  2. Create the new IWA realm with the following parameters:
    1. Realm name:  Some_name_significant_for_your_organization
    2. Primary server host:  This is the IP address or hostname of the server running the BCAAA agent.  The ProxySG must be able to resolve the hostname, if used.
    3. Port:  16101  (Port 16101 is the default port.  This port number needs to be the same that was configured in Step 1.3 When installing BCAAA, it will ask for a port number  above.  Make sure all firewalls and so forth allow this traffic through from the ProxySG to the BCAAA agent server(s).)
    4. Click on the OK button to save your changes.  Next, click on the "Apply" button.
  3. Select the IWA Servers tab.  Look and make sure everything is correct.  If you wish to add an additional IWA server, you can add it here.  Make sure to click on the "Apply" button so the changes are committed to the ProxySG.  NOTE:  For simplicity sake, avoid using SSL between the ProxySG and the BCAAA server.  Once IWA is working correctly, then you can come back and enable the SSL option if you desire.
  4. Select the IWA General tab.  Verify that the settings are correct.

 

Step 3 - Policy configuration steps:

In order for authentication to be enforced, policy needs to be created that makes the end users authenticate.  The following steps put policy in place which will cause the ProxySG to authenticate connections going through it.  VERY IMPORTANT NOTE:  Not all applications (custom applications, music download clients, and so forth) know how to handle authentication requests made by the proxy.  Some devices and operating systems may also fall into that category.  Workstations that are not a part of the Windows domain may prompt the user for authentication.  (This may happen when non-domain workstations are connected to your network and they try to get out to the Internet.)  When these cases arise, it may be necessary to either bypass authentication for those applications, operating systems, and devices, or use some sort of substitute authentication policy.  Please see Blue Coat's Enhanced Authentication Use Cases Tech Brief found at https://bto.bluecoat.com/support/technicalbriefs/SGOS%205 .  You may need a BlueTouch Online username and password in order to obtain the above mentioned Tech Brief.

  1. Launch the Management Console by going to https://<ip.address.of.proxysg>:8082/  and login.
  2. Click on the Configuration tab > Policy > Visual Policy Manager > Launch .
  3. Click on Policy > Add Web Authentication Layer... > (Give the layer a meaningful name) and click the OK button.
  4. In the "Action" column, right click and select Set > New > Autheticate.
    1. Name:  Give it a meaningful name.
    2. Realm:  Use the IWA realm name that was created earlier.
    3. For "Mode", you can select "Auto".  Please see KB article KB2877 for additional details regard authentication modes.
    4. Click on the OK button twice.
    5. NOTE:  If your Proxy is already in production and you are adding IWA authentication, you may want to test the new authentication policy by defining the "Source" column with the IP address of a test workstation or a test subnet.  That way if there are authentication problems, they are only limited to your test workstations and not your entire network.  Once you have tested authentication and you feel confident, then you can remove that restriction.  As previously mentioned, there may be some applications that are not authentication friendly.  You can create policy that allows those applications to not authenticate, while all the other requests are allowed to authenticate.  Please see KB3294 for some examples on how to bypass ProxySG authentication.
  5. With the web authentication layer installed, you will need to create a rule that allows authenticated users out.  So create a new rule in your web access layer.
  6. Right click in the Source column and select Set.  Then select Authenticated User in the list and then click on the OK button.  NOTE:  If you are testing a particular IP address, you may need to create a combined source object where it will match with an authenticated user AND IP address.
  7. NOTE:  If your default policy is allow, you will want to block all your objectional material before the rule that allows authenticated users out to the Internet.  You will also need to put any rules in place for applications, workstations, that can be allowed out without authentication before the authentication rule.
  8. Optional browse test:  If you want to test your connection to the BCAAA server, in the web access layer in the source column, right click and select Set > New > and select either User or Group.  For the "Authentication Realm", select your IWA realm.  Then click on the "Browse" button.  If everything is functioning as expected, then you should see your Active Directory tree.  If everything works as expected, just cancel out all the changes made.  If you were unable to browse the directory tree, then you need to troubleshoot why that does not function.
  9. Once everything looks good, click on the "Install Policy" button.
  10. Test.  Make sure you applications and web browsers work as expected.


NOTES:

  • If the workstation and user are in the same domain as the BCAAA agent, the user should not be prompted for authentication.  There are some exceptions, but generally, this is the rule.
  • If the workstation and the user are in a different domain than the BCAAA agent, then the user will get prompted for a username and password each time the web browser is opened.
  • For assistance setting up IWA authentication in a transparent deployment while intercepting SSL, please see KB2921

Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question