Using NTLM proxy authentication

Websense Content Gateway provides the NTLM (NT LAN Manager) option to ensure that users in a
Windows network are authenticated before they access protected content on the Internet.
When you enable the NTLM option, the proxy challenges users who request content for proof of their
credentials. The proxy then sends the proof of the user’s credentials directly to the Windows domain
controller to be validated. If the credentials are valid, the proxy serves the requested content and stores
the credentials in the NTLM cache for future use. If the credentials are not valid, the proxy sends an
authentication failed message to the user.
Websense Content Gateway supports both transparent (Single Sign-On) and explicit authentication.
Transparent authentication is supported with Microsoft Internet Explorer 7 and 8, and Mozilla Firefox 2
and 3. Single Sign-On allows users to sign on only once, so that they can seamlessly access all authorized
network resources.
Therefore, if a user has already logged on to the Windows network successfully, the credentials specified
during Windows log on are used for authentication and the user is not prompted again for a username
and password. Explicit (basic) authentication is supported for other browsers. With explicit authentication,
users are prompted for a username and password before they can access the protected content.
Websense Content Gateway supports the use of backup domain controllers for failover. If the primary
domain controller does not respond to the proxy request, Websense Content Gateway contacts the next
domain controller in the list (the backup domain controller). For the next request, the proxy tries to
contact the primary domain controller again and then contacts the backup domain controller if the
connection fails.
Websense Content Gateway supports access to Windows NT domain controllers and Windows 2000,
2003, and 2008 Active Directory.

Restrictions:

1. WINS resolution is not supported. Domain controllers must have host names that can be
resolved by a DNS server.
2. Extended security is not supported and cannot be enabled on the domain controller.
3. NTLM2 session security is not supported and cannot be enabled on clients. In the Security
Settings area of the Windows operating system, inspect the Network Security: Minimum
session security settings.
4. NTLMv2 is not supported with Active Directory 2008. The required Network Security: LAN
Manager Authentication setting is described in step 5 of Configuring NTLM proxy
authentication, below.
5. Not all browsers support transparent NTLM authentication. See Browser limitations, page 110.
6. Credential caching is performed when:

o Authentication is transparent
o The requestor (client) is on the same domain as the domain controller, or on a domain that
has a trust relationship with the domain controller
o The browser is Internet Explorer 7 or 8*, or Mozilla Firefox 2 or 3

*Credential caching does not work with Internet Explorer 7 or 8 if Microsoft Patch MS09-13 has been
applied. For a work around, see the Websense Knowledge Base article “NTLM credentials not cached with
Internet Explorer 7 and 8”. To view the article, log in to MyWebsense, click on the Support tab, select
Websense Security Gateway from the Knowledge Base drop down list.
Configuring NTLM proxy authentication

1. Navigate to Configure > My Proxy > Basic > General.

2. In the Features table, click NTLM On in the Authentication section.
3. Click Apply.
4. Navigate to Configure > Security > Access Control > NTLM.
5. In the Domain Controller field, enter the host name of the primary domain controller, followed,
optionally, by a comma separated list of backup domain controllers. The format of the host name
must be:

host_name[:port][%netbios_name]
or
IP_address[:port][%netbios_name]

If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445.
If you do not use port 445, you must ensure that the Windows Network File Sharing service is
running on the Active Directory server. See your Windows Server 2008 documentation for details.

Note

If you are using Active Directory 2008, in the Windows Network Security configuration,
LAN Manager Authentication level must be set to Send NTLM response only. See
your Windows Server 2008 documentation for details.

6. Enable Load Balancing if you want the proxy to balance the load when sending authentication
requests to multiple domain controllers.

7. NTLM credential caching is enabled by default. To disable, under Credential caching select
Disable.
8. The default time-to-live (TTL) for credential caching is 3600 seconds (60 minutes). To change the
TTL value, enter a new value in the Caching TTL field. The range of supported values is 300 to
86400 seconds.

9. If some users use terminal servers to access the Internet through the proxy (e.g., Citrix servers),
you should create a list of those servers in the Multi-user Hostnames field. Credentials for
such users are not cached. Enter a comma separated list of host names. Names can include
simple regular expressions to match multiple host names, such as “tserver*” to match all host
names that start with “tserver”.

10. Click Apply.

11. Click Restart on Configure > My Proxy > Basic > General.

To configure Websense Content Gateway to allow certain clients access to specific sites on the Internet
without being authenticated by a domain controller, see Access Control, page 228.

Setting NTLM cache options in records.config

On the Content Manager Configure > Security > Access Control > NTLM page you can enable and
disable NTLM credential caching, set the time-to-live (TTL) value, and specify terminal server host names.
You can also change these values in records.config, along with a few other NTLM caching parameters.
By default, the NTLM cache is configured to store 15728640 entries and each entry is considered fresh
for 60 minutes (3600 seconds).

1. Open the records.config file located in the Websense Content Gateway config directory
(default location is in /opt/WCG/config).

2. Edit the following variables:

Variable
proxy.config.ntlm.cache.enabled
proxy.config.ntlm.cache.ttl_value
proxy.config.ntlm.cache.size
proxy.config.ntlm.cache.storage_size
Description
Set to 0 to disable the NTLM cache. When disabled,
Websense Content Gateway does not store any
credentials in the NTLM cache for future use.
Specify the amount of time (in seconds) that
Websense
Content Gateway can store entries in the NTLM
cache.
The supported range of values is 300 to 86400
seconds.
Specify the number of entries allowed in the NTLM
cache
Specify the maximum amount of space that the
NTLM cache can occupy on disk. This value should
be proportionate to number of entries in the NTLM
cache. For example, if each entry in the NTLM
cache is approximately 128 bytes and the number
of entries allowed in the NTLM cache is 5000, the
cache storage size should be at least 64000 bytes.

3. Save and close the file.

4. From the Websense Content Gateway bin directory (default location is in /opt/ WCG/bin), run
content_line -L to restart Websense Content Gateway on the local node or content_line -M to
restart Websense Content Gateway on all the nodes in a cluster.