Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Symantec Web Gateway NTLM authentication support

Created: 06 Aug 2012 | 11 comments
Muhammad Ishaq Khan's picture

Hi there:

During Symantec Web Gateway configuration I enable http/https, ftp proxy, socks proxy and SSL intersection.

Most of my client’s machines are window 7 (as per different articles window 7 by default support NTLMv2). Kindly guide me that I need to change Window LAN security setting for NTLMv1 support?

Note: As it is not recommended because NTLMv1 is not secure protocol for authentication.

Best regards

Ishaq

Discussion Filed Under:

Comments 11 CommentsJump to latest comment

fferaboli's picture

Hi Ishaq,

Are you running Proxy + Inline or just Proxy mode?

Federico

Muhammad Ishaq Khan's picture

Dear Federico,

We are running proxy mode with http/https, SSL and FTP proxy.

I check my client machine and found that there is LAN security setting is define "not define" while on DC this setting is set  as "NTLMv2 Response only\refuse LM. Is it ok for SSL intersepection or we need to change it.

Best regards

Ishaq

Best Regards,                                     &nbsp

fferaboli's picture

Hi Ishaq,

Could you please try this and let me know the outcome?

To configure NTLM compatibility for Windows Vista and Windows 7

  1. Click Start > All Programs > Accessories > Run and type secpol.msc in the open box, and then click OK.
  2. Click Local Policies > Security Options > Network Security: LAN Manager authentication level.
  3. Click SendLM& NTLM - use NTLMv2 session security if negotiated.
  4. Click Apply.

Thanks!

Federico

Muhammad Ishaq Khan's picture

Dear Federico,

reference to SWG implementation guide page 81 'You can configure each individual computer on the

corporate network to send HTTPS traffic to Symantec Web Gateway HTTP/S proxy or to the SSL Deep Inspection proxy.'
 
kindly guide me how to configure a single client that use https proxy and SSL Deep Inspection proxy?
 
currently I configure http/https port configuration in internet explorer
 
Best regards
Ishaq

Best Regards,                                     &nbsp

Muhammad Ishaq Khan's picture

Dear Federico,

My requirement is that my client use both https and SSL deep inspection proxy.

Kindly reply back as soon as possible because it is urgent :)

Best regards

Ishaq

Best Regards,                                     &nbsp

fferaboli's picture

Hi,

So, this is a different topic. The steps to configure that are detailed into the SWG Implementation Guide 5.0, page 83 under Configuring the Symantec Web Gateway proxy for SSL Deep Inspection.

The steps you need to complete are:

  • Configure the proxy for SSL deep inspection on SWG
  • Configuring policies for SSL Deep Inspection on SWG
  • Configure browsers to use SSL Deep Inspection port for HTTPS and import the SWG certificate or your own certificate.

Please check the SWG Implementation Guide and make sure you verify these settings via Custom Reports.

HTH,

Federico

Muhammad Ishaq Khan's picture

Dear Federico,

Do you have any idea that how we configure SSL proxy at end users ????
 

secondaly if we only configure http/https proxy port in user browser that can swg monitor https traffic or not????

Best regards

Ishaq

Best Regards,                                     &nbsp

fferaboli's picture

Hi Ishaq,

my previous comments include that. Client machines must use the SSL deep inspection port on the browser (default 8443) and, the certificate that SWG will use to do that must be imported into the client machines to be trusted. 

If your concern is regarding the visibility of HTTPS traffic, if you only use the HTTP/S proxy instead, (i.e TCP ports 8080-8083) you will be able to monitor that traffic. Please check the documentation for the features that rely on SSL deep inspection.

Federico

Muhammad Ishaq Khan's picture

Dear Federico,

Thanks for your time and support! I still have some confussion:

- how I enable http/s & SSL proxy on endpoint.

- for SLP integration is I need SSL or not (if not then can my SLP solution can monitor HTTPS traffic or not).

Best regards

Ishaq

Best Regards,                                     &nbsp

fferaboli's picture

Hi Ishaq,

on the client machines, just configure the browsers:

  • if you are going to use Deep Inspection then configure your browsers to use the HTTP/S proxy for HTTP and the Deep Inspection port for HTTPS. Also import the SWG certificate as detailed in the documentation.
  • if you are not going to use Deep Inspection, just use the same HTTP/S proxy port for HTTP and HTTPS.

Check 

Symantec Web Gateway (SWG) - Best Practices: Proxy Mode

http://www.symantec.com/docs/TECH192087

Regards,

Federico

Muhammad Ishaq Khan's picture

Hi everybody,

How to define SSL proxy in PAC for Symantec Web Gateway

Regards

Ishaq

Best Regards,                                     &nbsp