Applicable Version: 10.02.0 Build 206 onwards
Overview
NTLM (NT LAN Manager), also known as Windows Challenge/Response, is a suite of security protocols that offers authentication, integrity and confidentiality to users. It is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.
NTLM uses an encrypted challenge/response mechanism in which clients are able to get authenticated without sending a password over the wire. Here, credentials consist of a domain name, a user name, and a one-way hash of the user's password obtained via an Interactive Authentication Process. The system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.
Scenario
Configure Cyberoam to allow authentication of users and user groups using NTLM.
Configuration
NTLM is configured in Cyberoam by following the steps given below. All configuration is done from the Web Admin Console using the “Administrator” profile.
Note:
NTLM is a browser-initiated authentication method. Hence, in Cyberoam, it is at lower priority than other authentication methods like:
- Corporate Client
- Clientless Single Sign-On
- Client-based Single Sign-On
NTLM is used as a fallback if all of the above authentication methods fail. If NTLM also fails, the Captive Portal is displayed, through which the user can authenticate.
Step 1: Integrate Cyberoam with Active Directory
It is required to integrate Cyberoam with Active Directory (AD) to facilitate authentication of users and user groups. For details on how to integrate Cyberoam with Active Directory, refer to "Integrate with Active Directory" in the Related Articles section at the end of this article.
Step 2: Enable NTLM
Go to System > Administration > Appliance Access. Under Authentication Services, enable NTLM access for the required zones. In this example, NTLM is enabled for the LAN zone.
Step 3: Configure Firewall Rules
Configure the LAN_WAN_AnyTraffic Rule (Default Rule 1), as shown below, to impose strict authentication.
Note:
The above rule will not apply if the user’s first request is an HTTPS request. In such cases, edit the parameters of the LAN_WAN_AnyTraffic rule as listed below.
Parameter | Value
Name | LAN_WAN_AnyTraffic
Zone | Source: Any; Destination: Any
Attach Identity | Disabled
Network/Host | Source: Any; Destination: Any
Services | Any
Schedule | All the time
Action | Accept
Apply NAT |
Web Filter | Deny All
Step 4: Configure Web Browser to support NTLM
Configure your web browser to allow NTLM Authentication. For details on how to configure your web browser, refer to "Configure NTLM Support in Web Browsers" in the Related Articles section at the end of this article.
Document Version: 1.0 – 19/03/2012