Application Note
Configuring Integrated Windows Authentication as McAfee Firewall Enterprise Authenticator
McAfee Firewall Enterprise version 7.x and 8.x

Use this Application Note to implement transparent browser authentication on McAfee Firewall Enterprise version 7.x and 8.x. By working in conjunction with a Microsoft Windows Domain Controller, users who are already logged into a domain can authenticate to the firewall transparently using NTLM. You can also use this Application Note to configure McAfee SmartFilter to use NTLM credentials.

COPYRIGHT
Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

Overview

In this document:
- Overview
- Configuring the Windows Domain Controller
- Configuring the Firewall Enterprise
- Configuring the users' browsers
- Appendix

Configuring Integrated Windows Authentication (NTLM) as a McAfee Firewall Enterprise authenticator allows users to authenticate HTTP or HTTPS connections without entering their credentials. By working in conjunction with a Windows Domain Controller (Windows DC), users who are already logged into a Windows domain can authenticate to the firewall transparently using NTLM. You can also configure McAfee SmartFilter to apply Active Directory group-based policy by using the NTLM credentials obtained by the firewall.

Refer to Figure 1. This diagram illustrates:
- The user is prompted for authentication when first logging into the Windows domain.
- The user does not receive additional prompts when connecting to the Internet.

Figure 1 Network diagram of Integrated Windows Authentication (components: Windows Domain Controller, internal users, Firewall Enterprise, Internet; flows: authentication when the user logs into the Windows domain, NTLM authentication for the initial HTTP request, all subsequent authenticated HTTP requests)

Using Passport with NTLM

McAfee recommends using the Firewall Enterprise Passport authenticator in conjunction with NTLM. While NTLM authentication allows users to browse the web without being prompted for their credentials, there is an authentication exchange for each HTTP or HTTPS request. Each exchange consists of multiple protocol messages between the client, Firewall Enterprise, and the Windows DC. These exchanges can result in unnecessary load on the Windows DC, reduced performance, and unexpected authentication prompts for the client. Use the Firewall Enterprise Passport authenticator in conjunction with NTLM to avoid these overhead-related issues. Since Passport caches the first successful NTLM authentication exchange, additional authentication exchanges on subsequent HTTP or HTTPS requests are not needed.
Configuration process

To set up Passport authentication with an NTLM authenticator, perform the following procedures:
1 Configuring the Windows Domain Controller
2 Configuring the Firewall Enterprise
3 Configuring the users' browsers

To configure McAfee SmartFilter to use NTLM credentials, see Configuring McAfee SmartFilter and NTLM in the Appendix.

Configuring the Windows Domain Controller

To configure your Windows DC to allow NTLM requests from Firewall Enterprise, perform the appropriate procedure:
- Configuring Windows Server 2008
- Configuring Windows Server 2003

Security note: the procedures below disable SMB signing on the domain controller and on domain members, and they allow NTLM (and optionally LM) responses. SMB signing is what protects SMB sessions against relay and tampering, and LM responses are trivially crackable, so treat these settings as a deliberate reduction of the domain's security posture: choose Send NTLM response only unless legacy clients require LM, limit the changes to the systems that actually need them where your environment allows, and document the exception.

Configuring Windows Server 2008

To configure a Windows Server 2008 DC, perform the following procedures:
1 Modifying the Default Domain Controllers Policy
2 Modifying the Default Domain Policy
3 Making your configuration changes active

Modifying the Default Domain Controllers Policy

To modify the Default Domain Controllers Policy:
1 Select Start > Administrative Tools > Group Policy Management. The Group Policy Management window appears.
2 In the Console Tree, expand Forest: your_domain > Domains > your_domain > Group Policy Objects, then right-click Default Domain Controllers Policy and select Edit. The Group Policy Management Editor appears.
3 In the Group Policy Management Editor Console Tree, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, then select Security Options.
4 In the list of Policy items, right-click Microsoft network server: Digitally sign communications (always), then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b Select Disabled.
  c Click OK. The pop-up window closes.
5 In the list of Policy items, right-click Network security: LAN Manager authentication level, then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b From the drop-down list, select one of the following options as appropriate for your network:
    - Send LM & NTLM responses
    - Send LM & NTLM - use NTLMv2 session security if negotiated
    - Send NTLM response only
    Note: Record your selection. You will use this setting in Modifying the Default Domain Policy.
  c Click OK. The pop-up window closes.
6 Close the Group Policy Management Editor. You return to the Group Policy Management window.

Modifying the Default Domain Policy

To modify the Default Domain Policy:
1 In the Group Policy Management window Console Tree, expand Forest: your_domain > Domains > your_domain, then right-click Default Domain Policy and select Edit. The Group Policy Management Editor appears.
2 In the Group Policy Management Editor Console Tree, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, then select Security Options.
3 In the list of Policy items, right-click Microsoft network server: Digitally sign communications (always), then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b Select Disabled.
  c Click OK. The pop-up window closes.
4 In the list of Policy items, right-click Microsoft network server: Digitally sign communications (if client agrees), then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b Select Disabled.
  c Click OK. The pop-up window closes.
5 In the list of Policy items, right-click Network security: LAN Manager authentication level, then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b From the drop-down list, select the option that you chose in Modifying the Default Domain Controllers Policy, Step 5.
  c Click OK. The pop-up window closes.
6 Close the Group Policy Management Editor and the Group Policy Management window.

Making your configuration changes active

By default, the Windows DC adopts the new policy within five minutes, and domain members adopt the new policy within two hours. To make your configuration changes effective immediately, perform the following steps. Note that gpupdate refreshes policy only on the machine where it is run: run it on the DC, and also on any domain member you intend to test from (or wait for that member's refresh interval).
1 Select Start > Programs > Accessories > Command Prompt. The Command Prompt window appears.
2 In the Command Prompt window, type gpupdate, then press Enter. When the command is complete, the following text appears:
  User Policy update has completed successfully.
  Computer Policy update has completed successfully.
The Windows DC is now configured to accept NTLM authentication requests from Firewall Enterprise.

Configuring Windows Server 2003

To configure a Windows Server 2003 DC, perform the following procedures:
1 Modifying the Domain Controller Security Policy
2 Modifying the Domain Security Policy
3 Making your configuration changes active

Modifying the Domain Controller Security Policy

To modify the Default Domain Controller Security Policy:
1 Select Start > Administrative Tools > Domain Controller Security Policy. The Default Domain Controller Security Settings window appears.
2 In the Console Tree, expand Local Policies, then select Security Options.
3 In the list of Policy items, right-click Microsoft network server: Digitally sign communications (always), then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b Select Disabled.
  c Click OK. The pop-up window closes.
4 In the list of Policy items, right-click Network security: LAN Manager authentication level, then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b From the drop-down list, select one of the following options as appropriate for your network:
    - Send LM & NTLM responses
    - Send LM & NTLM - use NTLMv2 session security if negotiated
    - Send NTLM response only
    Note: Record your selection. You will use this setting in Modifying the Domain Security Policy.
  c Click OK. The pop-up window closes.
5 Close the Default Domain Controller Security Settings window.

Modifying the Domain Security Policy

To modify the Default Domain Security Policy:
1 Select Start > Administrative Tools > Domain Security Policy. The Default Domain Security Settings window appears.
2 In the Console Tree, expand Local Policies, then select Security Options.
3 In the list of Policy items, right-click Microsoft network server: Digitally sign communications (always), then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b Select Disabled.
  c Click OK. The pop-up window closes.
4 In the list of Policy items, right-click Microsoft network server: Digitally sign communications (if client agrees), then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b Select Disabled.
  c Click OK. The pop-up window closes.
5 In the list of Policy items, right-click Network security: LAN Manager authentication level, then select Properties. In the pop-up window that appears:
  a Confirm that Define this policy setting is selected.
  b From the drop-down list, select the option that you chose in Modifying the Domain Controller Security Policy, Step 4.
  c Click OK. The pop-up window closes.
6 Close the Default Domain Security Settings window.

Making your configuration changes active

By default, the Windows DC adopts the new policy within five minutes, and domain members adopt the new policy within two hours. To make your configuration changes effective immediately, perform the following steps (on the DC, and on any domain member you intend to test from).
1 Select Start > Programs > Accessories > Command Prompt. The Command Prompt window appears.
2 In the Command Prompt window, type gpupdate, then press Enter. When the command is complete, the following text appears:
  User Policy Refresh has completed.
  Computer Policy Refresh has completed.
The Windows DC is now configured to accept NTLM authentication requests from Firewall Enterprise.
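The Group Policy procedures above (for both Windows Server 2008 and 2003) end with gpupdate but give you no way to confirm that the three Security Options actually took effect, or that another GPO is not overriding them. The following PowerShell script is an added example, not part of the McAfee application note: it reads back the registry values that those three policy settings control and reports whether the machine now matches the procedure. It assumes the standard, documented Windows locations for these values (LmCompatibilityLevel under the Lsa key; RequireSecuritySignature and EnableSecuritySignature under the LanmanServer parameters key), and that it is run in an elevated session.

```powershell
# Added example, not part of the McAfee application note: after gpupdate, read back the
# registry values behind the three Security Options edited above and report whether this
# machine now matches the note's procedure. Run it elevated on the domain controller, and
# again on a domain member before testing from that client.
#
# Assumptions (not stated by the note): the standard Windows locations and meanings of
#   LmCompatibilityLevel      HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
#   RequireSecuritySignature  HKLM:\...\Services\LanmanServer\Parameters  ("always")
#   EnableSecuritySignature   HKLM:\...\Services\LanmanServer\Parameters  ("if client agrees")

$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the value (or its key) does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Describe-SigningValue {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    if ($Value -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Get-NtlmPolicyState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    $lm       = Get-RegistryDword $lsa 'LmCompatibilityLevel'
    $always   = Get-RegistryDword $srv 'RequireSecuritySignature'
    $ifAgrees = Get-RegistryDword $srv 'EnableSecuritySignature'

    # The note's three drop-down choices are levels 0, 1 and 2. A missing value means the
    # OS default applies (3 on Windows Server 2008 and later), i.e. the policy did not land.
    if ($null -eq $lm) { $lmText = 'not set (OS default applies)' }
    else               { $lmText = "$lm = $($LmLevelNames[$lm])" }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        LmCompatibilityLevel       = $lmText
        SignCommunicationsAlways   = Describe-SigningValue $always
        SignCommunicationsIfAgrees = Describe-SigningValue $ifAgrees
        # True only when the values reflect the procedure above; if False, use gpresult
        # below to see which GPO is winning.
        MatchesNoteProcedure       = ($always -eq 0) -and ($null -ne $lm) -and ($lm -le 2)
    }
}

# Refresh Computer policy first, then show what is actually in effect.
gpupdate /target:computer | Out-Null
Get-NtlmPolicyState | Format-List

# Which GPOs supplied these settings: expect the Default Domain Controllers Policy on a DC
# and the Default Domain Policy on members, not some other GPO overriding them.
gpresult /scope:computer /r
```

If MatchesNoteProcedure is False on a domain member shortly after the change, it is usually only the refresh interval; run the script again after gpupdate has completed on that member. A persistent mismatch with the expected values points at a higher-precedence GPO that defines the same setting, which gpresult lists.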
Configuring the Firewall Enterprise

To use NTLM authentication, you must configure the Firewall Enterprise NTLM authenticator, the Passport authenticator, and the HTTP rule(s) that will use the Passport authenticator.

Configuring authenticators

Two Firewall Enterprise authenticators must be used together to achieve transparent browser authentication with NTLM and Passport. You must first configure the NTLM authenticator so that the firewall can communicate with your Windows DC. Then, configure the Passport authenticator to cache the credentials that are obtained by the NTLM authenticator.

Configuring an NTLM authenticator

The NTLM authenticator only needs to be set up once.
Note: If you have already configured an NTLM authenticator, no changes are needed.

To configure an NTLM authenticator:
1 Gather the IP address, port, and name of the target Windows Domain Controller you plan to use.
2 In the Admin Console, select Policy > Rule Elements > Authenticators.
3 Click the New icon and select Windows. The New Authenticator window appears.
4 Click New to add your Windows Domain Controller. Use the information gathered in Step 1 and click Add.
  Note: Ensure that the Windows Domain Controller Name is the system name of the controller and not the domain name.
5 In the Authentication method area, select Transparent (NTLM) and click Add.
  Note: The transparent authentication feature is supported with Windows Domain Controllers only. Other types of authentication servers are not supported.
6 Save your changes.

Configuring the Passport authenticator

Passport (previously known as Single Sign-On) works in conjunction with a specified authentication method to cache a user's initial authentication, thereby reducing authentication overhead and allowing access to multiple services with a single successful authentication to the firewall.

Configuring Passport for a version 7.x firewall

Perform these steps to configure Passport to cache NTLM credentials.
1 In the Admin Console, select Policy > Rule Elements > Authenticators.
2 Select Passport from the list of authenticators.
3 In the Authenticators to establish Passport credentials list, select the NTLM authenticator that you created in Configuring an NTLM authenticator.
4 From the Default authenticator drop-down list, select that same NTLM authenticator.
5 In the Authenticators to establish Passport credentials list, clear all other authenticators.
6 Make sure that Require Web login is deselected, then save your changes.
7 Verify that the Passport rule is enabled.
  Note: The Passport rule must be enabled for Passport authentication to function.
  a Select Policy > Rules. The Rules window appears.
  b Select the rule titled Passport.
  c If the Passport rule is disabled, click Enable in the toolbar.
  d Save your changes.

Configuring Passport for a version 8.x firewall

Perform these steps to configure Passport to cache NTLM credentials.
1 In the Admin Console, select Policy > Rule Elements > Passport.
2 Click the General tab.
3 In the Establish passport credentials area, select the Active checkbox.
4 Under Authentication mode, select Inband.
5 In the Authenticators to establish Passport credentials list, select the NTLM authenticator that you created in Configuring an NTLM authenticator.
6 From the Default authenticator drop-down list, select that same NTLM authenticator.
7 In the Authenticators to establish Passport credentials list, clear all other authenticators.
8 Save your changes.

Adding NTLM authentication to rules

NTLM authentication is enforced via proxy rules on a per-rule basis. The following procedure explains how to enable NTLM authentication on HTTP traffic in conjunction with the Passport authenticator.

Enabling NTLM authentication for a version 7.x firewall

Perform these steps to enable NTLM authentication for HTTP traffic.
1 Select Policy > Rules. If you are creating a new rule, click New Rule, then fill in the Name, Source, and Destination areas. If you are modifying an existing rule, select the rule, then click Modify.
2 In the Service field, select or verify the HTTP proxy service the rule will use. If you want to allow HTTPS connections as well, create a service group that contains both the HTTP and HTTPS proxies, and select that service group on the rule.
  Note: McAfee recommends the non-transparent HTTP (NT-HTTP) connection type. If your rule allows transparent HTTP and HTTPS connections, users must visit a non-encrypted site (HTTP) before visiting encrypted sites (HTTPS): the firewall can only insert the Passport authentication redirect into a plaintext HTTP response, and the Passport credential established there then also covers the user's HTTPS connections.
3 From the Authenticator drop-down list, select Passport.
4 Save your changes.
NTLM authentication will now be performed on HTTP connections that match the rule.

Enabling NTLM authentication for a version 8.x firewall

Perform these steps to enable NTLM authentication for HTTP traffic.
1 Select Policy > Access Control Rules. If you are creating a new rule, click New Rule, then fill in the Name, Source, and Destination areas. If you are modifying an existing rule, select the rule, then click Modify.
2 Under Applications, select or verify the HTTP proxy service the rule will use. The default ports that allow HTTP and HTTPS are 80 and 443. Select Override ports if you require ports other than the default ports.
  Note: McAfee recommends the non-transparent HTTP (NT-HTTP) connection type. If your rule allows transparent HTTP and HTTPS connections, users must visit a non-encrypted site (HTTP) before visiting encrypted sites (HTTPS), for the reason given in the version 7.x procedure above.
3 From the Authenticator drop-down list, select <None/Passport>.
4 Under Source, click Users and Groups.
5 Click the Groups tab and select the <Authenticated> checkbox.
6 Click OK and save your changes.
NTLM authentication will now be performed on HTTP connections that match the rule.

Configuring the users' browsers

To configure users' browsers to perform Integrated Windows Authentication with Firewall Enterprise, perform the appropriate procedure:
- Configuring Microsoft Internet Explorer
- Configuring Mozilla Firefox

Configuring Microsoft Internet Explorer

To configure Microsoft Internet Explorer, perform the following steps.
Note: This procedure is valid for Microsoft Internet Explorer version 6 or later.
1 From the Tools menu, select Internet Options. The Internet Options window appears.
2 Add the firewall IP address to the Local intranet zone.
  a Click the Security tab.
  b Select Local intranet, then click Sites. A pop-up window appears.
  c Click Advanced. An additional pop-up window appears.
  d In the Add this website to the zone field, type https://firewall_ip, where firewall_ip is the firewall IP address that the domain routes traffic to.
  e Click Add. The firewall IP address is added to the list of Local intranet websites.
  f Close the pop-up windows until you return to the Security tab on the Internet Options window.
3 Modify security settings for the Local intranet zone.
  a On the Security tab, click Custom level. The Security Settings - Local Intranet Zone window appears.
  b Under Miscellaneous, enable the Allow META REFRESH option.
  c Under User Authentication, select one of the following options:
    - Automatic logon only in Intranet zone
    - Automatic logon with current user name and password
    Both options let Internet Explorer answer an NTLM challenge from a Local intranet site, such as the firewall you added in Step 2, without prompting. Do not enable automatic logon for the Internet zone: that would send the user's NTLM response to any Internet site that asks for it.
  d Click OK to close the Security Settings - Local Intranet Zone window.
4 Modify security settings for the Internet zone.
  a Select Internet, then click Custom level. The Security Settings - Internet Zone window appears.
  b Under Miscellaneous, enable the Allow META REFRESH option.
  c Click OK to close the Security Settings - Internet Zone window.
5 Enable the transparent authentication option.
  a Click the Advanced tab.
  b Under Security, select Enable Integrated Windows Authentication.
    Tip: You must scroll down to see this option.
  c Click OK to close the Internet Options window.
  d Restart Internet Explorer.

Configuring Mozilla Firefox

To configure Mozilla Firefox, perform the following steps.
Note: This procedure is valid for Mozilla Firefox version 1.0 or later.
1 Start Firefox.
2 In the address bar, type about:config, then press Enter.
3 In the Filter field, type ntlm. The search results appear.
4 Double-click network.automatic-ntlm-auth.trusted-uris. The Enter string value window appears.
5 Type the IP address of the firewall, then click OK. List only the firewall here: every host in this preference receives the user's NTLM response automatically.
6 Restart Firefox.
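The two browser procedures above are per-workstation, per-user clicks. The following PowerShell script is an added example, not part of the McAfee application note: it writes the same Internet Explorer settings (Local intranet zone membership for the firewall, Allow META REFRESH in the Local intranet and Internet zones, automatic logon only in the Intranet zone, and Enable Integrated Windows Authentication) and the same Firefox preference (network.automatic-ntlm-auth.trusted-uris) for the current user, so they can be delivered from a logon script. The registry value names and zone numbers are the documented Internet Explorer ones; the firewall address (10.0.0.1) is a constructed placeholder; the script assumes IE reads its zone settings from HKCU (the "Security Zones: Use only machine settings" policy would move them to HKLM) and that Firefox is closed while user.js is written.

```powershell
# Added example, not part of the McAfee application note: apply the Internet Explorer and
# Firefox settings from the two browser procedures above for the current user, so they can
# be pushed from a logon script instead of clicked through on every workstation.
#
# Assumptions (not stated by the note):
#   - $Firewall is the firewall IP address the note uses, or the firewall host name if
#     Passport is later configured to redirect to a host name (see the Appendix).
#   - IE reads these values from HKCU; if the "Security Zones: Use only machine settings"
#     policy is enabled, the same keys must be written under HKLM instead.
#   - Firefox is not running while user.js is written; it applies user.js at next start.

param([string]$Firewall = '10.0.0.1')   # constructed placeholder, replace with your firewall

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Add-SiteToLocalIntranetZone {
    # Equivalent of Security > Local intranet > Sites > Advanced > Add "https://<site>".
    param([string]$Site)
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($Site, [ref]$parsed)) {
        # IE keeps IP entries under ZoneMap\Ranges\RangeN with the address in ':Range'.
        $rangesKey = "$ZoneMap\Ranges"
        $existing = Get-ChildItem -Path $rangesKey -ErrorAction SilentlyContinue |
            Where-Object { (Get-ItemProperty -Path $_.PSPath).':Range' -eq $Site }
        if ($existing) {
            $key = @($existing)[0].PSPath
        } else {
            $n = 1
            while (Test-Path "$rangesKey\Range$n") { $n++ }
            $key = (New-Item -Path "$rangesKey\Range$n" -Force).PSPath
            New-ItemProperty -Path $key -Name ':Range' -Value $Site -PropertyType String -Force | Out-Null
        }
    } else {
        # Host names go under ZoneMap\Domains\<host>.
        $key = (New-Item -Path "$ZoneMap\Domains\$Site" -Force).PSPath
    }
    # Value name is the scheme, data is the zone number: 1 = Local intranet.
    # Only https, matching the note's https://firewall_ip.
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Set-IeZoneSecurity {
    # Custom level settings. 1608 = Allow META REFRESH (0 = Enable). 1A00 = Logon:
    #   0x00000 = Automatic logon with current user name and password
    #   0x20000 = Automatic logon only in Intranet zone
    # Both are offered by the note for Local intranet; 0x20000 is written here.
    foreach ($zone in '1', '3') {                       # 1 = Local intranet, 3 = Internet
        Set-ItemProperty -Path "$Zones\$zone" -Name '1608' -Value 0 -Type DWord
    }
    Set-ItemProperty -Path "$Zones\1" -Name '1A00' -Value 0x20000 -Type DWord
    # Advanced > Security > Enable Integrated Windows Authentication
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
        -Name 'EnableNegotiate' -Value 1 -Type DWord
}

function Set-FirefoxTrustedUri {
    # Same effect as editing network.automatic-ntlm-auth.trusted-uris in about:config.
    # user.js is re-read at startup and overrides prefs.js.
    param([string]$Site)
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $pref = 'user_pref("network.automatic-ntlm-auth.trusted-uris", "{0}");' -f $Site
    Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $userJs = Join-Path $_.FullName 'user.js'
        # Drop any earlier copy of the pref before appending, so repeated runs stay clean.
        $keep = @()
        if (Test-Path $userJs) {
            $keep = @(Get-Content $userJs | Where-Object { $_ -notmatch 'network\.automatic-ntlm-auth\.trusted-uris' })
        }
        Set-Content -Path $userJs -Value ($keep + $pref) -Encoding ASCII
    }
}

Add-SiteToLocalIntranetZone -Site $Firewall
Set-IeZoneSecurity
Set-FirefoxTrustedUri -Site $Firewall
Write-Output "Browser settings for $Firewall written for $env:USERNAME; restart Internet Explorer and Firefox."
```

The script deliberately touches only the Local intranet zone's logon setting and adds only the firewall to that zone, which is the narrowest configuration that satisfies the procedure; widening either (more sites in the zone, or automatic logon in the Internet zone) widens the set of hosts that can obtain the user's NTLM response.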
Appendix

This section covers additional issues related to NTLM. The following topics are included:
- Configuring McAfee SmartFilter and NTLM
- Avoiding certificate errors
- Avoiding unsupported configurations

Configuring McAfee SmartFilter and NTLM

Firewall Enterprise can work together with McAfee SmartFilter to control users' Internet access by performing content filtering. When NTLM authentication is used in the firewall rules that allow users' web traffic, SmartFilter supports using Active Directory groups in the SmartFilter policy.

Requirements

Before configuring Firewall Enterprise and SmartFilter to share group information, make sure you have completed the following.

Firewall Enterprise:
- Enabled and configured SmartFilter.
- Configured the firewall to use the same Windows Domain Controller as SmartFilter.
  Note: The Windows DC must have an LDAP directory populated with the appropriate user groups.

SmartFilter:
- Installed and configured the SmartFilter Admin Console and SmartFilter Admin Server.
  Note: If you plan to allow some users override privileges, also install and configure the SmartFilter Authentication Server.
- Configured SmartFilter to point to the same Windows DC that the Firewall Enterprise points to.
  Note: The Windows DC must have an LDAP directory populated with the appropriate user groups.
- Created the SmartFilter policies that you will assign to the user groups.

SmartFilter and Firewall Enterprise configuration

1 In the SmartFilter Admin Console, add the LDAP directory.
  a In the top panel, select Enterprise Settings.
  b In the lower panel, select Directory Resources.
  c Click Add, then configure the following fields:
    - In the Name field, enter the host name of your domain controller.
    - In the Address field, enter the host name or IP address of your domain controller.
    - From the Type drop-down list, select Active Directory.
  d Select Allow Windows NTLM Authentication.
  e Click Auto Config. A pop-up window appears.
  f In the pop-up window, enter your directory credentials, then click OK. Another pop-up window appears.
  g In the pop-up window, select the path that contains the SmartFilter groups the firewall will use, then click Select. You return to the Directory Resources window.
  h Click OK. The domain controller is added to the list of directory resources.
2 Add the LDAP directory to the appropriate firewall plugin.
  a In the top panel, select Individual Plugins, then select the firewall plugin.
  b In the bottom panel, select Apply Policies > Configure Groups > Directories.
  c Move the LDAP directory from the right-hand area to the left-hand area.
  d If you have more than one directory listed, position them in the order SmartFilter should search them.
  e Click OK. A confirmation window appears.
  f Click Yes.
3 Match each user group to a SmartFilter policy.
  a In the bottom panel, select Apply Policies > Group Policies.
  b Click Add.
  c Use the Search Directories button (...) to look up groups on the LDAP directory.
  d For each group, select the appropriate policy, then click OK.
4 In the toolbar, click the Download Control List icon to obtain the latest control list.
5 Deploy your changes to the firewall plugin.
6 On the Firewall Enterprise, find the rule you created or modified in Adding NTLM authentication to rules. Make sure that SmartFilter is enabled on the rule's Application Defense.
7 Save your changes.
Your Firewall Enterprise now filters web traffic according to the assigned SmartFilter policy and Active Directory groups.

Granting users SmartFilter override capabilities

You may want to allow some users to override SmartFilter policy. Follow this procedure to grant override privileges to users that require them.
Note: To follow this procedure, you must have the SmartFilter Authentication Server installed.
1 In the SmartFilter Admin Console, add the LDAP directory to the SmartFilter Authentication Server.
  a In the top panel, select Authentication Servers, then select the authentication server.
  b In the lower panel, select Authentication Directories.
  c Move the LDAP directory from the right-hand area to the left-hand area.
  d If you have more than one directory listed, position them in the order SmartFilter should search them.
  e Click OK.
2 Select the SmartFilter Authentication Server on the firewall plugin.
  a In the top panel, select Individual Plugins, then select the firewall plugin.
  b In the lower panel, select Set Advanced Options > Authentication.
  c Ensure that the authentication server is selected from the SmartFilter Authentication Server drop-down list.
  d Click OK.
3 Configure override accounts.
  a In the bottom panel, select Apply Policies > Overrides.
  b Click Add.
  c Use the Search Directories button (...) to browse to the LDAP directory containing the user groups to be used with the firewall.
  d Find each user that requires override capabilities, and add their name to the list.
  e Click OK.
4 Deploy your changes to the firewall plugin.

Avoiding certificate errors

Most modern browsers examine the SSL certificates presented to them to ensure they are valid and trusted. Passport presents an SSL certificate to users' browsers when authentication takes place.

Issues to address

You may need to address some or all of the following issues to avoid certificate errors during Passport authentication:
- The Passport certificate must be signed by a Certificate Authority (CA) that is trusted by the browser. For details, see the Certificate/Key Management chapter of the McAfee Firewall Enterprise Administration Guide.
- The Common Name (CN) used in the Distinguished Name (DN) of the Passport certificate must match the host name of the firewall. Current browsers match the host name against the certificate's Subject Alternative Name (SAN) entries rather than the CN, so include the firewall host name as a DNS SAN as well. For details, see the Certificate/Key Management chapter of the McAfee Firewall Enterprise Administration Guide.
- The client (browser) must be able to resolve the firewall's host name to the IP address of the firewall in the same zone using DNS.
- Passport must be configured to redirect authentication sessions to the host name of the firewall rather than its IP address.

By default, Passport uses a self-signed SSL certificate. To satisfy the conditions above, you may need to create or import a new certificate for use with Passport. To select a different Passport certificate, go to Policy > Application Defenses > Defenses > HTTPS > Passport, and select the desired certificate from the Firewall certificate drop-down list.
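The conditions under "Issues to address" are easy to check from a client before users start seeing warnings. The following PowerShell script is an added example, not part of the McAfee application note. Test-PassportCertificate checks DNS resolution of the firewall host name, that the certificate's DNS name (SAN, falling back to CN) matches it, and that the chain is trusted by this client. Get-PassportRedirectTarget fetches a plain-HTTP page through the rule without following the redirect and reports whether Passport sends the browser to an IP address or a host name; since the IE procedure requires Allow META REFRESH, the script looks for the redirect both in a Location header and in a META REFRESH page. The host names, probe URL and port are constructed placeholders; the proxy URI is only needed with the non-transparent (NT-HTTP) proxy the note recommends.

```powershell
# Added example, not part of the McAfee application note: run from a client workstation to
# check the "Issues to address" conditions for the Passport certificate and redirect.
#
# Assumptions (not stated by the note): the firewall host name and the HTTPS port Passport
# listens on are passed in; $ProbeUrl is any http:// site allowed by the NTLM rule;
# $ProxyUri is needed only with the non-transparent (NT-HTTP) proxy recommended above.

param(
    [string]$FirewallHostName = 'fw.example.test',     # constructed placeholder
    [int]$Port = 443,
    [string]$ProbeUrl = 'http://www.example.test/',   # constructed placeholder
    [string]$ProxyUri = ''                            # e.g. http://fw.example.test:80 for NT-HTTP
)

function Test-PassportCertificate {
    param([string]$HostName, [int]$Port = 443)
    $r = [ordered]@{
        HostName = $HostName; Resolves = $false; ResolvedTo = @()
        Subject = $null; NameMatchesHost = $false; ChainTrusted = $false; NotAfter = $null
    }
    try {
        $r.ResolvedTo = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() })
        $r.Resolves = $r.ResolvedTo.Count -gt 0
    } catch { return [pscustomobject]$r }     # DNS condition failed: nothing more to check

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so a bad certificate can still be inspected; the
        # verdict comes from the explicit checks below, not from the handshake.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
        # DnsName returns the Subject Alternative Name when present, otherwise the CN,
        # which is the order browsers use.
        $name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $r.NameMatchesHost = ($name -ieq $HostName)
        $r.ChainTrusted = $cert.Verify()       # chain built against this client's trust store
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$r
}

function Get-PassportRedirectTarget {
    param([string]$ProbeUrl, [string]$ProxyUri = '')
    $req = [System.Net.HttpWebRequest]::Create($ProbeUrl)
    $req.AllowAutoRedirect = $false          # keep the firewall's first answer
    if ($ProxyUri) { $req.Proxy = New-Object System.Net.WebProxy($ProxyUri) }
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response         # a 401/407 challenge still carries headers and a body
        if ($null -eq $resp) { throw }
    }
    try {
        $status = [int]$resp.StatusCode
        $target = $resp.Headers['Location']
        if (-not $target) {
            # Passport may answer with a META REFRESH page instead of a 3xx.
            $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
            if ($body -match 'http-equiv\s*=\s*["'']?refresh["'']?[^>]*url\s*=\s*["'']?([^"''\s>]+)') {
                $target = $Matches[1]
            }
        }
    } finally { $resp.Close() }

    if (-not $target) {
        # Not redirected: the Passport credential is already cached for this client, the
        # firewall challenged directly (401/407), or the matching rule has no authenticator.
        return [pscustomobject]@{ StatusCode = $status; RedirectTarget = $null; RedirectsToIpAddress = $null }
    }
    $base = New-Object System.Uri $ProbeUrl
    $uri  = New-Object System.Uri($base, $target)    # resolves a relative target too
    [pscustomobject]@{
        StatusCode           = $status
        RedirectTarget       = $uri.AbsoluteUri
        RedirectHost         = $uri.Host
        # True means the sso_hostname change described next is still needed.
        RedirectsToIpAddress = ($uri.HostNameType -in 'IPv4', 'IPv6')
    }
}

Test-PassportCertificate -HostName $FirewallHostName -Port $Port | Format-List
Get-PassportRedirectTarget -ProbeUrl $ProbeUrl -ProxyUri $ProxyUri | Format-List
```

Run the redirect check from a client that has not yet authenticated (or after its Passport credential has expired), otherwise the cached credential suppresses the redirect and the probe reports nothing. A result with NameMatchesHost and ChainTrusted both True but RedirectsToIpAddress True is exactly the case the next section fixes: the certificate is fine, but the browser is sent to an address the certificate does not name.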
Configuring Passport to redirect to a host name

By default, Passport redirects authentication sessions to the firewall IP address in the same zone as the client. This may cause certificate warnings, since web browsers compare the redirect destination to the host name in the SSL certificate presented by Passport. To avoid these errors, you can configure Passport to redirect authentication sessions to the firewall's host name.
Note: Your firewall must be at version 7.0.0.05 or later to redirect Passport sessions to a host name.

To configure Passport to redirect to a host name, edit the httppd.conf file, then restart the HTTP and HTTPS proxies.
1 Open the httppd.conf file.
  a In the Admin Console, go to Maintenance > File Editor, then click Start File Editor in the right pane. The File Editor window appears.
  b From the File menu, select Open. The Open File window appears.
  c In the Source field, select Firewall File.
  d In the File field, type /secureos/etc/proxy/httppd.conf, then click OK. The httppd.conf file opens in the File Editor.
2 Edit the httppd.conf file.
  a Scroll down to the SSO host name comments section (see Figure 2 Example configuration change).
  b After the SSO comments, type the following:
    sso_hostname(* firewall_hostname)
    where firewall_hostname is the firewall host name. It must be the name the clients resolve and the name in the Passport certificate, otherwise the redirect simply moves the certificate warning from the IP address to a mismatched name.
    Note: This modification affects Passport redirection for all zones. You can also configure the redirection behavior on a per-zone basis. See the comments in httppd.conf for details.
  c Save your changes, then close the File Editor.
3 Restart the HTTP and HTTPS proxies.
  a Select Monitor > Service Status. The Service Status window appears.
  b To restart the HTTP proxy, right-click http in the Service list, then select Restart.
  c To restart the HTTPS proxy, right-click https in the Service list, then select Restart.
  Tip: If either proxy is not running, it will not appear in the list of services. The changes you made will take effect when the proxy is enabled.
Passport will now redirect authentication sessions to the host name you specified in httppd.conf.

Avoiding unsupported configurations

NTLM authenticates a connection, not an individual request, so the firewall treats each connection as a single person. If you have a caching device set up between your internal users and your firewall, the caching device presents its own connections to the firewall on behalf of all users, and the firewall attributes everything carried on a connection to whichever user authenticated it. This configuration will not accurately authenticate users and can cause problems. It is unsupported.

Figure 3 Unsupported caching configuration (Windows Domain Controller; internal users; caching server placed between the users and McAfee Firewall Enterprise; Internet)

Using a caching server on the external side of the firewall does not cause the same problem, because the firewall still sees each internal user's own connection.

700-3248A00