Lab 3: Explicit Proxy Authentication – NTLM

In this lab exercise, you will reconfigure authentication for seamless login of AD domain-joined client using NTLM.

Estimated completion time: 25 minutes

Objectives:

  • Enable APM client-side NTLM authentication for the SWG explicit proxy
  • Test web browsing behavior

Lab Requirements:

  • Lab 1 previously completed successfully (working SWG iApp deployment)

Task 1 – Logout and log back in as domain user

  • Logout of the windows remote desktop.
  • Login as a domain user with the following credentials (Switch User/Other User):
    • Username : F5DEMO\\user1
    • Password: AgilityRocks!

Task 2 – Join BIG-IP to Domain

  • Use Firefox to access the BIG-IP GUI (https://10.1.1.10, admin/admin)

  • Browse to Access ›› Authentication : NTLM : Machine Account

  • Click Create

  • Fill out the fields as follows:

    • Name: agility-ntlm
    • Machine account: bigip1
    • Domain FQDN: f5demo.com
    • Domain controller FQDN: f5demo-dc.f5demo.com
    • Admin user: admin
    • Admin password: AgilityRocks!

    image26

  • Click Join

  • Create a new NTLM Auth Configuration

  • Browse to Access ›› Authentication : NTLM : NTLM Auth Configuration

  • Click Create

    Name: agility-ntlm

    Machine Account Name: agility-ntlm

    Domain controller FQDN: f5demo-dc.f5demo.com

    Click Add

    image27

  • Click Finished

Task 3 – Create a new Access Policy

  • Browse to Access >> Profiles / Policies >> Access Profiles (Per-Session Policies) and click Create…
  • Name the profile AP_Explicit_NTLM
  • Change the Profile Type to SWG-Explicit

Under Configurations:

Modify User Identification Method to Credentials

Modify NTLM Auth Configuration to agility-ntlm

  • Add English to Accepted Languages

  • Accept all other default settings and click Finished

  • Click on the Edit… link for the appropriate Access Policy created above

  • On the VPE browser tab, select the + between Start and Deny and Add a NTLM Auth Result object (from the Authentication tab)

  • Click Save

  • On the Successful branch of the NTLM Auth Result Object, click on the Deny Ending and change it to Allow

  • Click Save

  • Click Apply Access Policy

    image28

Task 4 – Reconfigure SWG iApp to apply NTLM Access Policy

  • Browse to “iApps >> Application Services > Applications
  • Click on SWG
  • Click Reconfigure
  • Find the section Which SWG-Explicit Access Policy do you want to use?
  • Change the per-request policy to AP_Explicit_NTLM
  • Browse to the bottom and click Finished

Task 5 – Testing

Before testing, close all browser sessions and kill all session in the GUI under Access > Overview > Active Sessions

  • Open Internet Explorer on your Jump Host client machine
  • Browse to https://www.f5.com. The browser should not prompt you for authentication since NTLM authentication is happening in the background (transparent to the user).
  • Examine the user session details under Access > Overview > Active Sessions. Click on the session ID for details. You can see that NTLM authentication was performed.

image29image30