Forum Discussion

xunil321_122934
Jul 13, 2016

APM Explicit Proxy iApp and User Auth

Dear all,

we are using Brett Smith's explicit proxy iApp and are trying to implement some sort of user authentication to control internet access.

For instance, applying such a profile

does not work: the client's browser (IE) is directed immediately to the logout page WITHOUT showing us the Message Box.

Any hints or ideas are welcome!

THX, Rainer

 

10 Replies

  • Hello, possible explanation: you never ask for NTLM authentication, thus when you check the authentication it's failing? I think you should have at least a 401 authentication to prompt end user authentication, and an ECA profile attached to the virtual and associated NTLM config in APM.

  • Arnaud,

    you are saying to follow Kevin's excellent guide, isn't it:

    https://devcentral.f5.com/s/articles/configuring-apm-client-side-ntlm-authentication

    By the way, why is this profile not working:

    Start ---fallback--- Message Box ---fallback--- Deny

    At least I would expect to see the content of the Message Box, which we don't.

  • Sorry,

    I mean this profile:

    Start ---fallback--- Message Box ---fallback--- ALLOW

    We see the logout page and no message box output in /var/log/apm.

  • And to respond to your question: NTLM auth is a bit tricky, it's running "before" policy evaluation; in case of failure you're dropped without going through the VPE.

  • Now I'm totally confused since we have only applied this VPE:

    Start ---fallback--- Message Box ---fallback--- ALLOW

    There is no NTLM auth defined; nevertheless we see the logout page and no message box output in /var/log/apm.

    Strange, isn't it?

  • If you set up the NTLM configuration as in Kevin's guide, with the ECA profile and iRule, it should trigger authentication on the client side. Can you see the NTLM exchange in a pcap or via the browser dev tools?

  • What we did at the moment is this:

    1. Installation of the APM Explicit Proxy iApp

    https://devcentral.f5.com/s/articles/apm-explicit-proxy

    2. Applying this simple profile

    3. Nothing else

    At least I would expect to see the content of the Message Box, which we don't.

    We are directed immediately to the logout page. Why?

  • I would have a good look at whether you configured it all correctly: connected the right access policy, applied the policy, things like that.

    Which version, by the way?

  • Aah, now I got it after reading the manual chapter "Explicit Forward Proxy".

    The iApp mentioned above is creating a tunnel where another virtual server can be defined to listen on the tunnel for the requested outbound connection, and the system processes the outbound traffic before it leaves the device.

    For my further understanding: why is a tunnel established by the explicit proxy? I mean, where is this tunnel, in the BIG-IP or between BIG-IP and the client or ...?

    Many thanks for any explanation!

    Rainer
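The tunnel Rainer asks about lives entirely inside the BIG-IP: the explicit-proxy virtual server forwards each outbound request into the tunnel, and a second virtual server bound to that tunnel is where the system processes the traffic before it leaves the device. The tmsh objects below are an added illustration of that relationship, not the iApp's generated configuration or Brett Smith's code; every object name (http-tunnel, dns-example, vs-explicit-proxy, vs-tunnel, the 10.0.0.1:3128 listener) is an assumed placeholder, the exact attribute set varies by TMOS version, and the comment lines are annotations for the reader.

```tmsh
# Tunnel the explicit proxy hands outbound requests to.
# It exists only inside the BIG-IP; the client never sees it.
net tunnels tunnel http-tunnel {
    profile tcp-forward
}

# HTTP profile in explicit-proxy mode, pointing at that tunnel.
# dns-example is an assumed "net dns-resolver" object that must exist.
ltm profile http http-explicit-proxy {
    defaults-from http-explicit
    proxy-type explicit
    explicit-proxy {
        default-connect-handling allow
        dns-resolver dns-example
        tunnel-name http-tunnel
    }
}

# 1) Virtual server the browsers are pointed at as their proxy
#    (assumed address and port).
ltm virtual vs-explicit-proxy {
    destination 10.0.0.1:3128
    ip-protocol tcp
    profiles {
        tcp { }
        http-explicit-proxy { }
    }
}

# 2) Virtual server that listens ONLY on the tunnel. Traffic arrives
#    here after the proxy step, before it leaves the device, so this
#    is the listener the thread refers to as "listening on the tunnel".
ltm virtual vs-tunnel {
    destination 0.0.0.0:any
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
    }
    vlans { http-tunnel }
    vlans-enabled
}
```

Before loading anything like this on a real system, compare it against the objects the iApp actually created (tmsh list ltm virtual, net tunnels tunnel) so the tunnel name and profiles match what APM already references.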