Applies To: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Overview: Authenticating SWG users with NTLM
You can include authentication in the access policy in a Secure Web Gateway (SWG) explicit or transparent forward proxy configuration. When you do so, if the first site that a user accesses uses HTTP instead of HTTPS, passwords are passed in clear text. To prevent this from happening, F5 recommends using Kerberos or NTLM authentication.
This implementation includes steps for configuring the NTLM authentication objects that you need to have in place before you configure NTLM authentication in an SWG explicit or transparent forward proxy access policy.
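The risk described above is easiest to see in the Proxy-Authorization header itself. The following is an added example, not code from the F5 documentation or from APM: it audits constructed proxy requests, flags Basic credentials carried on a plain-HTTP first request as clear-text exposure (Basic is reversible base64, not encryption), and parses the NTLMSSP signature and message type from an NTLM token to show that the NTLM exchange carries negotiate/challenge/response material rather than the password. The sample headers, usernames, and flag bits are all constructed for this demonstration.

```python
"""Audit Proxy-Authorization headers for clear-text credential exposure.

Added example, not part of the F5 documentation. All sample traffic below is
constructed for this demonstration.
"""
import base64
import struct
from dataclasses import dataclass
from typing import Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


@dataclass
class AuthFinding:
    transport: str                     # "http" or "https" for the client's first request
    scheme: Optional[str]              # "Basic", "NTLM", or None when no header is present
    cleartext_credentials: bool        # True when a passive observer can read the password
    username: Optional[str] = None     # recovered only for Basic, to show what is exposed
    ntlm_message_type: Optional[str] = None


def parse_ntlm_token(token_b64: str) -> str:
    """Return the NTLM message type name from a base64 NTLMSSP token.

    Raises ValueError if the token lacks the 8-byte NTLMSSP signature.
    """
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)   # little-endian MessageType field
    return NTLM_MESSAGE_NAMES.get(msg_type, f"UNKNOWN({msg_type})")


def audit_request(transport: str, proxy_authorization: Optional[str]) -> AuthFinding:
    """Classify one Proxy-Authorization header and flag clear-text credential exposure."""
    if not proxy_authorization:
        return AuthFinding(transport, None, False)
    scheme, _, token = proxy_authorization.partition(" ")
    if scheme.lower() == "basic":
        # Basic is an encoding, not encryption: on a plain-HTTP request anyone on
        # the path reads user and password directly. Only the user is kept here.
        user, _, _password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
        return AuthFinding(transport, "Basic", transport == "http", username=user)
    if scheme.lower() == "ntlm":
        # NTLM carries a negotiate/challenge/response exchange; the password
        # itself never crosses the wire, so the transport scheme does not expose it.
        return AuthFinding(transport, "NTLM", False, ntlm_message_type=parse_ntlm_token(token))
    return AuthFinding(transport, scheme, False)


def make_ntlm_negotiate() -> str:
    """Build a minimal, constructed NTLM Type 1 (NEGOTIATE) token for the sample traffic."""
    flags = 0xA2088207                            # constructed flag set; only the layout matters
    body = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
    body += struct.pack("<HHI", 0, 0, 0) * 2      # empty DomainName and Workstation fields
    return base64.b64encode(body).decode()


# Constructed sample traffic: (transport of the first request, Proxy-Authorization header).
SAMPLE_REQUESTS = [
    ("http", "Basic " + base64.b64encode(b"alice:SuperSecret1").decode()),
    ("http", "NTLM " + make_ntlm_negotiate()),
    ("https", "Basic " + base64.b64encode(b"bob:hunter2").decode()),
    ("http", None),
]


def audit_all(requests=SAMPLE_REQUESTS):
    """Audit every sample request and return the findings in order."""
    return [audit_request(t, h) for t, h in requests]


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Run as a script to see one finding per sample request; only the first (Basic over http) is flagged as clear-text exposure, which is exactly the case the Kerberos or NTLM recommendation above avoids.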
Configuring a machine account
- On the Main tab, open the machine account configuration. A new Machine Account screen opens.
- In the Configuration area, in the Machine Account Name field, type a name.
- In the Domain FQDN field, type the fully qualified domain name (FQDN) for the domain that you want the machine account to join.
- Optional: In the Domain Controller FQDN field, type the FQDN for a domain controller.
- In the Admin User field, type the name of a user who has administrator privilege.
- In the Admin Password field, type the password for the admin user. APM uses these credentials to create the machine account on the domain controller. However, APM does not store the credentials and you do not need them to update an existing machine account configuration later.
- Click Join.
Creating an NTLM Auth configuration
- On the Main tab, open the NTLM Auth configuration. A new NTLM Auth Configuration screen opens.
- In the Name field, type a name.
- From the Machine Account Name list, select the machine account configuration to which this NTLM Auth configuration applies. You can assign the same machine account to multiple NTLM authentication configurations.
- For each domain controller, type a fully qualified domain name (FQDN) and add it to the list.
Note: Add only domain controllers that belong to one domain. By specifying more than one domain controller, you enable high availability: if the first domain controller on the list is not available, Access Policy Manager tries the next domain controller on the list, successively.
- Click Finished.
Maintaining a machine account
- On the Main tab, open the machine account configuration. The Machine Account screen opens.
- Click the name of a machine account. The properties screen opens and displays the date and time of the last update to the machine account password.
- Click the Renew Machine Password button. The screen refreshes and displays the updated date and time.