Sadly it looks like the UTM is going to cause me some extra work. I know it's down to the way we have it set up on our network, but it's a bit of a frustration that means we can't use browser-based authentication.
Our UTM is set up as a perimeter device. It should have no direct connection to the internal LAN, not even for authentication. So authentication is done by LDAP proxy. This authentication works just fine. However, because all user traffic is NAT'ed through an internal firewall, it appears that the UTM then decides that all traffic from that one IP address belongs to the first user who logs on using browser authentication :(
So it seems that browser auth only links logged-on users to the IP address. I guess I was hoping it would have some session-based cookie or the like.
If I temporarily allow the UTM to talk with our AD servers and use AD SSO, then the NTLM authentication works as expected and traffic is associated with the authenticated user. I'm guessing that's because NTLM has the authentication details in a packet that gets sent through the internal firewall and on to the UTM.
Next step is to install a Read-Only Domain Controller (RODC) so that the UTM can authenticate with that using NTLM rather than LDAP, which is sad because it means I can't use a browser unless it's NTLM capable, and we all know what that means :(
Anyone got any thoughts on this?
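A quick check for the symptom described above, added here as an example and not part of the original post: it correlates authentication events with proxy traffic events and flags any source IP where several users authenticated but the traffic was attributed to fewer of them, which is exactly what an internal NAT in front of IP-bound browser authentication produces. The log lines are constructed, and the simplified `srcip="..." user="..."` key/value layout is an assumption, not the UTM's exact log format.

```python
import re
from collections import defaultdict

# Constructed sample events (assumption: a simplified key="value" layout;
# only the srcip and user fields are used by the check below).
AUTH_EVENTS = """\
2024-05-01T08:00:01 auth srcip="10.10.1.20" user="alice"
2024-05-01T08:00:09 auth srcip="10.10.1.20" user="bob"
2024-05-01T08:00:15 auth srcip="10.10.2.7" user="carol"
"""

TRAFFIC_EVENTS = """\
2024-05-01T08:01:00 httpproxy srcip="10.10.1.20" user="alice" url="http://example.com/"
2024-05-01T08:01:03 httpproxy srcip="10.10.1.20" user="alice" url="http://example.org/"
2024-05-01T08:01:05 httpproxy srcip="10.10.2.7" user="carol" url="http://example.net/"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line):
    """Extract key="value" pairs from one log line into a dict."""
    return dict(KV.findall(line))


def users_per_ip(text):
    """Map each source IP to the set of user names seen on it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = parse_kv(line)
        if fields.get("srcip") and fields.get("user"):
            seen[fields["srcip"]].add(fields["user"])
    return seen


def find_collapsed_ips(auth_text, traffic_text):
    """Return {srcip: {"authenticated": set, "attributed": set}} for every IP
    where more than one user authenticated but the proxy attributed traffic to
    fewer users. With IP-bound identity, a NAT'ed address collapses onto
    whichever user logged on first; an RODC/NTLM per-request setup would not."""
    authed = users_per_ip(auth_text)
    attributed = users_per_ip(traffic_text)
    findings = {}
    for ip, users in authed.items():
        seen_in_traffic = attributed.get(ip, set())
        if len(users) > 1 and len(seen_in_traffic) < len(users):
            findings[ip] = {"authenticated": users, "attributed": seen_in_traffic}
    return findings


if __name__ == "__main__":
    for ip, info in find_collapsed_ips(AUTH_EVENTS, TRAFFIC_EVENTS).items():
        print(f"{ip}: authenticated {sorted(info['authenticated'])}, "
              f"traffic attributed to {sorted(info['attributed']) or 'nobody'}")
```

Run against real auth and httpproxy exports (after adapting `parse_kv` to the actual field names), any IP it reports is one where per-user policy and reporting cannot be trusted until per-request authentication is in place.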