WinRoute Firewall
Summary
WinRoute Firewall supports NTLM authentication, so that users can
authenticate to the firewall without having to type in their username and
password on the firewall's login screen. This article explains how to set up a
WinRoute Firewall machine to accept NTLM authentication.
Discussion
For this article, we assume that you have three computers:
- The Domain Controller: This machine is the Primary Domain
Controller for your Windows domain (NT or Active Directory).
- WinRoute computer: This machine holds (or will hold)
WinRoute, and is set to be the default gateway of your Local Area Network.
- Client computer: This is a computer on your Local Area
Network, being used by a person.
Set up your Domain
- Set up your Primary Domain Controller or Active Directory controller for
your NT or Active Directory domain.
- Join the future WinRoute computer into the Windows domain.
- Install WinRoute on that computer. (Note: WinRoute must
run as a service, or as an application under a user with administrative
rights on the local computer.)
- Add the client computer to the domain. The user must then log on to the
domain (not to the local computer).
Set up WinRoute Firewall
- Using the Kerio Administration Console, connect to WinRoute Firewall.
- In the Traffic Policy, make sure that the NetBIOS-DGM and NetBIOS-SSN
services are allowed from the WinRoute machine to the domain controller.
- In "Users and Groups -> Users," add users from your domain
into WinRoute Firewall (Note: users must have the same
username as they do in your domain).
- For "Authentication," in the Add User screen, choose Windows
NT Domain for an NT4 domain, or Kerberos 5 for an Active
Directory domain.
- Under Advanced Options -> User Authentication, make sure there is a
check next to "Use NTLM authentication for MSIE browsers."
- In that same Advanced Options -> User Authentication tab, enter the
name of your domain. For an NT domain, use the "NT domain" box.
For an Active Directory domain, use the "Kerberos realm" box.
- In that same tab, fill the "WinRoute server name" with a name
that can be resolved by the client.
Remember that if you give WinRoute a name with no periods in it, the client
will append its own DNS suffix to resolve that name. For example, if WinRoute
is called "gw" and the client's DNS suffix is "localdomain",
then the client will try to resolve "gw.localdomain". Make sure
that whatever you put in the "WinRoute server name" box resolves
to a valid IP on your LAN.
- Uncheck the "SSL has priority" option.
- In "Configuration -> Content Filtering -> HTTP Policy,"
enable the "Authenticate all users" HTTP rule. (Or, create a less
restrictive rule if you want to.)
Congratulations! NTLM authentication should now work.
Troubleshooting
- Login dialog (not login page) in MS IE appears
Check whether WinRoute's name (in "Advanced Options -> User
Authentication -> WinRoute server name") resolves correctly on the
local network. Using the IP address of the WinRoute machine will not work.
You can also add this name to the "Local network" group in MS IE's
configuration.
- Login page displayed
The client must not be configured to use a proxy server; NTLM works on
direct connections only. If no proxy server is in use, check WinRoute's
error log to determine the reason for the problem.
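The "WinRoute server name" rule above (no periods means the client appends its own DNS suffix) and the "Login dialog" troubleshooting item both come down to the same check: does the name the client will actually resolve map to a LAN address? The following script is an added example, not part of the original article or of Kerio's product; it applies that rule and reports the failure modes the article names (bare IP address in the box, name that does not resolve, name resolving outside the LAN). The hosts table and the 192.168.1.0/24 LAN are constructed sample values; pass the default resolver to run it against live DNS.

```python
"""Sanity-check the "WinRoute server name" value before relying on NTLM.

Mirrors the article's rule: a name without a period is resolved by the
client with its own DNS suffix appended, and the result must be a valid
LAN address (putting the WinRoute IP address in the box does not work).
"""
import ipaddress
import socket


def candidate_fqdn(server_name: str, dns_suffix: str) -> str:
    """Return the name the client will actually try to resolve."""
    if "." in server_name or not dns_suffix:
        return server_name
    return f"{server_name}.{dns_suffix}"


def check_server_name(server_name, dns_suffix, lan_cidr, resolve=socket.gethostbyname):
    """Return (ok, fqdn, ip, reason). `resolve` is injectable so the check
    can run against a constructed hosts table as well as against live DNS."""
    try:
        ipaddress.ip_address(server_name)  # succeeds only for a bare IP
        return (False, server_name, server_name, "box contains an IP address, not a name")
    except ValueError:
        pass
    fqdn = candidate_fqdn(server_name, dns_suffix)
    try:
        ip = ipaddress.ip_address(resolve(fqdn))
    except (socket.gaierror, KeyError, ValueError) as exc:
        return (False, fqdn, None, f"does not resolve: {exc}")
    if ip.is_loopback:
        return (False, fqdn, str(ip), "resolves to loopback, not a LAN address")
    if ip not in ipaddress.ip_network(lan_cidr, strict=False):
        return (False, fqdn, str(ip), f"resolves outside the LAN {lan_cidr}")
    return (True, fqdn, str(ip), "ok")


# Constructed hosts table standing in for the client's DNS view (sample data).
SAMPLE_HOSTS = {
    "gw.localdomain": "192.168.1.1",
    "gw.corp.example": "10.0.0.1",
    "lo.localdomain": "127.0.0.1",
}


def sample_resolve(name: str) -> str:
    return SAMPLE_HOSTS[name]


if __name__ == "__main__":
    for name, suffix in [("gw", "localdomain"), ("gw", "corp.example"),
                         ("lo", "localdomain"), ("192.168.1.1", "localdomain")]:
        print(name, suffix, check_server_name(name, suffix, "192.168.1.0/24", sample_resolve))
```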