Dec 10, 2024 
 How do I set up NTLM authentication to work with WinRoute Firewall?
Solution


WinRoute Firewall supports NTLM authentication, so that users who are already logged on to the Windows domain can authenticate to the firewall without typing their username and password on the firewall's login page. This article explains how to set up a WinRoute Firewall machine to accept NTLM authentication.


For this article, we assume that you have three computers:

  • The Domain Controller: This machine is the Primary Domain Controller for your Windows domain (NT or Active Directory).
  • WinRoute computer: This machine holds (or will hold) WinRoute, and is set to be the default gateway of your Local Area Network.
  • Client computer: This is a computer on your Local Area Network, being used by a person.

Set up your Domain

  1. Set up your Primary Domain Controller or Active Directory controller for your NT or Active Directory domain.
  2. Join the future WinRoute computer into the Windows domain.
  3. Install WinRoute on that computer. (Note: WinRoute must run as a service, or as an application under a user with administrative rights on the local computer.)
  4. Add the client computer to the domain. The user must then log on to the domain (not to the local computer).

Set up WinRoute Firewall

  1. Using the Kerio Administration Console, connect to WinRoute Firewall.
  2. In the Traffic Policy, make sure that the NetBIOS-DGM and NetBIOS-SSN services are allowed from the WinRoute machine to the domain controller.
  3. In "Users and Groups -> Users," add users from your domain into WinRoute Firewall (Note: each user must have the same username in WinRoute as in your domain).
  4. For "Authentication," in the Add User screen, choose Windows NT Domain for an NT4 domain, or Kerberos 5 for an Active Directory domain.
  5. Under Advanced Options -> User Authentication, make sure there is a check next to "Use NTLM authentication for MSIE browsers."
  6. In that same Advanced Options -> User Authentication tab, enter the name of your domain. For an NT domain, use the "NT domain" box. For an Active Directory domain, use the "Kerberos realm" box.
  7. In that same tab, fill the "WinRoute server name" with a name that can be resolved by the client.

    Remember, if you give WinRoute a name with no periods in it, the client will append its own DNS suffix to resolve that name. For example, if WinRoute is called "gw" and the client's DNS suffix is "localdomain", the client will try to resolve "gw.localdomain". Make sure that whatever you put in the "WinRoute server name" box resolves, from the clients, to the WinRoute machine's LAN IP address.

  8. Uncheck the "SSL has priority" option.
  9. In "Configuration -> Content Filtering -> HTTP Policy," enable the "Authenticate all users" HTTP rule. (Or, create a less restrictive rule if you want to.)

Congratulations! NTLM authentication should now work.

Troubleshooting

  • Login dialog (not login page) appears in MS IE

    Check that WinRoute's name (in "Advanced Options -> User Authentication -> WinRoute server name") resolves correctly on the local network. Entering the IP address of the WinRoute machine instead of a name will not work: MS IE sends NTLM credentials automatically only to sites it places in its Local intranet zone, and an IP address (or a name containing periods) falls outside that zone by default, so the browser prompts for credentials instead. If you must use such a name, add it to the Local intranet zone in MS IE's security settings.

  • Login page displayed

    Do not configure the browser to use a proxy server. NTLM authentication to WinRoute works on direct (non-proxy) connections only. If you are not using a proxy server, check WinRoute's Error log to determine the cause of the problem.
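The step 7 note and the "login dialog" troubleshooting item above both come down to the same two conditions: the configured "WinRoute server name" must be a plain host name that the client completes with its DNS suffix, and that name must resolve to the WinRoute machine's LAN address. The following preflight script is an added example (not part of the Kerio article or product) that checks those conditions for a candidate name before you type it into the console; the subnet, DNS suffix, and fixture addresses it uses are assumed values, and the optional NetBIOS-SSN check for step 2 is a plain TCP connect to 139/tcp run from the WinRoute machine.

```python
"""Preflight check for the "WinRoute server name" used by NTLM authentication.

Added example, not Kerio's code. It models the conditions the article gives
for silent NTLM logon from MS IE: the name should be dotless (the client
appends its DNS suffix and IE treats it as a Local intranet site) and it
must resolve, from the client, to the WinRoute machine's LAN address.
"""
import ipaddress
import socket


def is_ip_literal(name: str) -> bool:
    """True if the configured "name" is really an IP address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_candidates(name: str, client_suffix: str) -> list:
    """Names the client will actually look up for the configured server name.

    A dotless name is completed with the client's DNS suffix
    ("gw" + "localdomain" -> "gw.localdomain"); a name containing a period
    is looked up as given.
    """
    if "." in name or not client_suffix:
        return [name]
    return [f"{name}.{client_suffix}"]


def resolve_ipv4(host: str):
    """Default resolver: first IPv4 address for host, or None if lookup fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def check_server_name(name: str, client_suffix: str, lan: str, resolve=resolve_ipv4):
    """Return (ok, findings) for a candidate "WinRoute server name".

    lan is the LAN subnet in CIDR form (assumed value supplied by the caller).
    resolve maps a host name to an IPv4 address string or None; it is
    injectable so the check can run against a fixture without a resolver.
    """
    findings = []
    network = ipaddress.ip_network(lan, strict=False)

    if is_ip_literal(name):
        findings.append("IP address configured: IE will show a login dialog "
                        "instead of sending NTLM credentials silently")
        return False, findings

    if "." in name:
        findings.append("name contains a period: add it to IE's Local intranet "
                        "zone or IE will prompt instead of logging on automatically")

    for fqdn in dns_candidates(name, client_suffix):
        addr = resolve(fqdn)
        if addr is None:
            findings.append(f"{fqdn} does not resolve from the client")
            return False, findings
        if ipaddress.ip_address(addr) not in network:
            findings.append(f"{fqdn} resolves to {addr}, which is not in {lan}")
            return False, findings
        findings.append(f"{fqdn} resolves to {addr} (inside {lan})")

    return True, findings


def netbios_session_reachable(dc_host: str, timeout: float = 3.0) -> bool:
    """From the WinRoute machine: can we open NetBIOS-SSN (139/tcp) on the DC?

    Confirms the traffic-policy rule from step 2 for the session service.
    NetBIOS-DGM (138/udp) is connectionless and cannot be verified this way.
    """
    try:
        with socket.create_connection((dc_host, 139), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed fixture: what a client with DNS suffix "localdomain" on
    # 192.168.1.0/24 would see for a few candidate names (assumed values).
    fixture = {"gw.localdomain": "192.168.1.1", "gw.example.net": "203.0.113.5"}
    for candidate in ("gw", "gw.example.net", "192.168.1.1", "proxy"):
        ok, notes = check_server_name(candidate, "localdomain", "192.168.1.0/24", fixture.get)
        print(f"{candidate:16} {'OK' if ok else 'FAIL'}")
        for note in notes:
            print("   -", note)
```

Run it with the real resolver (`check_server_name("gw", "localdomain", "192.168.1.0/24")`) from a domain client to see exactly what that client will look up, and call `netbios_session_reachable("dc.localdomain")` from the WinRoute machine to confirm the step 2 rule before blaming the domain join.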

Article Details
Article ID: 45
Created On: Aug 11, 2004 10:29 AM
