Users periodically receive block page with Symantec Web Gateway (SWG) 5.0.x configured for NTLM 407 authentication

book

Article ID: 155720

calendar_today

Updated On:

Products

Web Gateway

Issue/Introduction

When the Symantec Web Gateway (SWG) 5.0.x is configured in proxy mode and for NTLM 407 authentication, users experience brief periods where they receive the blocked page. The SWG administrator may also notice end user machines reported under the wrong policy group within the Reports of SWG.

Affects SWG 5.0.2 and 5.0.3

Cause

This issue appears to be caused by a bug in the Symantec Web Gateway's LDAP module. 

Randomly throughout the day when the Web Gateway attempts to authenticate a user with the Domain Controller the authentication does not occur correctly.  The LDAP module of SWG does not log an LDAP authentication failure, and therefore a retry does not occur.  Instead, SWG treats the failure as if it was a successful authentication, even though the LDAP module does not associate the user with the IP address of the users machine.  Because we do not associate the user with his/her machine's IP address, the Policy Manager component of SWG applies the default policy, instead of the correct policy containing the user.  Typically, the next user authentication is successful, and the Web Gateway will begin apply the correct policy to that users request again.

Resolution

SWG5.0.3 resolved this issue where the cause is an empty username was received by SWG which fell into the default policy and eventually end user received the blocking page. Please upgrade to SWG5.0.3 to determine whether this eliminates all behaviour of this type within your environment.


The following partial workarounds may decrease end user impact:

  1. In the SWG UI, navigate to Administration> Configuration.
  2. On the Authentication tab, in the "Authentication TTL" field, please leave this value at 15 minutes and if possible increase the value.  If the protected machines behind Web Gateway are not shared by multiple users, it is asked that the Authentication TTL be increase to 480 minutes. 
  3. Click Save.

NOTE: It is not recommended to set TTL to zero. A shorter TTL time also results in an increased load on the Web Gateway.  Setting the Authentication TTL to 0 will cause the Web Gateway to re-authenticate on every request.
 

If symptoms persist, please contact support for further assistance. 


Applies To

Symantec Web Gateway 5.0.2 / 5.0.3 in Proxy mode and NTLM 407 Authentication