IWA authentication for SOCKS using the OpenText SOCKS client

Article ID: 166657

Products

ProxySG Software - SGOS

Issue/Introduction

SOCKS v5 supports basic (username/password) authentication, but those credentials are not protected while in transit from the client to the ProxySG appliance. OpenText has implemented a more secure authentication method in its SOCKS client (formerly Hummingbird). See the Additional Information section below for details from the OpenText release notes.

Resolution

The OpenText SOCKS Client supports IWA authentication by using an HTTP request in the background to 'open the door' for SOCKS. This feature requires an IP surrogate on the ProxySG appliance. Configure the ProxySG appliance and the OpenText SOCKS client as follows:

Requirements for the ProxySG appliance

  • Enable the SOCKS proxy service 
  • Enable the explicit HTTP proxy service 
  • Configure the IWA realm ("AD" in the following examples)


ProxySG policy configuration (version 6.7.x)

In version 6.7.x, install the following CPL policy:  

; use mode 'proxy' instead of 'proxy-ip' for non-SOCKS traffic
; this refreshes the surrogate time when the SOCKS client makes an HTTP request for authentication
<proxy> client.protocol=!socks
  authenticate(AD) authenticate.mode(proxy)
<proxy> client.protocol=socks
  socks.authenticate(AD) authenticate.mode(proxy-ip)

ProxySG policy configuration (version 7.2.x and 7.3.x)

Note: Earlier versions of 7.x do not support the following policy, which includes a policy gesture (socks.authenticate.mode) introduced in versions 7.2.8.1 and 7.3.4.1.

In version 7.2.8.x and later, and version 7.3.4.x and later, install the following CPL policy:

; use the IWA realm "AD" for both SOCKS and non-SOCKS traffic
; use mode 'proxy' instead of 'proxy-ip' for non-SOCKS traffic
; this refreshes the surrogate time when the SOCKS client makes an HTTP request for authentication
<proxy> client.protocol=!socks
  authenticate(AD) authenticate.mode(proxy)
<proxy> client.protocol=socks
  socks.authenticate(AD) socks.authenticate.mode(proxy-ip)


If this policy is installed and successful HTTP authentication has occurred, SOCKS requests will succeed without SOCKS authentication. If the default policy is deny, you must add rules to allow HTTP and SOCKS after successful authentication.

Note: This policy works as expected only when client IP addresses are unique; for example, it does not work behind terminal servers, where many users share one IP address.
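To make the surrogate behaviour concrete, the following is a constructed model (an added example, not ProxySG or OpenText code) of how an IP surrogate created by the HTTP authentication rule gates SOCKS requests, why the client's auto-refresh interval must be shorter than the surrogate lifetime, and what happens behind a shared IP address. IP addresses, user names and the 900-second lifetime are assumed sample values.

```python
# Constructed model of the IP-surrogate flow described above; an added example,
# not ProxySG or OpenText code. Times are seconds; TTL values are assumptions.

class SurrogateCache:
    """One entry per client IP, as with socks.authenticate.mode(proxy-ip)."""
    def __init__(self, ttl: int) -> None:
        self.ttl = ttl      # surrogate lifetime (assumed, not an SGOS default)
        self.entries = {}   # client IP -> (user, expires_at)

    def http_authenticate(self, ip: str, user: str, now: int) -> None:
        # The client's background HTTP request completes IWA and creates or
        # refreshes the surrogate for its IP (the authenticate.mode(proxy) rule).
        self.entries[ip] = (user, now + self.ttl)

    def socks_user(self, ip: str, now: int):
        # Only the source IP is consulted; no SOCKS credentials are sent.
        # Returns the user the traffic is attributed to, or None if denied.
        entry = self.entries.get(ip)
        if entry is None or entry[1] <= now:
            self.entries.pop(ip, None)
            return None
        return entry[0]

    def clear(self) -> None:
        # A manual credential-cache clear or a policy install drops every surrogate.
        self.entries.clear()

def refresh_scenario(ttl: int, refresh_interval: int) -> list:
    """SOCKS outcome at each client auto-refresh tick: the refresh interval
    must be shorter than the surrogate lifetime or SOCKS starts failing."""
    cache = SurrogateCache(ttl)
    cache.http_authenticate("10.0.0.5", "alice", now=0)
    results = []
    for t in range(refresh_interval, 4 * refresh_interval, refresh_interval):
        results.append(cache.socks_user("10.0.0.5", t))  # SOCKS request first,
        cache.http_authenticate("10.0.0.5", "alice", t)  # then the client refreshes
    return results

def shared_ip_scenario() -> str:
    """Terminal-server case: users behind one IP cannot be told apart, so all
    SOCKS traffic from that IP is attributed to whoever authenticated last."""
    cache = SurrogateCache(ttl=900)
    cache.http_authenticate("10.0.0.9", "bob", now=0)
    cache.http_authenticate("10.0.0.9", "carol", now=5)   # overwrites bob's entry
    return cache.socks_user("10.0.0.9", 10)
```

`refresh_scenario(900, 600)` keeps SOCKS working at every tick, while `refresh_scenario(900, 1200)` fails at every tick because each SOCKS request arrives after the surrogate has expired; `clear()` reproduces the failure seen after a policy install until the client re-authenticates.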


OpenText SOCKS client configuration

Add a new profile and choose "Blue Coat HTTP" as the authentication type:

The SOCKS client connects to the HTTP proxy for IWA (specifically NTLM) authentication.

By default, the SOCKS client makes a request to the proxy IP address for authentication (using the explicit proxy settings displayed above). It does not request a webpage 'behind' the ProxySG appliance.

To configure a URL 'behind' the ProxySG appliance (recommended):

  1. Open the profile with a text editor.
  2. Add the line "HttpProxyUrlRequest=http://www.google.com". See the following screenshot to determine the correct position of this line:

Important: If you manually clear the credential cache or if you install a new policy, SOCKS communication fails until the SOCKS client refreshes HTTP authentication. You can also restart the client for re-authentication.

Additional Information

Refer to the following details from the OpenText release notes:

SOCKS Client - 14.00.03.131

Service Pack release date: Thursday, June 10, 2010


Blue Coat HTTP Authentication

Issue ID: 40881

Component: SOCKS Client

Notes: Open Text SOCKS Client now supports Blue Coat HTTP authentication for Blue Coat SOCKS servers.


To add a Blue Coat HTTP authentication SOCKS server to Open Text SOCKS Client:

1. Right-click on the Open Text SOCKS Client icon in the Windows Taskbar Notification Area and select New Profile. Open Text SOCKS Client Profile Editor opens.

2. In the Settings pane, click Servers.

3. In the Configured Servers area, click Add. The Add SOCKS Server dialog box opens.

4. Provide the following information:

Server Address — Enter an IP address or a server name.

Port — Change the port from the default (1080) if necessary.

Version — Open Text SOCKS Client only supports version 5 SOCKS servers for Blue Coat HTTP authentication.

Authentication Type — Select Blue Coat HTTP. Open Text SOCKS Client authenticates the Blue Coat HTTP connection with either the username and password of the user logged into the client system, or with the supplied Username and Password.

5. From the Blue Coat Settings dialog, users can change the HTTP proxy address, port and authentication refresh time interval.

If Open Text SOCKS Client Dashboard is running, it will auto refresh the Blue Coat HTTP authentication at the configured refresh time interval.

Users can stop the authentication auto refresh by selecting "Stop Blue Coat Authentication Auto Refresh", unchecking "Enable Open Text SOCKS Client", or choosing "Exit" from the Open Text SOCKS Client Dashboard tray menu.

Note: The Blue Coat SOCKS server is required to configure/support both HTTP proxy and SOCKS5 anonymous authentication.