IWA authentication for SOCKS using the OpenText SOCKS client

book

Article ID: 166657

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Customers using authentication for SOCKS could use basic authentication, which is supported by SOCKSv5. For many customers this is not an option anymore, because basic credentials are not secured when they are transmitted from client to ProxySG.

OpenText has implemented a more secure authentication method in their SOCKS client.

Resolution

OpenText has implemented a feature in their SOCKS client (fka. Hummingbird) which support IWA authentication using HTTP in the background to "open the door" for SOCKS. This new feature requires an ip surrogate on the ProxySG. 

 

Here are details form the OpenText release notes:

SOCKS Client - 14.00.03.131

Service Pack release date: Thursday, June 10, 2010

 

Blue Coat HTTP Authentication

Issue ID: 40881

Component: SOCKS Client

Notes: Open Text SOCKS Client now supports Blue Coat HTTP authentication for Blue Coat SOCKS servers.

 

To add a Blue Coat HTTP authentication SOCKS server to Open Text SOCKS Client:

1. Right-click on the Open Text SOCKS Client icon in the Windows Taskbar Notification Area and select New Profile. Open Text SOCKS Client Profile Editor opens.

2. In the Settings pane, click Servers.

3. In the Configured Servers area, click Add. The Add SOCKS Server dialog box opens.

4. Provide the following information:

Server Address — Enter an IP address or a server name.

Port — Change the port from the default (1080) if necessary.

Version — Open Text SOCKS Client only support version 5 SOCKS servers for Blue Coat HTTP authentication.

Authentication Type — Select Blue Coat HTTP. Open Text SOCKS Client authenticate the Blue Coat HTTP connection with either the username and password of the user logged into the client system, or with the supplied Username and Password.

5. From the Blue Coat Settings dialog, users can change the HTTP proxy address, port and authentication refresh time interval.

If Open Text SOCKS Client Dashboard is running, it will auto refresh the Blue Coat HTTP authentication at the configured refresh time interval.

Users can stop the authentication auto refresh by either select the "Stop Blue Coat Authentication Auto Refresh", uncheck "Enable Open Text SOCKS Client", or "Exit" from the Open Text SOCKS Client Dashboard tray menu.

Note: Blue Coat SOCKS server is required to configure/support both HTTP proxy and SOCKS5 anonymous authentication.

 

###########################

 

 

Here is the required ProxySG configuration / policy:

 

- SOCKS service has to be enabled

- Explicit HTTP service has to be enabled

- IWA realm has to be configured ("AD" in my example)

 

Policy:

Due to the fact that proxy-ip is not supported for SOCKS within the Visual Policy Manager, you have to use the following CPL:

  

<proxy> client.protocol=!socks

authenticate(AD) authenticate.mode(proxy); Note: mode = proxy instead of proxy-ip for non-socks traffic. This refreshes the surrogate time when the SOCKS client makes a HTTP request for authentication.

<proxy> client.protocol=socks

socks.authenticate(AD) authenticate.mode(proxy-ip)

 

This policy uses the IWA realm "AD" for all SOCKS and non-SOCKS traffic with auth mode = proxy-ip.

After a successful HTTP authentication a user is able to use SOCKS without SOCKS authentication, too.

If your default policy is deny, of course you have to add additional rules to allow HTTP and SOCKS after successful authentication.

 

Note: this config can only be used when the client IP addresses are unique. This does not work for Terminal Servers for example.

 

Here is the required OpenText configuration:

You have to add a new profile and choose "Blue Coat HTTP" as authentication type:

 

 

 

As you can see, the SOCKS client connects to the HTTP proxy for IWA (NTLM to be more specific) authentication. The default refresh time is 900 seconds.

By default, the SOCKS client makes a request to the proxy IP address for authentication (using the explicit proxy settings you can see in the above screenshot). It does not request a webpage "behind" the ProxySG.

This is not the best way for authentication. It is recommended to configure a URL "behind" the ProxySG. Unfortunately this can not be done in the SOCKS client GUI. You have to open the profile with a text editor.

Then you can add the line "HttpProxyUrlRequest=http://www.google.com". Have a look at the following screenshot, the position of this line is very important:

 

 

 

(Note: the screenshot shows a refresh time of 60 seconds and the GUI 900 seconds. The profile screenshot has been taken later, with another profile config...)

 There is one thing to keep in mind: if you manually clear the credential cache or if you install a new policy, SOCKS communication fails until the SOCKS client refreshes the HTTP authentication. You also could restart the client for re-authentication.