What is the difference between NTLM and DCINTERFACE authentication methods for Symantec Web Gateway?


Article ID: 178048


Products

Web Gateway

Issue/Introduction

What is the difference between NTLM and DCINTERFACE authentication methods for Symantec Web Gateway?

 

Resolution

Symantec Web Gateway can gather user information for reporting and policy enforcement using either NTLM or Dcinterface. Additionally, NTLM allows the user session to be authenticated using Active Directory.

NOTE: SWG can only use one of these methods at a time. Attempts to configure both may initially appear successful, but will result in abnormal policy behavior.


NTLM

  • When you configure the Administration> Configuration> Authentication page to use NTLM, SWG requests that the web browser supply the logged-in user's information.
  • SWG Engineering certified NTLM authentication for use with up to 10,000 users using NTLM v1 (or NTLMv2 for proxy modes) authentication.
  • After receiving credentials from the browser, SWG uses NTLM to authenticate against the Domain Controller with the credentials the browser supplied.
  • Provides both Identification and Authentication services.

How it works in practice:

  1. SWG Administrator creates an Authentication policy set to Ignore, Authenticate no Enforce or Enforce.
  2. The SWG connects routinely to the DC to obtain all known users' LDAP group information.
  3. User connects to the Internet site via the proxy.
  4. User's browser receives an NTLM challenge from the Web Gateway.
  5. User's browser responds transparently with a hash of the user's credentials.
  6. The Web Gateway connects to the Domain Controller (noted in LDAP settings) to verify credentials.
  7. If verification succeeds, policies are applied according to LDAP information.
  8. In the event that the NTLM process is not working correctly, or the user's LDAP information is not yet known, the SWG will apply the next IP based policy or the default policy.


DCINTERFACE

  • When you configure the Administration> Configuration> Authentication page to use dcinterface, and you install and configure the dcinterface software on a Domain Controller or workstation, the dcinterface software forwards log entries to SWG which show successful domain logons.
  • SWG Engineering certified DCINTERFACE for use with up to 5,000 users running Windows 2003 or Windows 2008 Domain controllers.
  • This process is CPU intensive for both the Domain Controller and the Symantec Web Gateway server.
  • The dcinterface software forwards Eventid 540 and Eventid 672 from the Security Log of Windows Event Viewer for Windows 2003 domains.
  • Starting with SWG4.5.2.72 and dcinterface4.5.3, the dcinterface software forwards Eventid 4624 and 4768 from the Security Log of Windows Event Viewer for Windows 2008 domains.
  • Provides only user identification service.

How it works in practice:

  1. The SWG connects routinely to the DC to obtain all known users' LDAP group information.
  2. User logs on to computer.
  3. DCInterface agent on DC detects logon event and sends user details and IP address to SWG.
  4. User connects to Internet.
  5. SWG matches connecting IP address to user with information received from DCInterface.
  6. SWG obtains LDAP group membership information from DC.
  7. SWG applies appropriate policy based on LDAP information.
  8. In the event that no matching logged-on Domain User is identified, the SWG will apply the next IP based policy or the default policy.
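The DCINTERFACE flow above, modeled as an added example (not Symantec code) to show why it is identification only: the user is inferred from the client IP address, never from credentials presented with the web request. The event records, group and policy names, the "latest logon at an IP wins" rule and the fallback when no group policy matches are assumptions made for illustration.

```python
# Illustrative model of the DCINTERFACE steps; all data below is constructed.
FORWARDED_EVENT_IDS = {
    "2003": {540, 672},    # Windows 2003 domains (IDs from the article)
    "2008": {4624, 4768},  # Windows 2008 domains (IDs from the article)
}

def build_ip_user_map(events, domain_version):
    """Step 3: keep only forwarded logon events and map IP -> user.
    Assumption: a later logon from the same IP replaces the earlier one."""
    wanted = FORWARDED_EVENT_IDS[domain_version]
    ip_to_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] in wanted:
            ip_to_user[ev["ip"]] = ev["user"]
    return ip_to_user

def select_policy(client_ip, ip_to_user, ldap_groups, group_policies, default_policy):
    """Steps 5-8: match the connecting IP to a user, then pick a policy by
    LDAP group; fall back to the default policy when nothing matches."""
    user = ip_to_user.get(client_ip)
    if user is None:
        return None, default_policy          # step 8: no known logon for this IP
    for group in ldap_groups.get(user, []):
        if group in group_policies:
            return user, group_policies[group]
    return user, default_policy              # assumption: no group policy -> default

# Constructed sample data (hypothetical users, addresses, groups, policies).
SAMPLE_EVENTS = [
    {"time": 1, "event_id": 4624, "user": "alice", "ip": "10.0.0.5"},
    {"time": 2, "event_id": 4625, "user": "bob",   "ip": "10.0.0.6"},  # failed logon, not forwarded
    {"time": 3, "event_id": 4768, "user": "carol", "ip": "10.0.0.5"},  # same IP, later logon
]
LDAP_GROUPS = {"alice": ["Staff"], "carol": ["Contractors"]}
GROUP_POLICIES = {"Staff": "staff-policy", "Contractors": "restricted-policy"}

def demo():
    ip_map = build_ip_user_map(SAMPLE_EVENTS, "2008")
    args = (ip_map, LDAP_GROUPS, GROUP_POLICIES, "default-policy")
    return {ip: select_policy(ip, *args) for ip in ("10.0.0.5", "10.0.0.6")}

if __name__ == "__main__":
    for ip, (user, policy) in demo().items():
        print(ip, user, policy)
```

In this model, traffic from 10.0.0.5 is attributed to whoever logged on there most recently, which is why shared or reassigned addresses (terminal servers, NAT, DHCP churn) deserve attention when reports and policy depend on DCINTERFACE.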

Windows 2008 support for DC Interface was added starting with Version 4.5.3 of DCINTERFACE and was included in Symantec Web Gateway version 4.5.2.72.


References
 

For more information see Chapter 6 of the Symantec Web Gateway Implementation Guide. The Guide is available here:
http://www.symantec.com/business/support/documentation.jsp?language=english&view=manuals&pid=58161