Question:
I have a back-end server behind my CA Secure Gateway proxy that requires NTLM authentication. How do I configure CA Secure Gateway to access these NTLM-protected resources?
Environment:
All (Linux, Windows, Solaris)
Answer:
The setting you need to pass the NTLM authentication challenge from the backend through to the user is the following attribute on the proxyrules.xml forward directive for that specific backend server:
<forward connection-auth="yes">http://backend.example.com$0</forward>
This propagates the backend's HTTP authentication headers through the proxy as a normal proxied response and passes them to the user. The user's browser then fills in the details and sends the authentication response back through the proxy to the backend server. If the backend server accepts the NTLM credentials, the user is given access to the resource.
Additional Information:
The extra setting is needed because of the way NTLM authentication works. NTLM authenticates the "connection" as belonging to the user, so any other requests sent down that same socket to the backend are treated as also coming from the same (authenticated) user.
Obviously that is a real problem for a proxy that runs a pool of connections to the backend and passes requests from different users along the same pooled connections. Adding connection-auth="yes" means the proxy will not use the normal backend connection pool, but the connection-oriented pool, which maintains an individual socket per authenticated user:
<connection-pool name="connection oriented authentication">
    connection-timeout="10 seconds"
    max-size="200"
    enabled="yes"
</connection-pool>
You can keep track of the number of currently open connections to the backend with the netstat -an command.
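The following is an added toy model (not CA Secure Gateway code; all class and function names are assumptions) of the problem described above: a backend that binds identity to the socket, a shared pool that lets one user's request ride another user's authenticated socket, and a per-user pool of the kind connection-auth="yes" selects.

```python
from collections import deque
import itertools

class NtlmBackend:
    """Backend that, like NTLM, authenticates the *connection*: once a socket
    has answered a challenge, every later request on it is taken as that user."""
    def __init__(self):
        self.owner = {}                      # conn id -> authenticated user

    def handle(self, conn, creds=None):
        if conn not in self.owner:
            if creds is None:
                return 401, None             # WWW-Authenticate: NTLM challenge
            self.owner[conn] = creds         # bind identity to the socket
        return 200, self.owner[conn]         # served as whoever owns the socket

class SharedPool:
    """Normal backend pool: any idle socket serves any user's request."""
    def __init__(self, size):
        self.free = deque(range(size))
    def acquire(self, user):
        return self.free.popleft()
    def release(self, conn):
        self.free.append(conn)

class ConnectionOrientedPool:
    """Pool selected by connection-auth="yes": one socket per user, never
    shared, released only when its idle timeout expires (not modelled)."""
    def __init__(self):
        self.by_user, self.ids = {}, itertools.count(100)
    def acquire(self, user):
        return self.by_user.setdefault(user, next(self.ids))
    def release(self, conn):
        pass

def proxy_request(pool, backend, user):
    """Forward one request for `user`; on 401 the user's browser answers the
    challenge with its own credentials over the same socket."""
    conn = pool.acquire(user)
    status, served_as = backend.handle(conn)
    if status == 401:
        status, served_as = backend.handle(conn, creds=user)
    pool.release(conn)
    return served_as

def run_scenario(pool):
    """Return the identity the backend served each (constructed) request as."""
    backend = NtlmBackend()
    return [proxy_request(pool, backend, u) for u in ("alice", "bob", "alice")]
```

With a one-socket shared pool, bob's request reuses the socket alice authenticated and is served as alice; the connection-oriented pool gives bob his own socket and his own challenge.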