When the Symantec Web Gateway (SWG) 5.0.x is configured in proxy mode and for NTLM 407 authentication, users experience brief periods during which they receive the blocked page. The SWG administrator may also notice end-user machines reported under the wrong policy group in the SWG Reports.
Affects SWG 5.0.2 and 5.0.3
This issue appears to be caused by a bug in the Symantec Web Gateway's LDAP module.
Randomly throughout the day, when the Web Gateway attempts to authenticate a user with the Domain Controller, the authentication does not occur correctly. The LDAP module of SWG does not log an LDAP authentication failure, and therefore a retry does not occur. Instead, SWG treats the failure as if it were a successful authentication, even though the LDAP module does not associate the user with the IP address of the user's machine. Because the user is not associated with his/her machine's IP address, the Policy Manager component of SWG applies the default policy instead of the correct policy containing the user. Typically, the next user authentication is successful, and the Web Gateway begins applying the correct policy to that user's requests again.
SWG 5.0.3 resolved this issue for the case where the cause is an empty username received by SWG, which fell into the default policy, so that the end user eventually received the blocking page. Please upgrade to SWG 5.0.3 to determine whether this eliminates all behaviour of this type within your environment.
The following partial workarounds may decrease end user impact:
NOTE: It is not recommended to set TTL to zero. A shorter TTL time also results in an increased load on the Web Gateway. Setting the Authentication TTL to 0 will cause the Web Gateway to re-authenticate on every request.
If symptoms persist, please contact support for further assistance.
Symantec Web Gateway 5.0.2 / 5.0.3 in Proxy mode and NTLM 407 Authentication