TMG basic auth via SSL

  • Question

  • Hi everyone,

    I am trying to configure a TMG server to be the proxy for mobile users.

    Notes:

    Mobile users should use the company proxy for web browsing when they are outside the company and not connected via VPN.

    Is there a way to use TMG and basic auth in combination with SSL?

    I do not want to use just basic auth or just digest auth.

    I am looking for an SSL-secured auth mechanism, because client auth via cert is not possible in a TMG environment with no upstream server.

    kind regards

    gerry

    Tuesday, June 22, 2010 5:10 PM

Answers

  • If I understand you correctly you want mobile users that are external to your network to use TMG as their proxy? Unless you are using TMG in a single NIC scenario you will not have the option to even do this as the External network doesn't have a proxy option. I am assuming you are using single NIC and forwarding the traffic to TMG from an external Firewall.

    The only options for Web Proxy Authentication are Digest, Integrated, Basic, SSL Certificate and RADIUS. SSL Client Certificate would be the only secure method over the Internet.

    Let me know if I misunderstood you.

    Tuesday, June 22, 2010 10:07 PM
    Answerer

All replies

  • Hello,

    thanks for the answer!

    > I am assuming you are using single NIC and forwarding the traffic to TMG from an external Firewall.

    This is correct.

    Regarding this MS document http://technet.microsoft.com/en-us/library/cc441695.aspx

    it seems that I am not able to implement a secure auth mechanism in my environment for web access, because there is no upstream proxy available.

    I just thought there might be a trick to use SSL and basic or integrated auth.

    kind regards

    gerry

    Wednesday, June 23, 2010 9:32 AM
  • Edit: I see this is old... I'm just now updating my RSS links to the new values, so I'm seeing old posts as new. Sorry for bumping an old thread. Anyway, I'll leave the content in case it's useful:

    A possible idea: Although Captivate authentication is usually used to associate internal SecureNAT client IP addresses with users, you could use a similar configuration to bounce external clients through an SSL logon page.

    Before you jump for joy though, I have to say that whether this is useful or sufficient to you depends very much on your requirements.  Since there's no way to apply a "cookie" to be returned for the entire internet, the best you can do is block by IP address until that IP has been through the authentication.  After that, any traffic from that IP is assumed to be OK for a specified duration.

    So it's a reasonable way to make it hard for anonymous losers to utilize your proxy.  But it's not good to track users with good granularity and be sure all traffic is tagged to the right user.  Make sense?

    It is not a very ideal way to do authentication, but that's because it's a hard technical problem to solve given the limitations of HTTP, browser, and proxy authentication design and implementations.  This is also why there are no better ways to authenticate in TMG.  A sensible approach would be if browsers supported an SSL tunnel to the proxy, but alas this is not how they were designed.

    • Edited by f3rrix Friday, October 1, 2010 11:31 PM (Oops, bumping old thread)
    Friday, October 1, 2010 11:30 PM
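The IP-keyed gate that f3rrix describes (send an unknown source address to an SSL logon page, then allow everything from that address for a fixed duration) is easy to reason about once written down. The following is an added model of that policy; it is not TMG code and not from anyone in this thread. The allow window, the user names and the documentation-range address are constructed, and the point of the replay is the granularity problem the post names: a second user behind the same NAT address inherits the first user's logon.

```python
"""Added illustration of the IP-keyed gate described in the post above.

Hypothetical model, not TMG code: an unauthenticated client IP is sent to
an SSL logon page; once it has logged on, every request from that IP is
allowed for a fixed window, whoever is actually behind the address.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW_WINDOW_SECONDS = 3600  # assumed duration; the post gives no value


@dataclass
class IpGate:
    """Allow-list keyed by source IP with an expiry, as the post describes."""
    window: int = ALLOW_WINDOW_SECONDS
    # ip -> (user who logged on from it, expiry timestamp)
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def logon(self, client_ip: str, user: str, now: float) -> None:
        """Record a successful logon from client_ip for the allow window."""
        self.sessions[client_ip] = (user, now + self.window)

    def decide(self, client_ip: str, now: float) -> Tuple[str, Optional[str]]:
        """Return ("allow", user) or ("redirect", None) for a proxy request."""
        entry = self.sessions.get(client_ip)
        if entry is None:
            return ("redirect", None)
        user, expiry = entry
        if now >= expiry:
            del self.sessions[client_ip]  # window elapsed; back to the logon page
            return ("redirect", None)
        return ("allow", user)


def simulate(gate: Optional[IpGate] = None) -> List[Tuple[int, str, str, Optional[str]]]:
    """Replay a constructed request sequence.

    Returns (seconds_offset, real_user, decision, user_the_gate_attributed).
    alice and bob sit behind the same NAT address, so bob's traffic is
    attributed to alice once she has logged on.
    """
    gate = gate or IpGate(window=600)
    log: List[Tuple[int, str, str, Optional[str]]] = []
    nat_ip = "203.0.113.10"  # constructed, documentation range
    t0 = 1_000_000.0

    events = [
        (t0 + 0,   nat_ip, "alice", None),     # alice, not yet logged on
        (t0 + 5,   nat_ip, "alice", "logon"),  # alice completes the SSL logon page
        (t0 + 10,  nat_ip, "alice", None),
        (t0 + 20,  nat_ip, "bob",   None),     # bob, same IP, never logged on
        (t0 + 700, nat_ip, "bob",   None),     # window has expired by now
    ]
    for t, ip, real_user, action in events:
        if action == "logon":
            gate.logon(ip, real_user, t)
            continue
        decision, attributed = gate.decide(ip, t)
        log.append((int(t - t0), real_user, decision, attributed))
    return log


def misattributed(log: List[Tuple[int, str, str, Optional[str]]]) -> List[str]:
    """Real users whose traffic was allowed under a different user's logon."""
    return [real for _, real, decision, who in log
            if decision == "allow" and who != real]


if __name__ == "__main__":
    replay = simulate()
    for entry in replay:
        print(entry)
    print("misattributed:", misattributed(replay))
```

Running the replay shows the two properties the post calls out: anonymous use of the proxy from a fresh address is refused until someone at that address logs on, and after that the gate cannot tell alice's requests from bob's, so any per-user logging or policy built on it is only as good as the one-user-per-address assumption.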