Webfilter authentication with Windows Server 2008 R2



#1 fbeaudoin

fbeaudoin
  • Members
  • 4 posts

Posted 02 October 2009 - 03:48 PM

Hi, we are currently migrating to Windows Server 2008 R2. We are using a terminal server environment with some laptops. NTLM can't be used and needs to be replaced by something else. Webfilter is configured as a proxy. What's the best way to do the authentication for users under TS?

#2 Erik

Erik
  • Barracuda Team Members
  • 27 posts

Posted 03 October 2009 - 10:59 AM

Hello Fbeaudoin, if NTLM is not an option, then perhaps you may want to try using Kerberos. The following solution can be found here: http://www.barracuda...50160000000Ha99

#3 fbeaudoin

fbeaudoin
  • Members
  • 4 posts

Posted 05 October 2009 - 01:28 PM

I already tried this how-to and it doesn't work. When I do a user search in exception, I can't find anything. When I tried to go on the web with an authenticated user, it always pops up the login screen. What's the best way to go if I want to use the webfilter to be able to have both TS and computers go through the filter? I was thinking about mix mode and putting the webfilter inline. Authentication by LDAP with DC Agent, if it works with TS.

#4 trbbhm

trbbhm
  • Members
  • 2 posts

Posted 07 October 2009 - 01:45 PM

I would be very interested in the approach that you end up using, as I have the same situation and am currently using LDAP with DC Agent, but I am getting erroneous reports. Basically what is happening (according to Barracuda support) is that a person may log in today but not even have their computer on tomorrow. If another person logs in tomorrow, and happens to get the same IP address from the DHCP server, then all of their internet activity is recorded as if it was done by the first person (who's not even in the building). Support installed a script that basically logs everyone out of the webfilter at 3:00 every morning so that when they log in, their usage data is fresh from the start. I would have thought that the webfilter would integrate with Active Directory better than this.
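The misattribution described in post #4, as an added example that is not part of the original thread and not Barracuda's code: a small audit that re-checks each proxy request against the logon and DHCP lease that were current at the time, instead of trusting a bare IP-to-user table. The log layouts, names, addresses and the `max_age` cutoff (which plays the role of the nightly logout script) are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; the tuple layouts are assumptions, not a Barracuda format.
LOGONS = [("alice", "10.0.0.50", "2009-10-06 08:55")]              # user, ip, time
LEASES = [("10.0.0.50", "aa:aa:aa:aa:aa:01", "2009-10-06 08:50"),  # ip, mac, granted
          ("10.0.0.50", "bb:bb:bb:bb:bb:02", "2009-10-07 09:00")]
REQUESTS = [("10.0.0.50", "2009-10-06 09:10", "example.org"),      # ip, time, host
            ("10.0.0.50", "2009-10-07 09:15", "example.net")]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def latest(events, ip, when, ip_idx, time_idx):
    """Most recent event for `ip` at or before `when`, or None."""
    seen = [e for e in events if e[ip_idx] == ip and ts(e[time_idx]) <= when]
    return max(seen, key=lambda e: ts(e[time_idx])) if seen else None

def attribute(requests, logons, leases, max_age=timedelta(hours=12)):
    """Return (ip, time, host, mapped_user, verdict) for each proxy request.

    mapped_user is what a pure IP-to-user table would record; verdict says
    whether that mapping can still be trusted at request time.
    """
    results = []
    for ip, when_text, host in requests:
        when = ts(when_text)
        logon = latest(logons, ip, when, 1, 2)
        if logon is None:
            results.append((ip, when_text, host, None, "no logon on record"))
            continue
        user, logon_time = logon[0], ts(logon[2])
        lease_then = latest(leases, ip, logon_time, 0, 2)  # device holding IP at logon
        lease_now = latest(leases, ip, when, 0, 2)         # device holding IP now
        if lease_then and lease_now and lease_then[1] != lease_now[1]:
            verdict = "stale: IP leased to another device since logon"
        elif when - logon_time > max_age:
            verdict = "stale: logon older than max_age"
        else:
            verdict = "ok"
        results.append((ip, when_text, host, user, verdict))
    return results

if __name__ == "__main__":
    for row in attribute(REQUESTS, LOGONS, LEASES):
        print(row)
```
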

#5 jheadmin

jheadmin
  • Members
  • 1 posts

Posted 19 October 2009 - 09:44 AM

Why can't you use NTLM? We are using NTLM and the forward proxy and it works quite well for all of our TS users. This is the only solution I have found that works for TS authentication. Supposedly, the 4.2 firmware is coming soon with stable dual authentication mode, NTLM for TS users and LDAP/DC Agent for everyone else.

#6 Greta Moore

Greta Moore
  • Members
  • 0 posts

Posted 19 November 2009 - 10:32 AM

I would be interested as well. Since we updated the firmware we've had nothing but problems with authentication, we've lost the history of the web logs and the content filter completely abandoned us. We have the content filter working correctly, somewhat, but with the new firmware and updated DC Agent we have no authentication... in fact the DC Agent isn't even working.

#7 Charlotte

Charlotte
  • Barracuda Team Members
  • 0 posts

Posted 25 May 2010 - 10:17 AM

NTLM and Kerberos both work well for TS environments. Should you need assistance in setting these up, please do not hesitate to contact our tech support team.

/best CD

#8 Joerg Eberwein

Joerg Eberwein
  • Members
  • 0 posts

Posted 19 January 2011 - 10:21 AM

I have the same problem here. Windows 2008 R2 domain with the same domain level. I tried NTLM and Kerberos, but none of the tested authentication methods worked here. I think you need a new white paper if it really works. But I don't think so. P.S. DC Agent is not an option if you have domain controllers around Europe.

Greetings, Joerg

#9 Joerg Eberwein

Joerg Eberwein
  • Members
  • 0 posts

Posted 16 June 2011 - 02:53 AM

I had the same problem with Kerberos as you described on the forum. My problem was the user account I had used in Active Directory. The first time you make an Active Directory connection, the user account is bundled with an SPN service. So the best way is to delete the service/user account in Active Directory and create a new one, so the new service account has no SPN bundled. (Sorry for my bad English)

After that you can make a new connection from the Barracuda to Active Directory:

Realm: Windows domain name, e.g. "contoso.com"
KDC: domain controller
username: the new username/account
password:
advanced options ... you normally don't need these options
keytab ... I haven't used this with our Win 2008 R2 domain controllers ... the cuda does this by itself
short domain name ... if the domain has a different name than the FQDN you have to enter this (fqdn = contoso.com, netbios name = ms.local)

I hope this helps you.
Wish you a nice day.

Jörg Eberwein