
TECHNICAL BRIEF

Symantec ProxySG
Enabling NTLM Authentication

What is NTLM Authentication?


NTLM is a Microsoft-proprietary protocol that authenticates users and computers with a challenge-and-response exchange: the server sends a random challenge, and the client answers with a value computed from that challenge and the user's password hash, so the password itself never crosses the wire. When an IWA realm is used and a resource is requested, the Symantec ProxySG appliance contacts the user's or computer's account domain to verify the identity and to request an access token. The access token is generated by the domain controller and passed to (and, if valid, accepted by) the appliance. For an explicit proxy the challenge reaches the browser as an HTTP 407 response carrying a Proxy-Authenticate: NTLM header. (Refer to Microsoft's Web site for detailed information about the NTLM protocol and a list of Microsoft operating system versions that support NTLM.) The advantage of NTLM authentication is that it provides single sign-on for Internet Explorer users who are already logged in to a domain. Note that NTLM is a legacy protocol that Microsoft has long recommended replacing with Kerberos where clients support it.

Why Enable NTLM Authentication with ProxySG?


The ProxySG Series appliance can authenticate users already defined in the enterprise's Windows domain, so the existing authentication mechanism is reused through the ProxySG appliance. An administrator can know who is accessing network resources and
define user/group-based policy to control access to web content and web applications.

How to implement NTLM authentication


There are four steps to implement authentication services:
1. Install the Blue Coat NTLM Authentication Agent Service.
2. Create an IWA Realm.
3. Enable NTLM authentication through the Visual Policy Manager and create policy based on user and group identification.
4. Test NTLM policy.

Step 1 – Install the Blue Coat NTLM Authentication Agent Service

The Blue Coat NTLM Authentication Agent Service must be installed on a PDC or BDC, or on a member server/workstation running Windows NT/2000 Server. The Blue Coat NTLM Authentication Agent (BCAAA) is a Windows NT/2000-compatible application that aids in integrating and managing NTLM security with the ProxySG appliance. Because the agent accepts connections from the ProxySG (by default on TCP port 16101, the port used in Step 2) and validates credentials against the domain, limit network access to that port to the appliance's addresses, and prefer a member server over a domain controller where your environment allows it. A copy of the latest agent can be obtained by going to the following URL and locating the BCAAA Agent download:

https://bto.bluecoat.com/download/

Save the .zip file to the server where you intend to install the agent.

Installing the ProxySG NTLM Authentication Agent Service (BCAAA)
1. Unzip the archive and copy the file bcaaa.exe to the %SystemRoot%\system32 directory of the computer used as the domain controller (or of the member server chosen above).
2. Install the BCAAA service by opening a command window, switching to the %SystemRoot%\system32 directory, and typing bcaaa /install.
3. View the Application Event Log via the Windows Server Administrator Tools and validate that the BCAAA service is running.

To view the Application event log:
The BCAAA service logs all errors to the Windows NT/2000 Application Event Log under the name BCAAA.
1. Right-click on My Computer and choose Manage. The Computer Management window is displayed.
2. Choose System Tools, Event Viewer, and then Application. When the BCAAA service has started it will log an informational message to the Event Log.
To view and manage the service:
1. Right-click on My Computer and choose Manage. The Computer Management window is displayed.
2. Choose Services and Applications, then Services.
3. Right-click on CASSNT (the agent service's entry) and choose Properties to manage the service. For example, to make CASSNT start only manually, set the Startup Type to Manual. (Automatic is the default setting.)

Step 2 – Create an IWA Realm

Create a realm using the ProxySG GUI Management Console: select the Authentication option and then select the IWA tab.
1. Click the New button. The IWA Realm dialog is displayed. Type in NTLM (or any other name) as the Realm name.
2. Specify the IP address and port of the primary NTLM server on which the BCAAA Agent Service is running. The default port is 16101. Click on OK.
3. Click Apply to save your changes. Repeat the above steps for additional NTLM servers, up to a total of 50.
4. Select the IWA Servers tab to enable SSL from the ProxySG to the NTLM server and, if you want, to have the ProxySG verify the NTLM server's certificate. A valid certificate must exist on the NTLM server. Click Apply to save any changes. Without SSL the NTLM messages (and, if Basic is allowed, plaintext passwords) travel between the appliance and the agent in the clear, and without certificate verification the appliance cannot tell a genuine agent from an impostor answering on the same address.
5. Select the IWA General tab to allow Basic credentials, NTLM credentials, or both. Consult your corporate security policy for this information. Allowing Basic means a client that does not support NTLM will send its user name and password base64-encoded, which is readable by anyone on the path.
6. Credentials are cached by default for 900 seconds. This parameter can be adjusted to comply with your company's security rules; a longer cache reduces load on the domain but lengthens the time during which a disabled account or changed password is still honored by the appliance.
7. If you are using Transparent Authentication with NTLM, see the TechBrief "Enabling Transparent Authentication" for more details.
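The following script carries out the Step 1 installation on the agent host and checks the result the way a practitioner would before moving on to Step 2. It is an added example written for this page, not code from the Symantec brief or from the BCAAA package, and it targets a current Windows Server version (the brief predates PowerShell). It assumes that the downloaded archive is at $ZipPath and contains bcaaa.exe, that the service registers itself under the name BCAAA (the brief only names the event-log source), and that the appliance address is $ProxySgAddress; adjust all three to your environment.

```powershell
<#
Added example, not part of the Symantec brief. Performs Step 1 (unzip, copy, bcaaa /install)
and then verifies the service, its event-log output, its listening port, and restricts
access to that port. Assumptions not stated by the brief:
  - $ZipPath is the archive saved from the download site and contains bcaaa.exe
  - the installed service is registered as 'BCAAA' (check Get-Service if yours differs)
  - $ProxySgAddress is the only host that should reach the agent on $AgentPort
Run in an elevated Windows PowerShell 5.1+ session.
#>
param(
    [string]$ZipPath        = 'C:\Temp\bcaaa.zip',   # assumed download location
    [string]$ServiceName    = 'BCAAA',               # assumed service name
    [string]$ProxySgAddress = '10.0.0.10',           # assumed ProxySG address
    [int]   $AgentPort      = 16101                  # default BCAAA port (see Step 2)
)

$ErrorActionPreference = 'Stop'
$system32 = Join-Path $env:SystemRoot 'system32'
$staging  = Join-Path $env:TEMP 'bcaaa-unpack'

# 1. Unzip and copy bcaaa.exe into %SystemRoot%\system32
Expand-Archive -Path $ZipPath -DestinationPath $staging -Force
$exe = Get-ChildItem -Path $staging -Filter 'bcaaa.exe' -Recurse | Select-Object -First 1
if (-not $exe) { throw "bcaaa.exe not found in $ZipPath" }
Copy-Item -Path $exe.FullName -Destination $system32 -Force

# 2. Register the service from the system32 directory, as the brief instructs
Push-Location $system32
try {
    & .\bcaaa.exe /install
    if ($LASTEXITCODE -ne 0) { throw "bcaaa /install exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# 3. Validate that the service exists and is running; start it if /install only registered it
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    $svc.Refresh()
}
'Service {0} is {1} (startup type {2})' -f $svc.Name, $svc.Status, $svc.StartType

# The agent writes to the Application log under the source name BCAAA; a start-up
# message should be present and there should be no errors since the install.
$since  = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'BCAAA'; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, LevelDisplayName, Id, Message | Format-Table -AutoSize -Wrap
if ($events | Where-Object { $_.Level -le 2 }) {   # Level 1 = Critical, 2 = Error
    Write-Warning 'BCAAA logged errors since installation; fix these before creating the realm.'
}

# Confirm the agent is listening on the port the IWA realm will be pointed at in Step 2
$listener = Get-NetTCPConnection -LocalPort $AgentPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { Write-Warning "Nothing is listening on TCP $AgentPort; check the agent's port configuration." }

# Caveat the brief does not state: only the ProxySG should be able to reach the agent.
# With the Windows Firewall default inbound action of Block, this allow rule is the only
# way in on $AgentPort, and it is limited to the appliance address assumed above.
New-NetFirewallRule -DisplayName 'BCAAA from ProxySG' -Direction Inbound -Protocol TCP `
    -LocalPort $AgentPort -RemoteAddress $ProxySgAddress -Action Allow | Out-Null
```

If the event-log query returns nothing at all, the service has not started or is logging under a different source name; check the service properties before continuing to Step 2, because the realm cannot be tested until the agent answers on its port.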

TECHNICAL BRIEF | SYMANTEC PROXYSG 02


Step 3 – Enable IWA Realm Authentication Policy
1. Open the Visual Policy Manager (VPM) and create a new Web Authentication layer by selecting Edit from the tool bar and choosing Add Web Authentication Layer.
2. Accept the default name (Web Authentication Layer (1)) or give it a new name. Click OK.
3. In the Action field, right-click and click on Authenticate.
4. A pop-up window will display the newly created NTLM (IWA) realm; click on OK twice.
5. Click on Install Policy to compile and load the policy.

Step 4 – Test NTLM Policy
The first test is to ensure that the NTLM directory is visible from the client through the ProxySG to the directory server. The ProxySG provides the means to view users and groups in a directory without the need to install additional client software.
1. Create a Web Access layer, select Source and then Set. Click on New. Select User or Group from the drop-down list.
2. Select the newly created NTLM (IWA) realm from the drop-down menu and click on Browse.
3. A successful configuration will display the directory information, including users and groups. If the directory (NTLM) users and groups are not visible, there is a misconfiguration. Verify that the IP address configured is correct for the directory server you are attempting to contact.

Test NTLM authentication by opening an Internet Explorer browser and configuring the browser's proxy settings to point to the ProxySG IP address and port 80. Refresh the browser. The appliance now challenges every request before any Web site is reached: a browser that cannot answer the challenge silently prompts for a valid user name and password, while an Internet Explorer session already logged in to the domain supplies the user's credentials automatically (the single sign-on case described above) and no prompt appears.

Conclusion
The ProxySG can be quickly configured to use an existing NTLM authentication system. Once the BCAAA agent is installed on a domain machine, the first step on the appliance is to create an NTLM (IWA) authentication realm and configure it to match your company's security requirements. The next step is to define a Web Authentication layer using the Visual Policy Manager. Using the VPM you can view the contents of your directory to verify proper configuration. With the policy installed, your users must authenticate with their domain (NTLM) credentials before accessing any Web site, either automatically through single sign-on or at a prompt. The policy can be adjusted to prompt only certain users, or only when certain destinations are requested.
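The script below is a scripted form of the Step 4 browser test, and it also makes visible the challenge-and-response exchange described under "What is NTLM Authentication?": from a domain-joined client it sends one request through the ProxySG with no credentials and reports the 407 challenge and the schemes offered, then repeats the request with the logged-on user's credentials to confirm NTLM single sign-on. It is an added example written for this page, not code from the Symantec brief. It assumes the appliance address and port in $ProxyHost and $ProxyPort (the brief uses port 80), and that $TestUrl is a plain-HTTP destination covered by the Step 3 policy; both values are placeholders.

```powershell
<#
Added example, not part of the Symantec brief. Probes the ProxySG the way the Step 4
browser test does and reports what the appliance sent back. Assumptions:
  - $ProxyHost/$ProxyPort is the appliance's explicit HTTP proxy (brief: port 80)
  - $TestUrl is a plain-HTTP site that the Step 3 policy authenticates
Run from a domain-joined client in Windows PowerShell 5.1+.
#>
param(
    [string]$ProxyHost = '10.0.0.10',           # assumed ProxySG address
    [int]   $ProxyPort = 80,
    [string]$TestUrl   = 'http://example.com/'  # assumed test destination
)

$proxyUri = 'http://{0}:{1}' -f $ProxyHost, $ProxyPort

function Invoke-ThroughProxy {
    # Sends one GET through the proxy and returns the status code plus the
    # authentication schemes named in Proxy-Authenticate (empty when none were offered).
    param([string]$Url, [string]$Proxy, [System.Net.ICredentials]$Credentials)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Proxy = New-Object System.Net.WebProxy($Proxy)
    $req.Proxy.Credentials = $Credentials      # $null means "send nothing", so a 407 is expected
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response           # 407 arrives here as a WebException
        if ($null -eq $resp) { throw }          # no HTTP response at all: wrong address or port
    }
    $schemes = @()
    $values = $resp.Headers.GetValues('Proxy-Authenticate')
    if ($values) { $schemes = @($values | ForEach-Object { ($_ -split '[ ,]')[0] }) }
    $result = [pscustomobject]@{ Status = [int]$resp.StatusCode; Schemes = $schemes }
    $resp.Close()
    return $result
}

# 1. Anonymous request: the appliance must answer 407 and name NTLM as a scheme
$anon = Invoke-ThroughProxy -Url $TestUrl -Proxy $proxyUri -Credentials $null
'Without credentials: HTTP {0}; Proxy-Authenticate schemes: {1}' -f $anon.Status, ($anon.Schemes -join ', ')
if ($anon.Status -ne 407) {
    Write-Warning 'No challenge: the Step 3 authentication policy is not applied to this request.'
}
if ($anon.Schemes -notcontains 'NTLM') {
    Write-Warning 'NTLM is not offered: re-check the IWA General tab from Step 2.'
}
if ($anon.Schemes -contains 'Basic') {
    Write-Warning 'Basic is offered: a client that cannot do NTLM will send its password base64-encoded over plain HTTP.'
}

# 2. Same request with the logged-on domain user's credentials: NTLM single sign-on.
#    .NET only uses default credentials for NTLM/Negotiate, never for Basic.
$sso = Invoke-ThroughProxy -Url $TestUrl -Proxy $proxyUri `
           -Credentials ([System.Net.CredentialCache]::DefaultNetworkCredentials)
'As {0}\{1}: HTTP {2}' -f $env:USERDOMAIN, $env:USERNAME, $sso.Status
if ($sso.Status -eq 407) {
    Write-Warning 'Still challenged after NTLM: the BCAAA host could not validate this account (see the Step 1 event log).'
}
```

A 407 without credentials followed by a 200 (or the site's own status) with default credentials is the same outcome the brief's Internet Explorer test produces, minus the prompt. A 407 in both runs points at the agent or the realm rather than at policy; the Application log on the BCAAA host (Step 1) is the place to look next.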

About Symantec
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps organizations, governments and people secure their most important data wherever it
lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure.
Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton and LifeLock product suites to protect their digital lives at home and
across their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For
additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.

350 Ellis St., Mountain View, CA 94043 USA | +1 (650) 527 8000 | 1 (800) 721 3934 | www.symantec.com

Copyright ©2017 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

SYMC_TB_ProxySG_NTLM_EN_v1
