Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cannot understand Microsoft's Recommendation for Outlook Anywhere - "NTLM authentication over Secure Sockets Layer (SSL)"

Posted on 2010-09-01
8
Medium Priority
?
1,151 Views
Last Modified: 2012-06-21
here is an Microsoft statement which I don't understand:
"If you are using a firewall that does not handle NTLM, you will have to use Basic authentication over SSL"

Question: Why the firewall needs to handle NTLM? it's just an authentication method, not a netowrk transfer protocal like RPC or SMTP with a tcp port binding to. Shouldn’t Firewall handle SSL be sufficient? SSL encrypted the traffic in SSL tunnel from CAS server end to Outlook client end, shouldn’t it pass through the firewall if the firewall has been told to pass SSL traffic? why has anything to do with NTLM? I am confused, Please help.

thanks in advance,
Jerry
0
Comment
Question by:JerryJay
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 12

Accepted Solution

by:
mlongoh earned 1600 total points
ID: 33576272
Microsoft offers a Firewall product ISA which, of course, supports NTLM authenticaion - which is part of their reverse proxy feature.  Thus the statement.
0
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 1600 total points
ID: 33576295
The firewall doesn't need to handle NTLM, and in most cases a true firewall won't.  Thus basic authentication which is encrypted in an SSL tunnel is the alternative which really is most broadly used.  I'm assuming that your referencing Outlook and Exchange's ability to communicate over SSL - it used to be called RPC over HTTPS.
0
 
LVL 11

Assisted Solution

by:Coast-IT
Coast-IT earned 400 total points
ID: 33576298
mlongohs statement is even more confuusing ;-)

Most firewalls don't support NTLM, yet I have managed to configure RPC over HTTPS on more than several occasions through lots of different firewalls, such as ISA, Netgear, Cisco, Draytek, Sonicwall.

So you are right, the comment doesn't make sense.

All I can say is NTLM authenication works through most if not all firewalls (unless you block it somehow using port filtering on ISA for instance), even though the firewalls don't support NTLM..

Weird?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 1600 total points
ID: 33576373
Coast-IT I'm saying that the statement implies that a firewall should be able to handle NTLM authentication when in reality most do not, but Microsoft's ISA product does.  The company making the statement is referencing their firewall product's capability as if it's common place.

However in reality (not Microsoft's marketing perception), most of the time RPC over HTTPS is the preferred and implemented approach.
0
 

Author Comment

by:JerryJay
ID: 33614999
thank you all, very helpful info provided.
0
 

Author Comment

by:JerryJay
ID: 33615041
it NTLM has anything to do with firewall, then there must be a TCP/UDP port associating with it. if there is, what is it?

thanks,
Jerry
0
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 1600 total points
ID: 33626686
By default NTLM authentication uses dynamic ports, so to allow authentication traffic to pass through would require some registry changes on the "servers" to force the ports to be static.

That aside, my belief is still that the statement in question refers to MS ISA's ability to do NTLM authentication and then pass that authentication back through to the server whose services are being requested.  For example, in an Exchange 2003 environment, they introduced the concept of using Outlook to access the server through the Internet via an SSL tunnel - this works great.  However, with ISA, you don't have to go that route.  If you wanted to (I would never recommend it), you could configure an ISA server to receive the unencrypted RPC traffic and send it inside to the Exchange server.  In this scenario, the ISA server can prompt for and handle NTLM authentication (it's not routing the authentication through, it's handling the authentication task before routing the RPC traffic through).

So, when the statement was written by Microsoft, I think they were referencing their firewall product's unique ability to handle NTLM authentication, or more to the point every other firewall's "inability" to do it.

Without the ability to handle NTLM authentication (not authentication traffic but the actual task of authentication), then you should use SSL.

That's my interpretation.
0
 

Author Closing Comment

by:JerryJay
ID: 33653628
Thank you all, very helpful info.

Jerry
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question