Solved

Cannot understand Microsoft's Recommendation for Outlook Anywhere - "NTLM authentication over Secure Sockets Layer (SSL)"

Posted on 2010-09-01
Last Modified: 2012-06-21
Here is a Microsoft statement which I don't understand:
"If you are using a firewall that does not handle NTLM, you will have to use Basic authentication over SSL"

Question: Why does the firewall need to handle NTLM? It's just an authentication method, not a network transfer protocol like RPC or SMTP with a TCP port bound to it. Shouldn't the firewall handling SSL be sufficient? SSL encrypts the traffic in an SSL tunnel from the CAS server end to the Outlook client end; shouldn't it pass through the firewall if the firewall has been told to pass SSL traffic? Why does it have anything to do with NTLM? I am confused, please help.

thanks in advance,
Jerry
Question by:JerryJay
8 Comments

Accepted Solution by mlongoh (earned 400 total points), ID: 33576272
Microsoft offers a firewall product, ISA, which, of course, supports NTLM authentication - which is part of their reverse proxy feature.  Thus the statement.

Assisted Solution by mlongoh (earned 400 total points), ID: 33576295
The firewall doesn't need to handle NTLM, and in most cases a true firewall won't.  Thus basic authentication, which is encrypted in an SSL tunnel, is the alternative which really is most broadly used.  I'm assuming that you're referencing Outlook and Exchange's ability to communicate over SSL - it used to be called RPC over HTTPS.

Assisted Solution by Coast-IT (earned 100 total points), ID: 33576298
mlongoh's statement is even more confusing ;-)

Most firewalls don't support NTLM, yet I have managed to configure RPC over HTTPS on more than several occasions through lots of different firewalls, such as ISA, Netgear, Cisco, Draytek, Sonicwall.

So you are right, the comment doesn't make sense.

All I can say is NTLM authentication works through most if not all firewalls (unless you block it somehow using port filtering on ISA, for instance), even though the firewalls don't support NTLM.

Weird?

Assisted Solution by mlongoh (earned 400 total points), ID: 33576373
Coast-IT, I'm saying that the statement implies that a firewall should be able to handle NTLM authentication when in reality most do not, but Microsoft's ISA product does.  The company making the statement is referencing their firewall product's capability as if it's commonplace.

However in reality (not Microsoft's marketing perception), most of the time RPC over HTTPS is the preferred and implemented approach.

Author Comment by JerryJay, ID: 33614999
Thank you all, very helpful info provided.

Author Comment by JerryJay, ID: 33615041
If NTLM has anything to do with the firewall, then there must be a TCP/UDP port associated with it. If there is, what is it?

thanks,
Jerry

Assisted Solution by mlongoh (earned 400 total points), ID: 33626686
By default NTLM authentication uses dynamic ports, so to allow authentication traffic to pass through would require some registry changes on the "servers" to force the ports to be static.

That aside, my belief is still that the statement in question refers to MS ISA's ability to do NTLM authentication and then pass that authentication back through to the server whose services are being requested.  For example, in an Exchange 2003 environment, they introduced the concept of using Outlook to access the server through the Internet via an SSL tunnel - this works great.  However, with ISA, you don't have to go that route.  If you wanted to (I would never recommend it), you could configure an ISA server to receive the unencrypted RPC traffic and send it inside to the Exchange server.  In this scenario, the ISA server can prompt for and handle NTLM authentication (it's not routing the authentication through, it's handling the authentication task before routing the RPC traffic through).

So, when the statement was written by Microsoft, I think they were referencing their firewall product's unique ability to handle NTLM authentication, or more to the point every other firewall's "inability" to do it.

Without the ability to handle NTLM authentication (not authentication traffic but the actual task of authentication), then you should use SSL.

That's my interpretation.
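The thread never spells out what "handling" NTLM would actually involve for a proxy. As an added illustration (not from any poster on this page): NTLM over HTTP is a three-message handshake whose state is bound to the TCP connection, while Basic sends the whole credential in every request, which is why a firewall that merely passes the SSL stream is fine but an HTTP-level proxy that re-opens backend connections is not. The snippet below parses both Authorization header forms and models the NTLM handshake with and without connection affinity; the header values and the NtlmBackend class are constructed for this example.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample headers, not captured traffic: a Basic credential for a
# made-up user, and an NTLM Type 1 message cut down to signature, type and flags.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"jerry:Pa55w0rd").decode()
SAMPLE_NTLM_NEGOTIATE = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207)).decode()

def classify_authorization(header_value):
    """Return (scheme, detail) for an HTTP Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() == "BASIC":
        # Basic is self-contained: every request carries the full credential, so
        # a proxy can check or forward it with no per-connection state.
        user = base64.b64decode(token).decode("utf-8").split(":", 1)[0]
        return "Basic", user
    if scheme.upper() == "NTLM":
        raw = base64.b64decode(token)
        if raw[:8] != NTLMSSP_SIGNATURE:
            raise ValueError("not an NTLMSSP message")
        msg_type = struct.unpack_from("<I", raw, 8)[0]  # little-endian uint32
        return "NTLM", NTLM_TYPES.get(msg_type, "UNKNOWN")
    return scheme, None

class NtlmBackend:
    """Toy NTLM acceptor: the handshake state lives on the TCP connection."""
    def __init__(self):
        self.challenged = set()  # connection ids that were sent a CHALLENGE

    def handle(self, conn_id, leg):
        if leg == "NEGOTIATE":
            self.challenged.add(conn_id)
            return 401  # a real server answers 401 + WWW-Authenticate: NTLM <Type 2>
        if leg == "AUTHENTICATE" and conn_id in self.challenged:
            self.challenged.discard(conn_id)
            return 200
        return 401  # AUTHENTICATE on a connection that never got a challenge

def run_handshake(keeps_affinity):
    """Send NEGOTIATE then AUTHENTICATE and return the final HTTP status.
    True: firewall passes the TCP/SSL stream untouched (or an NTLM-aware proxy).
    False: HTTP proxy opens a new backend connection per request, stranding leg 2."""
    backend = NtlmBackend()
    backend.handle(1, "NEGOTIATE")
    return backend.handle(1 if keeps_affinity else 2, "AUTHENTICATE")
```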

Author Closing Comment by JerryJay, ID: 33653628
Thank you all, very helpful info.

Jerry