Solved

Cannot understand Microsoft's Recommendation for Outlook Anywhere - "NTLM authentication over Secure Sockets Layer (SSL)"

Posted on 2010-09-01
8
1,149 Views
Last Modified: 2012-06-21
Here is a Microsoft statement which I don't understand:
"If you are using a firewall that does not handle NTLM, you will have to use Basic authentication over SSL"

Question: Why does the firewall need to handle NTLM? It's just an authentication method, not a network transfer protocol like RPC or SMTP with a TCP port bound to it. Shouldn't a firewall handling SSL be sufficient? SSL encrypts the traffic in an SSL tunnel from the CAS server end to the Outlook client end, so shouldn't it pass through the firewall if the firewall has been told to pass SSL traffic? Why does it have anything to do with NTLM? I am confused, please help.

thanks in advance,
Jerry
0
Question by:JerryJay
8 Comments
 
LVL 12

Accepted Solution

by:
mlongoh earned 400 total points
ID: 33576272
Microsoft offers a firewall product, ISA, which, of course, supports NTLM authentication - which is part of their reverse proxy feature.  Thus the statement.
0
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 400 total points
ID: 33576295
The firewall doesn't need to handle NTLM, and in most cases a true firewall won't.  Thus basic authentication which is encrypted in an SSL tunnel is the alternative which really is most broadly used.  I'm assuming that you're referencing Outlook and Exchange's ability to communicate over SSL - it used to be called RPC over HTTPS.
0
 
LVL 11

Assisted Solution

by:Coast-IT
Coast-IT earned 100 total points
ID: 33576298
mlongoh's statement is even more confusing ;-)

Most firewalls don't support NTLM, yet I have managed to configure RPC over HTTPS on more than several occasions through lots of different firewalls, such as ISA, Netgear, Cisco, Draytek, Sonicwall.

So you are right, the comment doesn't make sense.

All I can say is NTLM authentication works through most if not all firewalls (unless you block it somehow using port filtering on ISA for instance), even though the firewalls don't support NTLM.

Weird?
0
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 400 total points
ID: 33576373
Coast-IT I'm saying that the statement implies that a firewall should be able to handle NTLM authentication when in reality most do not, but Microsoft's ISA product does.  The company making the statement is referencing their firewall product's capability as if it's common place.

However in reality (not Microsoft's marketing perception), most of the time RPC over HTTPS is the preferred and implemented approach.
0
 

Author Comment

by:JerryJay
ID: 33614999
Thank you all, very helpful info provided.
0
 

Author Comment

by:JerryJay
ID: 33615041
If NTLM has anything to do with the firewall, then there must be a TCP/UDP port associated with it. If there is, what is it?

thanks,
Jerry
0
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 400 total points
ID: 33626686
By default NTLM authentication uses dynamic ports, so to allow authentication traffic to pass through would require some registry changes on the "servers" to force the ports to be static.

That aside, my belief is still that the statement in question refers to MS ISA's ability to do NTLM authentication and then pass that authentication back through to the server whose services are being requested.  For example, in an Exchange 2003 environment, they introduced the concept of using Outlook to access the server through the Internet via an SSL tunnel - this works great.  However, with ISA, you don't have to go that route.  If you wanted to (I would never recommend it), you could configure an ISA server to receive the unencrypted RPC traffic and send it inside to the Exchange server.  In this scenario, the ISA server can prompt for and handle NTLM authentication (it's not routing the authentication through, it's handling the authentication task before routing the RPC traffic through).

So, when the statement was written by Microsoft, I think they were referencing their firewall product's unique ability to handle NTLM authentication, or more to the point every other firewall's "inability" to do it.

Without the ability to handle NTLM authentication (not authentication traffic but the actual task of authentication), then you should use SSL.

That's my interpretation.
0
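To make the thread's point concrete (both NTLM and Basic ride inside the HTTP request, so a firewall that passes TCP 443 sees neither; only a TLS-terminating reverse proxy such as ISA can act on them), here is an added example, not code from the thread or from Microsoft, that inspects an HTTP `Authorization` header the way such a proxy or a defender's traffic review would. The sample header values are constructed inline, and the NTLM Type 1 message is built from the documented NTLMSSP layout (signature, message type, flags, two empty fields); the flag value used is an assumed typical NEGOTIATE value.

```python
import base64
import struct

# Constructed sample: Basic auth for user "alice" (credentials are only
# base64-encoded, so without SSL/TLS they are readable on the wire).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:Passw0rd").decode()

def build_ntlm_negotiate(flags=0xE2088297):
    """Build an NTLM Type 1 (NEGOTIATE) token as a client would send it.
    Layout: 8-byte signature, uint32 type, uint32 flags, then the domain
    and workstation fields (len, maxlen, offset), both empty here."""
    sig = b"NTLMSSP\x00"
    body = struct.pack("<II", 1, flags)
    body += struct.pack("<HHI", 0, 0, 32) * 2
    return "NTLM " + base64.b64encode(sig + body).decode()

def classify_authorization(header_value, over_tls):
    """Classify an Authorization header and report whether the password
    itself is exposed to anyone who can read the (non-TLS) HTTP stream.
    Neither scheme has its own TCP port: the firewall only ever sees the
    HTTP or HTTPS connection carrying these headers."""
    scheme, _, token = header_value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
        return {"scheme": "Basic", "user": user,
                "password_in_clear": not over_tls}
    if scheme == "ntlm":
        raw = base64.b64decode(token)
        if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
            return {"scheme": "NTLM", "error": "malformed NTLMSSP token"}
        msg_type = struct.unpack_from("<I", raw, 8)[0]  # 1=NEGOTIATE 2=CHALLENGE 3=AUTHENTICATE
        # NTLM is challenge/response: the password never appears in the message.
        return {"scheme": "NTLM", "message_type": msg_type,
                "password_in_clear": False}
    return {"scheme": scheme, "password_in_clear": False}

if __name__ == "__main__":
    print(classify_authorization(SAMPLE_BASIC, over_tls=False))
    print(classify_authorization(build_ntlm_negotiate(), over_tls=True))
```

The Basic result with `over_tls=False` is exactly the case Microsoft's sentence warns against, which is why Basic is only acceptable inside the SSL tunnel.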
 

Author Closing Comment

by:JerryJay
ID: 33653628
Thank you all, very helpful info.

Jerry
0