• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1152
  • Last Modified:

Cannot understand Microsoft's Recommendation for Outlook Anywhere - "NTLM authentication over Secure Sockets Layer (SSL)"

here is an Microsoft statement which I don't understand:
"If you are using a firewall that does not handle NTLM, you will have to use Basic authentication over SSL"

Question: Why the firewall needs to handle NTLM? it's just an authentication method, not a netowrk transfer protocal like RPC or SMTP with a tcp port binding to. Shouldn’t Firewall handle SSL be sufficient? SSL encrypted the traffic in SSL tunnel from CAS server end to Outlook client end, shouldn’t it pass through the firewall if the firewall has been told to pass SSL traffic? why has anything to do with NTLM? I am confused, Please help.

thanks in advance,
Jerry
0
JerryJay
Asked:
JerryJay
  • 4
  • 3
5 Solutions
 
mlongohCommented:
Microsoft offers a Firewall product ISA which, of course, supports NTLM authenticaion - which is part of their reverse proxy feature.  Thus the statement.
0
 
mlongohCommented:
The firewall doesn't need to handle NTLM, and in most cases a true firewall won't.  Thus basic authentication which is encrypted in an SSL tunnel is the alternative which really is most broadly used.  I'm assuming that your referencing Outlook and Exchange's ability to communicate over SSL - it used to be called RPC over HTTPS.
0
 
Coast-ITCommented:
mlongohs statement is even more confuusing ;-)

Most firewalls don't support NTLM, yet I have managed to configure RPC over HTTPS on more than several occasions through lots of different firewalls, such as ISA, Netgear, Cisco, Draytek, Sonicwall.

So you are right, the comment doesn't make sense.

All I can say is NTLM authenication works through most if not all firewalls (unless you block it somehow using port filtering on ISA for instance), even though the firewalls don't support NTLM..

Weird?
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
mlongohCommented:
Coast-IT I'm saying that the statement implies that a firewall should be able to handle NTLM authentication when in reality most do not, but Microsoft's ISA product does.  The company making the statement is referencing their firewall product's capability as if it's common place.

However in reality (not Microsoft's marketing perception), most of the time RPC over HTTPS is the preferred and implemented approach.
0
 
JerryJayAuthor Commented:
thank you all, very helpful info provided.
0
 
JerryJayAuthor Commented:
it NTLM has anything to do with firewall, then there must be a TCP/UDP port associating with it. if there is, what is it?

thanks,
Jerry
0
 
mlongohCommented:
By default NTLM authentication uses dynamic ports, so to allow authentication traffic to pass through would require some registry changes on the "servers" to force the ports to be static.

That aside, my belief is still that the statement in question refers to MS ISA's ability to do NTLM authentication and then pass that authentication back through to the server whose services are being requested.  For example, in an Exchange 2003 environment, they introduced the concept of using Outlook to access the server through the Internet via an SSL tunnel - this works great.  However, with ISA, you don't have to go that route.  If you wanted to (I would never recommend it), you could configure an ISA server to receive the unencrypted RPC traffic and send it inside to the Exchange server.  In this scenario, the ISA server can prompt for and handle NTLM authentication (it's not routing the authentication through, it's handling the authentication task before routing the RPC traffic through).

So, when the statement was written by Microsoft, I think they were referencing their firewall product's unique ability to handle NTLM authentication, or more to the point every other firewall's "inability" to do it.

Without the ability to handle NTLM authentication (not authentication traffic but the actual task of authentication), then you should use SSL.

That's my interpretation.
0
 
JerryJayAuthor Commented:
Thank you all, very helpful info.

Jerry
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now