Trouble with Per-Connection Direct Proxy Authentication

Question

Trouble with Per-Connection Direct Proxy Authentication 
 I can&rsquo;t seem to get the long-awaited per-connection direct proxy authentication working. I have added TCP/3128 to the list of services in my general Web Access firewall rule (along with HTTP/HTTPS). I have enabled &ldquo;Use per-connection AD SSO authentication for multi-user hosts&rdquo; under Authentication and listed my terminal servers. I have successfully uninstalled SATC from one of my terminal servers and enforced use of the proxy at the machine level (enforced through GPO). 
 According to what I can see, proxy authentication appears to be working correctly. Terminal server users who attempt to access webpages are correctly listed under &ldquo;Live Users&rdquo; with the type &ldquo;Multi-host client&rdquo; from the IP address and session id of the terminal server. However, those same terminal server users only ever receive the web policy filter &ldquo;blocked&rdquo; message when accessing any site, even those sites explicitly permitted by the assigned custom web policy. Firewall logs show that user-generated web traffic from the terminal server is matching my intended firewall rule (rule #2). But, when I look at the web filter logs, it shows that it is applying the web policy &ldquo;Deny All,&rdquo; even though the firewall rule (rule #2) has a &ldquo;Custom&rdquo; web policy applied. 
 To be clear, I have both HTTP/HTTPS and TCP/3128 set under Destination Services in my standard Web Access firewall rule (rule #2). My intent is to operate in &ldquo;hybrid&rdquo; mode and allow standard windows desktop clients to continuing using transparent proxy and authenticate via STAS. Terminal server users would to use direct proxy and authenticate via proxy auth (in lieu of the now depreciated SATC). This appears to be almost working and traffic from both transparent proxy clients and direct proxy clients is correctly matching the same firewall rule. But, the web policy for the direct proxy clients is wrong! It&rsquo;s as if the direct proxy traffic ignores the applied firewall rule web filtering policy. 
 Transparent HTTP/HTTPS >> Web Access Firewall Rule (#2) >> Custom web access policy (#13) >> All good. 
 Direct Proxy 3128 >> Web Access Firewall Rule (#2) >> Deny All web access policy (#2) >> No bueno. 
 Please advise.

RichBaldry · Accepted Answer

In normal use (before per-connection authentication) setting the web policy to "2" is part of how the firewall component signals to the web proxy that it should do the regular NTLM/Kerberos or Captive Portal authentication for the connection. It happens when the firewall believes it needs to know user identity to match a rule, but the user identity is not known. After the first authentication, the firewall remembers the user/IP association and treats subsequent connections as already authenticated. 
 With per-connection authentication, the firewall component doesn't know who the user is at connection time, because the authentication won't happen until the proxy sees the connection and challenges the browser for authentication. 
 It looks like you have "Match known users" and/or "Use web authentication for unknown users" set on both these firewall rules - the first screenshot doesn't show it directly, but the "Identity" section in the Summary suggests this is the case. 
 It's not necessary to enable either of these when using per-connection authentication. The firewall component will never be able to do anything based on user ID traffic from for per-connection auth hosts. Could you please try unchecking them and see if that helps. 
 If that does help, please let me know. We should probably find a way to make this more obvious or less consequential (i.e. document it better, or change the firewall behaviour for multi-user host IPs). 
 On this basis, it is most likely that you will have to have two separate firewall rules - one for the multi-user hosts (where you should specify those hosts in the 'Source' part of the rule) and another for regular endpoints using transparent mode auth.

Trouble with Per-Connection Direct Proxy Authentication

Top Replies