Web Proxy - Authentication (NTLM)

Version 2.5

Applies to Platform: UTM 2.4, UTM 2.5
Last Update: 28 April 2011


If you are using an appliance equipped with the more recent 3.0 or 5.0 version, please refer to this article.

This lesson will illustrate the necessary steps to configure a more advanced web proxy with Microsoft Active Directory (NTLM) integration on a typical Endian appliance. Using this form of the web proxy, we can use already existing Active Directory groups and users to create filtering profiles for different levels of web access.


On this platform, Active Directory (NTLM) based authentication is the only way to achieve single sign-on, where users are never prompted by the browser for proxy credentials. In other words, when a user logs on to a domain-joined Windows workstation, the browser answers the proxy's NTLM challenge with the credentials of that logon session, so the user is authenticated to the web proxy automatically.

Configuration Example


The diagram above illustrates some of the basic steps involved in web proxy authentication (specifically against Active Directory). In our example, we'll use two AD groups (admin and general users) to define different levels of filtering, with a more restrictive policy for general users.

Enable the Web Proxy


The first step is to enable the web proxy by clicking the gray button (which will turn green when enabled). We'll set the operational mode for each network we want filtered to be "non-transparent".


When using the web proxy with authentication, the only supported mode is non-transparent. A browser only answers a 407 Proxy Authentication Required challenge when it knows it is talking to a proxy, so a client whose traffic is intercepted transparently can never be asked for credentials.

Configure the Log Settings


Since we want to have all web access (allowed and blocked) logged for review purposes, we're going to enable the appropriate logging options.

Click Save and then Apply the changes to proceed.

Configure the Content Filter Profile #1 (General Users)


The first profile we'll build is for our general users group and will be more restrictive in terms of web access. In this example, we're only going to configure web filtering by URL blacklist, for ease of administration. The first thing we'll do is ensure HTTP antivirus is enabled by checking the appropriate box. You can block a whole category by clicking the green arrow or, alternatively, expand the subcategories and select them individually in order to block some and not others. You can also attach custom white- or blacklists to this profile.

Click Update Profile and then Apply the changes to proceed.

Configure the Content Filter Profile #2 (Admin Users)


The next profile is for the admin group and will be less restrictive for web access. Again we're only using the URL blacklist for simplicity but you can use the other forms of filtering as well.


When you enable web filtering by phrases (Content Filtering), the proxy also blocks on categories of phrases found inside the page body. This is a more aggressive blocking strategy with a potentially higher false-positive rate.

Configure Proxy Authentication


The next step is to configure the authentication part of the web proxy, which requires joining the Endian appliance to your Active Directory domain. The key pieces of information are (1) the Authentication Realm, i.e. the Kerberos realm of the domain, which is the DNS domain name conventionally written in upper case, (2) the Domain name (typically the short NetBIOS name of the domain), (3) the hostname of the domain controller the appliance should use (labelled PDC) and (4) that controller's IP address. The BDC information is not required, so you can leave that section blank.

Click Save and then Apply the changes to proceed.


The network authentication protocol used in Active Directory (Kerberos) has strict time requirements: by default a domain controller rejects requests whose timestamp differs from its own clock by more than 5 minutes, so the clocks of the hosts involved must be synchronized. Best practice is to configure the PDC and BDC hosts as the NTP servers of the Endian appliance.

Join the Endian to the AD Server


Now we can join the domain by supplying the user name and password of a domain account that is allowed to join computers to the domain. A Domain Admin works, but an account that has only been delegated the right to create computer objects is the least-privilege choice: the credential is used for the join itself, after which the appliance authenticates with its own machine account.

Once that's done, click Join ADS and you should see a successful message (illustrated above).
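Two things the join depends on are worth checking from the appliance's shell rather than only from the web interface: the clock offset against the domain controller (the time note above) and whether winbind can actually enumerate the domain after the join (the wbinfo -u check suggested in the comments below). The script that follows is an added example, not part of the Endian article or product. It assumes the Samba tools net and wbinfo and the ntpdate client are installed, as they are on a Samba-based proxy; the hostname and domain in the usage line are placeholders, and the sample outputs embedded for the offline self-check are constructed.

```shell
#!/bin/sh
# Added example: verify the two prerequisites of an AD join on the appliance.
# Not Endian tooling; assumes Samba's net/wbinfo and ntpdate are present.

# Active Directory's default Kerberos clock-skew tolerance, in seconds.
MAX_SKEW=300

# Reads `ntpdate -q <dc>` output on stdin. Exits 0 when the reported offset
# is within MAX_SKEW, 1 when it is larger, 2 when no offset was reported
# (for example "no server suitable for synchronization found").
offset_within_skew() {
  awk -v max="$MAX_SKEW" '
    {
      for (i = 1; i < NF; i++)
        if ($i == "offset" && $(i + 1) ~ /^-?[0-9]+\.?[0-9]*,?$/) {
          o = $(i + 1); sub(/,$/, "", o)
        }
    }
    END {
      if (o == "") exit 2
      o += 0
      if (o < 0) o = -o
      if (o <= max) exit 0
      exit 1
    }'
}

# Reads `wbinfo -u` output on stdin and prints how many entries belong to the
# given NetBIOS domain (winbind prefixes users with DOMAIN\ by default).
# Zero means winbind could not enumerate the domain: the appliance is not
# joined, or DNS cannot resolve the domain controllers.
count_domain_users() {  # $1 = NetBIOS domain name
  awk -v dom="$1" 'index($0, dom "\\") == 1 { n++ } END { print n + 0 }'
}

# Constructed sample output (not captured from a real appliance), used to
# exercise the two parsers without network access.
SAMPLE_NTP_OK='server 192.168.0.5, stratum 3, offset 0.000123, delay 0.02563'
SAMPLE_NTP_BAD='server 192.168.0.5, stratum 3, offset -412.718, delay 0.02563'
SAMPLE_WBINFO='EXAMPLE\administrator
EXAMPLE\jsmith
EXAMPLE\guest'

# Live checks run only when a DC hostname and NetBIOS domain are given, e.g.
#   sh ad_join_check.sh dc1.example.local EXAMPLE      (placeholder names)
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  # -q only queries the server; it never steps the appliance clock.
  ntpdate -q "$1" | offset_within_skew || echo "clock offset vs $1 is not within ${MAX_SKEW}s"
  # testjoin validates the machine account secret against the domain.
  net ads testjoin || echo "net ads testjoin failed: re-run the join"
  n=$(wbinfo -u | count_domain_users "$2")
  [ "$n" -gt 0 ] || echo "winbind lists no $2 users: join or DNS problem"
fi
```

Run without arguments the script only defines the checks; with a DC and domain it reports each failing prerequisite on its own line, which maps directly onto the "Can't find the AD / LDAP server" symptom discussed in the comments (DNS or join) versus an authentication failure caused by clock drift.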

Configure the Access Policy (General Users)


The last step is to create an access policy, which maps a content filtering profile to a source network and, optionally, to an AD user or group. In the example above, we're creating a policy for the Green zone (entire network) so that any user in the "general users" group gets content filtering profile #1 (default).

Click Create Policy.

Configure the Access Policy (Admin Users)


Now we'll configure a separate access policy to map any Green network user belonging to the "domain admin" group to use the content filtering profile #2 (admin).

Click Create Policy and then Apply the changes.

Setup Client-Side Configuration


The easiest way to run the Endian web proxy with authentication in a semi-transparent fashion is to let the Endian appliance also serve DHCP for the networks you want proxied. It then hands out the DHCP parameters the clients need to discover the proxy, so a workstation finds and uses the proxy without any manual browser configuration or hand-distributed PAC file, provided the Internet Explorer setting shown above is in place. That setting, "Automatically detect settings" (enabled by default), turns on Web Proxy Auto-Discovery (WPAD): the browser first asks DHCP (option 252) for the proxy configuration URL and, failing that, looks up a host named wpad in its DNS domain, then fetches the PAC file from whichever URL it found. Because the client trusts whatever answers first, make sure only your own DHCP and DNS servers can answer these lookups on the proxied networks.

The IE browser setting can generally be found under Tools > Internet Options > Connections tab > LAN Settings.

Test the Web Proxy


You can test your configuration now by browsing the Internet from the Green network and testing different user logins (admin and general user) to verify the appropriate content filtering profiles are being applied.

Verify Logging


You can also watch the web traffic in real time by going to Logs > Live Log Viewer and selecting the "Web Proxy" log. In both the live log viewer and the regular proxy logs (pictured above) each request is tagged with the authenticated username, which is what makes monitoring individual users' web behaviour possible.
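Because every request carries the username, the proxy log can be summarised per user instead of per client address. The script below is an added example, not from the Endian article: it assumes the log is in Squid's native format (field 4 is result/status, field 8 the winbind DOMAIN\user name) and that requests the filter blocks are logged as TCP_DENIED/403; the log lines embedded in it are constructed, and the log file path on a real appliance varies by release.

```shell
#!/bin/sh
# Added example: per-user summary of a Squid-style proxy access log.
# Assumes Squid native log format; the sample lines are constructed.

SAMPLE_LOG='1303990001.123    120 192.168.0.10 TCP_MISS/200 5120 GET http://www.example.com/ DOMAIN\jsmith DIRECT/93.184.216.34 text/html
1303990001.600      0 192.168.0.10 TCP_DENIED/407 1200 GET http://www.example.com/ - NONE/- text/html
1303990002.456      0 192.168.0.10 TCP_DENIED/403 3500 GET http://ads.example.net/x.gif DOMAIN\jsmith NONE/- text/html
1303990003.001     80 192.168.0.10 TCP_DENIED/403 3500 GET http://games.example.org/ DOMAIN\jsmith NONE/- text/html
1303990004.777    200 192.168.0.20 TCP_MISS/200 8000 GET http://games.example.org/ DOMAIN\admin1 DIRECT/203.0.113.7 text/html
1303990005.100     50 192.168.0.20 TCP_HIT/200 900 GET http://www.example.com/logo.png DOMAIN\admin1 NONE/- image/png'

# stdin: access log lines.  stdout: "<user> <requests> <blocked>" per user,
# sorted bytewise.  A 407 line is the NTLM handshake (the proxy challenges
# before it knows the user), so it is counted under "-" but not as a block.
proxy_user_summary() {
  awk '
    {
      split($4, r, "/")          # r[1] = TCP_DENIED, r[2] = 403
      total[$8]++
      if (r[1] == "TCP_DENIED" && r[2] == "403") blocked[$8]++
    }
    END {
      for (u in total) printf "%s %d %d\n", u, total[u], blocked[u] + 0
    }' | LC_ALL=C sort
}

# stdin: proxy_user_summary output.  Prints users whose blocked share is at
# least $1 percent, i.e. the accounts worth a closer look in the full log.
# The anonymous "-" bucket is skipped: it is handshake noise, not a person.
users_over_block_ratio() {  # $1 = threshold percent
  awk -v t="$1" '$1 != "-" && $2 > 0 && 100 * $3 / $2 >= t { print $1 }'
}

# Offline demonstration on the constructed lines.  On an appliance, feed the
# real log instead:  proxy_user_summary < /path/to/proxy/access.log
printf '%s\n' "$SAMPLE_LOG" | proxy_user_summary
printf '%s\n' "$SAMPLE_LOG" | proxy_user_summary | users_over_block_ratio 50
```

On the sample data the summary reports one blocked request for the anonymous handshake bucket, none for the admin user and two of three for the general user, so only that account crosses a 50 percent threshold; tuning the threshold against your own policy is what turns this from a report into a detection.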


  • Would like to see this expanded to include

    1. a mention of what should be done with the firewall setup when using the proxy, as well as the DNS

    2. using the local authentication (NCSA)

  • Romeo Andreica

    Thanks Riaan, about (1) we could add this kind of hint in this article. About (2) I would say we need a different article; I'm going to post the request.

  • Hi Luca

    When making the article about local (NCSA) authentication please put specific emphasis on the WPAD automatic proxy detection - because it does not want to work on 2.4.1, Thanks

  • Thao Bui Ngoc

    I can't join EW to AD, I'm using EW 2.5.x software

  • Rafael Condidorio

    I was able to join Endian 2.4.1 into our domain, however, when I tried to create an Access Policy and selected Group Based or User Based, I received the following message: Can't find the AD / LDAP server.

    I simply can't understand why this error is occurring and what the solution could be. I tried googling over the internet for hours, reading several tutorials and guides, however no one says how this problem can be solved.

    Thank you all for any information that leads to a clue.

  • Romeo Andreica

    For everybody: if you have an enterprise version please open a support ticket; for community I suggest starting by upgrading to 2.5.

  • Cleber Constante de Souza

    I have the same problem, Rafael, with Endian 2.5.1 and 2.5.2.

    The AD join runs fine. Afterwards, in the Access Policy, I received the same message: Can't find the AD / LDAP server. :(

    Luca, any suggestion?

  • Alan Denton

    To cure the AD / LDAP server not found, add the following:

    Proxy -> DNS -> DNS routing -> Add new custom nameserver for a domain. Add your AD domain name and the IP address of the primary DNS server in your domain

    Network->Edit Hosts->Add a host. Add the name and IP address of the PDC (and BDC if required) you are specifying in the proxy

  • Cleber Constante de Souza

    I had already done this and the problem persists.

  • Luca Radaelli

    Try restarting the emi service from SSH with this command: /etc/init.d/emi restart

  • Cleber Constante de Souza

    Thanks, Luca. But the command didn't solve the problem.

    I think I'll have to reinstall Endian.

    Any other suggestions would be welcome.

    [ ]'s

  • Luca Radaelli

    Check if the time is synced with your AD controller and run wbinfo -u from SSH; if this command returns an error it means that Endian is not joined to your AD environment or you have a DNS issue. If you experience other issues I suggest opening a ticket if you are an enterprise customer.

  • михаил иванов

    I have a problem with an AD tree. Endian works with one realm. However, I want to authenticate users through 2 domains in a forest. If I manually edit krb5.conf, it always gets rewritten by the Endian web interface -> proxy. How can I authenticate users in an AD forest with several domains? Sorry for my English. Thanks.

  • Julian Mendax

    I'm new to Endian; I come from the world of pfSense and Cisco. I'm in a not very complex environment, with about 100 users, a DC server (Windows 2008 Enterprise) and one Endian 3.0 (Core i5), and I followed the tutorial linked below from scratch to set up an "unauthenticated" proxy using "NTLM". Using this tutorial, the setup itself is correct! I can see the groups in AD DS and the Endian machine in the Endian container in AD DS on the Windows Server 2008;

    The authentication happens perfectly, but no surfing! I have already checked the DNS on both (Server / Client), and the settings I made follow below.

    Could someone give me a "light" on what is going on? I accept suggestions for improvements in the environment, please. Thanks.

    Julian Mendax