Background
Symantec Web Gateway is state of the art proxy and web filtering solution for corporate local area networks. It has the capability to authenticate end users and provide them secure web browsing experience as per organization’s policies and requirements.
SWG can use one of the 2 authentication mechanisms available in it named
- Domain Controller Interface (DCI)
- NTML Authentication
SWG can only use one of these methods at a time.
Comparison of NTLM authentication and DC Interface Mechanisms
NTLM and DC Interface provide different kinds of authentication mechanisms and have difference in functionality as well.
DC Interface
DCI works by integrating with domain controllers in an organization. In order to do so we need to install a small piece of software on domain controller. This software actually integrates SWG with corporate domain.
How DCI Works
The SWG connects routinely to the DC to obtain all known users LDAP group information.
1- User logs on to computer.
2- DC Interface agent on Domain Controller detects logon event and sends user details and IP address to SWG.
3- User connects to Internet.
4- SWG matches connecting IP address to user with information received from DC Interface.
5- SWG obtains LDAP group membership information from DC.
6- SWG applies appropriate policy based on LDAP information.
7- In the event that no matching logged on Domain User is identified, the SWG will apply the next IP based policy or the default policy.
NTLM Authentication
NTLM Authentication configuration accomplishes by providing corporate domain controller’s IP and credentials to SWG’s configuration tab for NTLM authentication. It does not require installation of any additional software on domain controller.
How NTLM Authentication Works
1- SWG Administrator creates an Authentication policy set to Ignore, Authenticate no Enforce or Enforce.
2- The SWG connects routinely to the DC to obtain all known users LDAP group information.
3- User connects to the Internet site via the proxy.
4- Users browser receives an NTLM challenge from the Web Gateway.
5- Users browser responds transparently with a hash of the users credentials.
6- The Web Gateway connects to Domain Controller (noted in LDAP settings) to verify credentials.
8- If verification succeeds, policies are applied according to LDAP information.
9- In the event that the NTLM process is not working correctly, or the users LDAP information is not yet known, the SWG will apply the next IP based policy or the default policy.
Comparison of NTLM and DC Interface Features
NTLM has some Advantages over DC Interface
DCI | NTLM |
Provides only user identification service. | Provides both Identification and Authentication services |
Integration with domain controller requires installation of agent software on at least one of the domain controllers in the environment | Integration with domain controller does not require any additional software |
Policy is mapped on the basis of initially assigned IP to a machine. This results is policy mismatch if user switches the machine | Policy is based on username and only works for designated user |