NTLM proxy authentication and the iPad

We have Blue Coat proxies using NTLM authentication to access the internet.
After entering your credentials, the iPad hangs until a timeout error occurs.

Recording the conversation at the proxy reveals that the iPad does not respond to the challenge handshake.

My question is: How do I configure the iPad to make it work?

iPad, Other OS, iPad

Posted on Jun 9, 2010 5:37 PM

18 replies

Nov 22, 2010 1:39 PM in response to xnw3i23nw8

Thanks for the Bluecoat config heads up.

We have had the same issue here except we currently use Microsoft ISA proxies.

Basically, the problem we have been having is that the iPad and iPhones do not feed everything through the proxy settings.

For example, any HTML video streams call QuickTime, which refuses to use the proxy settings on the wireless.

Apple's products are really not enterprise ready and need more work to work with enterprise infrastructure and security setups. The customers want them... so here's hoping Apple's listening.

We are currently looking to replace ISA with a transparent Blue Coat implementation so that we don't have to have proxies on our wireless network to get around this issue. I wonder how many other companies are going through the same issue...

Also, Apple advised 4.2 would fix a number of our issues, although I cannot see anything relating to this proxy over wireless with NTLM authentication issue in the release notes... here's hoping! 🙂

Oct 13, 2011 10:29 PM in response to xnw3i23nw8

We are not able to access the internet proxy on the iPad 2 post iOS 5, also in the "Safari" browser.

We are unable to find any place to set up the proxy server setting. But as per our understanding, the network engine issue is that we are not able to define LM & NTLM based authentication.

How do we add LM and NTLM based authentication?


Warm Regards, Neeraj

Oct 21, 2011 7:19 AM in response to neerajfrommumbai

On the iPad 2 with iOS 5 you can set proxy settings under the Settings app > Wi-Fi > choose the network you are going to use to access the internet. Then at the bottom of that page you will see HTTP Proxy with three buttons: Off, Manual, and Auto.

The Manual button will give you a place for the proxy server and the port to access it from, and it has Authentication that you can turn on; from the looks of it, it is only Basic Auth and not Digest.

The Auto button gives you a place to put a web address to a PAC file link.


I hope this helps.

May 24, 2012 1:51 PM in response to xnw3i23nw8

If anyone still has this issue with iOS mobile devices and Blue Coat proxies, then you can contact me to tell you how to properly configure your ProxySG to work well with iOS mobile devices. We have had the same issue and it took me 2 weeks trying to figure out how to make it work. Eventually I found the trick and I was able to make it work when Blue Coat support told me that the only way is to disable authentication.


Disabling authentication for mobile devices was not an option I wanted to entertain at all, so I continued to work on the issue until I was able to make it work.


Basically, I had to create separate authentication policies for mobile devices using "Proxy IP" as the authentication mode (for mobile devices only). I also had to create several other policies in the different layers to make the different pieces work. Heavy User-Agent based policies were also created to identify the mobile device.

Oct 15, 2012 2:43 PM in response to RichardWhelan

Guys,


Sorry for not replying, but I continue to forget to get the snapshots at work. If I recall correctly, here are some steps:


  1. In the "authentication" layer, in the "Source" column, create a combined object and add the following user agents to it: "iPhone", "iPad", and "MobileSafari"
  2. Select that combined object in the source
  3. Set it to authentication and set auth type to "Proxy IP"
  4. Go back to proxy management, under the "Configuration" tab, go to "Authentication" and then select your IWA Authentication Realm.
  5. Edit that; in there, there is a setting for "surrogate refresh time", set that to some large number such as 8 hours or so. Remember, if you don't set the surrogate setting, it will work, but you will run into random cases where a specific session does not contain a "user agent" that matches the ones you created in step # 1. The surrogate setting should resolve that conflict.
  6. The rest of the rules are related to your actual normal ACL to restrict the mobile devices from going where they should not.


I may be missing a step or two, forgive me, as I'm pulling this off of memory, but I will do my best to remember when I'm at work to get the detailed instructions on how I did it.


PS: Your mobile device should point to the proxy, or if you have WCCP set, then that's a different case; I did not test the mobile device under that scenario. However, you will need to type in your credentials as well in the mobile device under the "Proxy settings". Remember, when your "Domain" policy dictates that the user password must be changed every xx days, you will need to update your password in the mobile device at the same time.


Message was edited by: KojiKabuto
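
The interaction between the User-Agent rule (step 1) and the surrogate refresh time (step 5) in the post above can be seen in a small model. This is an added example, not part of the original post and not ProxySG code or policy syntax; the class, the decision names, the sample User-Agent strings and the traffic are constructed for illustration, and credential checking is assumed to succeed.

```python
# Simplified model of the policy described in the post above; not ProxySG code.
from dataclasses import dataclass, field

MOBILE_TOKENS = ("iPhone", "iPad", "MobileSafari")  # step 1 of the post
SURROGATE_TTL = 8 * 3600                            # step 5: "8 hours or so"

@dataclass
class Proxy:
    surrogate_ttl: int = SURROGATE_TTL
    surrogates: dict = field(default_factory=dict)  # client IP -> (user, expiry)

    def handle(self, now, ip, user_agent, credentials=None):
        """Return (decision, user) for one request at time `now` (seconds)."""
        entry = self.surrogates.get(ip)
        if entry and now < entry[1]:
            # Valid IP surrogate: the request inherits the identity,
            # whatever User-Agent it carries.
            return ("allow", entry[0])
        self.surrogates.pop(ip, None)
        if any(tok in user_agent for tok in MOBILE_TOKENS):
            if credentials is None:
                return ("challenge-proxy", None)    # 407; client retries with creds
            user = credentials[0]                   # assumed valid (check elided)
            self.surrogates[ip] = (user, now + self.surrogate_ttl)
            return ("allow", user)
        # No surrogate and no matching User-Agent: the normal NTLM rule applies,
        # the handshake the original poster saw the iPad fail to answer.
        return ("challenge-ntlm", None)

def replay(proxy, requests):
    """Run (time, ip, user_agent, credentials) tuples through the model."""
    return [proxy.handle(*r) for r in requests]

# Constructed sample traffic; both User-Agent strings are illustrative.
SAFARI = "Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) Safari"
MEDIA = "ExampleMediaPlayer/1.0"                    # carries no mobile token
SAMPLE = [
    (0, "10.0.0.5", SAFARI, None),
    (1, "10.0.0.5", SAFARI, ("alice", "secret")),
    (60, "10.0.0.5", MEDIA, None),                  # covered by the surrogate
    (60, "10.0.0.9", MEDIA, None),                  # other IP, no surrogate
    (8 * 3600 + 2, "10.0.0.5", MEDIA, None),        # surrogate has expired
]

if __name__ == "__main__":
    for req, result in zip(SAMPLE, replay(Proxy(), SAMPLE)):
        print(req[0], req[1], req[2][:22], "->", result)
```

Because the surrogate is keyed on the client IP alone, every request from that address is attributed to the authenticated user until it expires, so the refresh time is also the window during which a shared or reassigned address keeps the previous user's identity.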
