windows 7 client problem


Not Ranked
3 Posts
gabrix01 posted on 14 Sep 2011 5:39 AM

Hi all, I've a problem with my Web Security. The environment is:

- SQUID proxy with NTLM authentication

- Network agent installed on the SQUID machine

- Websense Web Security Standalone 7.1 installed on Windows Server 2003

 

In the last 2 years everything worked fine (with XP clients), but now with Windows 7 clients users are very frequently receiving the authentication popup request. It is very strange, because Websense is configured as "apply default policy" if authentication fails and not as "prompt for authentication". Once the credentials are entered the user can browse the page, but after some minutes he's getting the popup again and again....

Filtering and user identification are working fine (policies are correctly applied and users are recognized).

Notice that if I shut down n.a. on the squid machine no more popups are prompted to the users.

I don't understand why on XP machines everything is OK and only on Win7 I'm getting the popup.

 

Can anybody help me?

Many thanks in advance

Gabriele

 

|

All Replies

Top 10 Contributor
2,777 Posts
Editor
Moderator
Suggested by Jacob S

It's actually fairly simple.  Network Agent doesn't get the user id from squid.  Filter Service has to use an XID agent for Network Agent.  XID Agent, such as DC Agent, isn't picking up the right users because Windows 7 has this "anonymous logon" account that it uses with the domain to check certain things, and that screws up the DC Agent.  You need to add "anonymous logon" to ignore.txt in \Websense\Bin on the DC Agent machine(s).

JACOB SLOAN, CCNA, WCSE

 

|
Top 10 Contributor
466 Posts
Trusted Users (MVP)

The popup requests are probably coming from Squid not Websense. When the popup occurs you can tell by looking at the actual message.

I suspect that Windows7 is using NTLMv2 and Squid is not supporting this and then prompting the user.

|
Top 10 Contributor
2,777 Posts
Editor
Moderator

mlpotgieter:

I suspect that Windows7 is using NTLMv2 and Squid is not supporting this and then prompting the user.

Actually she says that she stops Network Agent, and the popups stop. This is a clear indication that squid is not causing the prompts, Network Agent and the Filter Service are.

JACOB SLOAN, CCNA, WCSE

 

|
Top 10 Contributor
466 Posts
Trusted Users (MVP)

J Sloan:

Actually she says that she stops Network Agent, and the popups stop. This is a clear indication that squid is not causing the prompts, Network Agent and the Filter Service are.

Yes I saw that but she also says that Websense is configured to apply the default policy when a user isn't identified and not configured to prompt. My thinking was that it was coincidence that the prompts did not occur when the NA and filtering services were stopped, with the NTLM credentials being cached. I suppose it would be useful to know how long the NA and filtering services were stopped for and actually have a look at the prompt.

 

|
Not Ranked
3 Posts

I asked the customer:

 

- popup is from SQUID and not from the Websense machine

- He confirmed that if he stops n.a. on squid everything works fine, so it seems not to be a coincidence

 

Tomorrow I will be at the customer's offices and I'll try to add anonymous users to ignore.txt

 

I will update you ASAP.

Many thanks again

|
Not Ranked
3 Posts

Here I am. I've just verified the environment.

I confirm what the customer said to me yesterday, so:

1) only Win 7 machines (32 and 64 bit) are affected

2) authentication popup is coming from the squid machine and not from the WS machine

3) if I stop N.A. on Squid no authentication popup appears (but I'm also not filtered).

 

I tried to stop all WS services and add "anonymous logon" to ignore.txt, then start all services, but nothing changed. I'm still having the "random" authentication popup.

Just one thing: the popup appears when in the page requested there is a part not allowed by the WS policies (for example, a sports gadget in iGoogle). If the page is totally allowed or totally denied, no popup appears and I'm correctly allowed or blocked.

 

Any idea?

 

Thank you

|
Top 50 Contributor
53 Posts

If it's the same/similar problem that I was getting, which basically was intermittent Internet access problems when running Windows 7 or Windows Vista PCs through the Websense Proxy, then perhaps this will help you.

Frequently, what was happening was that the content filter page would come up denying access to the Internet because it couldn't see any user credentials and because my default policy is set to block on non-authentication.  Perhaps your Squid Proxy is having a similar issue and maybe following the steps below could help.

What I found was that the problem was due to a new feature in Windows Vista and Windows 7 called the "Network Connectivity Status Indicator" (NCSI), which shows up as a little globe icon that shows up over the network interface icon in the system tray.

What a Vista/7 workstation will do is make a request for http://www.msftncsi.com/ncsi.txt .  If the OS gets a response, then it assumes that the PC has internet connectivity.  If it cannot reach http://www.msftncsi.com/ncsi.txt, then the OS will assume there is no internet connectivity.

What NCSI does is authenticate with the machine name as its username instead of the user that is logged in and that is what's causing the problem.

For more info on NCSI and how you can control it, follow this link:

http://technet.microsoft.com/en-us/library/cc766017(WS.10).aspx

What else you should know is that essentially, if you're NOT behind a proxy, i.e., it's a broadband (ADSL) connection, then technically the Windows PC is "phoning home" to Microsoft's server and if you read Microsoft's privacy statement, the NCSI system retains the time and access of any IP addresses that make requests to its host (www.msftncsi.com).

As I've stated above, you could knock off this feature or what I did was to create an entry in the Websense Content Gateway under the Configure Tab, Security Section, Access Control, Filtering, adding the following lines:

allow   dest_domain   www.msftncsi.com         src_ip=0.0.0.0-255.255.255.255
allow   dest_host   www.msftncsi.com         src_ip=0.0.0.0-255.255.255.255

As I'm using NTLM, this tells the WCG NOT to request credentials from hosts requesting that URL.

Good luck and I hope that helps.

|
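Added example, not part of the original thread: a way to check from the proxy side which requests draw a 407 challenge and which are authenticated with a computer account, the two behaviours discussed in the replies above. It assumes Squid's native access.log layout with the username in the eighth field; the sample lines, addresses and account names are constructed.

```python
"""Tally Squid 407 challenges and computer-account logins per client and host."""
from collections import Counter
from urllib.parse import urlsplit

NCSI_HOST = "www.msftncsi.com"  # probe host named in the post above

# Constructed sample lines (Squid native access.log layout), not from the thread.
SAMPLE_LOG = """\
1316000000.101      2 10.0.0.21 TCP_DENIED/407 1790 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1316000000.350     88 10.0.0.21 TCP_MISS/200 14 GET http://www.msftncsi.com/ncsi.txt CORP\\WIN7-PC21$ DIRECT/192.0.2.10 text/plain
1316000004.512      1 10.0.0.21 TCP_DENIED/407 1802 GET http://www.example.com/gadget.js - NONE/- text/html
1316000004.900    140 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.com/gadget.js CORP\\alice DIRECT/192.0.2.20 application/javascript
1316000009.020      3 10.0.0.35 TCP_MISS/200 900 GET http://www.example.com/ CORP\\bob DIRECT/192.0.2.20 text/html
"""


def parse_line(line):
    """Return the fields we need from one native-format line, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    method, url = f[5], f[6]
    # CONNECT logs host:port; other methods log a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return {"client": f[2], "status": f[3].partition("/")[2],
            "host": (host or url).lower(), "user": f[7]}


def summarize(log_text):
    """Count 407s and computer-account ('NAME$') requests per (client, host)."""
    challenges, machine_auth = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["host"])
        if rec["status"] == "407":
            challenges[key] += 1      # part of every NTLM handshake; repeats matter
        elif rec["user"].endswith("$"):
            machine_auth[key] += 1    # request authenticated as the machine, not a user
    return challenges, machine_auth


def ncsi_clients(log_text):
    """Clients whose NCSI probe was challenged or sent with a computer account."""
    challenges, machine_auth = summarize(log_text)
    return sorted({c for c, h in set(challenges) | set(machine_auth) if h == NCSI_HOST})


if __name__ == "__main__":
    ch, ma = summarize(SAMPLE_LOG)
    print("407 challenges:", dict(ch))
    print("computer-account requests:", dict(ma))
    print("NCSI clients:", ncsi_clients(SAMPLE_LOG))
```

Comparing the timestamps of 407 entries with the moments users report a popup shows whether Squid issued the challenge and for which URL.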