BlackBerry Forums Support Community               

Old 11-02-2010, 04:30 AM   #1 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 
Join Date: Oct 2008
Model: 8900
OS: 4.6.1.310
PIN: N/A
Carrier: o2
Posts: 9
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default MDS, NTLM and SmoothWall

Hi Guys,

I have been checking the forums and this subject seems to have been done to death. So at a risk of re-inventing the wheel I really need some help.

I have just installed a new SmoothWall FireWall and Proxy which is configured to use NTLM Authentication. (My previous FireWall did not use Authentication because that was taken care of by Netware eDir), and my BES is 4.1 for GroupWise

I have modified the MdsLogin.conf file, replacing COMPANY.COM with our AD Domain and modified the Proxy Settings to reflect the IP Address and Port of the SmoothWall for Http and Https.

Here's the issue: I do not wish to have the BB Users put in a username or password to access the Internet.

If I change the http 'Support HTTP Authentication' setting to True, then the BB Users get prompted to login with username and password at our AD Domain (so I guess that the MdsLogin.conf is doing its job?). If I set this setting back to False, the BB users get a '401 not Authorised' error back from the SmoothWall.

I have tried many different combinations of Username and Password in the Proxy settings; Username, Domain\Username etc., etc., none of which seem to make any difference.

Guys, you are my last hope of cracking this, any help is much appreciated.


Regards

The GTG.
Old 11-02-2010, 09:30 AM   #2 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,564
Post Thanks: 256
Thanked 260 Times in 246 Posts
Default

If I set this setting back to False, the BB users get a '401 not Authorised' error back from the SmoothWall.

Did you add in BESAdmin for allowed connections?
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10
Old 11-02-2010, 10:29 AM   #3 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 

Thanks for the reply,

Add in BESAdmin where? On the SmoothWall or on the BES?
And if on the BES, where?

GTG
Old 11-02-2010, 10:35 AM   #4 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 

on the smooth wall
Old 11-02-2010, 11:00 AM   #5 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 

The SmoothWall is linked to AD, so any user logged in to the AD is automatically Authenticated by the SmoothWall. If I start IE on the BES and browse the Internet, the SmoothWall allows access without prompt for username and password. It's only when the BB Users try to use the proxy that the problem happens. I can also login using the BESAdmin account on another PC/Server and get onto the Internet without problem.

I think that I need a way of passing a generic AD user account (such as BBProxyUser) to the SmoothWall from the BES to be used as a BB User Authorisation.

Regards


The GTG
Old 11-02-2010, 11:56 AM   #6 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 

if you remove the proxy info from BES, can users surf?
Old 11-02-2010, 12:22 PM   #7 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 

'Fraid not! With no Proxy configured, users get prompted by the SmoothWall to Login to the SSL login page.
This is different from the login request when using the http 'Support HTTP Authentication' setting.

GTG
Old 11-03-2010, 06:44 AM   #8 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 

Hi Guys,

Has anyone got any more things I could check please?

GTG
Old 11-03-2010, 08:39 AM   #9 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 

Is it possible to allow traffic based on IP of BES with Smoothwall?
Old 11-03-2010, 10:19 AM   #10 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 

That's a thought! I'll try and set up an IP exception, also found out that I can save a username and password on the BB Handset, so looking at that option as well. Thanks for the input.


GTG
Old 11-04-2010, 05:48 PM   #11 (permalink)
BlackBerry Extraordinaire
 
noname's Avatar
 
Join Date: Sep 2005
Location: Congested Islet of "Foreign Talents" (> 45% of workforce) - Singapore.
Model: Z10
OS: 10.0.0
PIN: NUKE(PAP)
Carrier: Singtel
Posts: 1,504
Post Thanks: 6
Thanked 9 Times in 9 Posts
Default

If you do not want users to be prompted for credentials, you lose the ability to track who goes to which web sites.

You can configure to authenticate to a proxy server on behalf of BlackBerry devices, but you will have to set up a generic account for that purpose. However, you will not be able to track anybody if your management asks you to find out who went to this web site from the BlackBerry.

Captured right from the Admin Guide for BES 4.1.6:-

<snip>
Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices

You can configure the BlackBerry® MDS Connection Service, BlackBerry MDS Integration Service, or BlackBerry Collaboration Service to authenticate to a proxy server on behalf of BlackBerry devices.

1. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server component.
2. On the appropriate tab, click Edit Properties.
3. In the left pane, click Proxy.
4. Double-click Proxy Mappings.
5. Click a URL.
6. Click Properties.
7. In the User Name field, type the user name that the BlackBerry Enterprise Server component can use to connect to the proxy server that is defined for the web address.
8. In the Password field, type the password for the user name.
9. In the Password (Confirmation) field, retype the password.
10. Click OK.
</snip>
__________________
Native but 4th class citizen of a nation governed by idiots who import congestions & contention.
Old 11-05-2010, 05:47 AM   #12 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 

Thanks for the reply noname,

Checked my setting on the BES and I have all the above setup, I have tried using an AD Username and entering that in the format DOMAIN\Username, and just plain Username. Neither worked. I also created a local username on the SmoothWall and tried using that as well, this also did not work.

I must be missing something here, I have tried changing the settings for http and https on the BES proxy settings, and changed from proxy, direct, auto etc.

Whatever I put in the proxy settings just does not seem to get passed to the SmoothWall, or is not understood. If I log on elsewhere on the network with the AD username I created, I can browse no problem.

I'm really not bothered about logging the browser activity on the BB Handsets right now, so a generic Username would be ideal. Just can't get it to work - Doh!

Regards and going slowly insane


GTG
Old 11-06-2010, 04:21 AM   #13 (permalink)
BlackBerry Extraordinaire
 
noname's Avatar
 

Assuming that you have:-

(1) Set Support HTTP Authentication to True.
(2) Configure as per "Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices"
(3) Restarted the MDS-CS service.
(4) Delete and undelete the Desktop [IPPP] service book on the device.

Let's try accessing an internal and an external site and then let's check the SmoothWall side of the logs. Look closely at errors/exceptions logged from the BES IP address... hopefully there are some errors that we can consult SmoothWall Technical Support. BTW, have you asked SmoothWall Technical Support if they support BES at all?

May be good starting to study their KB site:-
https://support.smoothwall.net/index...2&pcid=0&nav=0

Last edited by noname : 11-06-2010 at 04:27 AM. Reason: Add SmoothWall KBase.
Old 11-06-2010, 04:33 AM   #14 (permalink)
BlackBerry Extraordinaire
 
noname's Avatar
 

By the way, are you using NTLMv2? Take a look at the Workaround section in the link below. It's for BES 5.0 but see if you can improvise.

KB20879 - "Authentication Failed" or "401 - Access Denied" error appears when BlackBerry MDS cannot authenticate via NT LAN Manager v2 because a domain name was not specified by a client
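For the NTLMv2 question above, one way to see whether the credential the BES sends actually carries a domain name is to decode the NTLM Type 3 (AUTHENTICATE) message from a captured Proxy-Authorization header. This is an added example, not code from the thread, BlackBerry or SmoothWall; the captured header, the sample values (EXAMPLE, BES01) and all function names are assumptions.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001


def _buf(msg, pos):
    """Return the bytes of the (len, maxlen, offset) security buffer at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def inspect_proxy_auth(header_value):
    """Decode the 'NTLM <base64>' value of a captured Proxy-Authorization header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected AUTHENTICATE (type 3), got type {msg_type}")
    flags, = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # cp437: assumed OEM page
    nt_len = len(_buf(msg, 20))
    domain = _buf(msg, 28).decode(enc)
    return {
        "domain": domain,
        "user": _buf(msg, 36).decode(enc),
        "workstation": _buf(msg, 44).decode(enc),
        # NTLMv1 NT response is exactly 24 bytes; an NTLMv2 response is longer.
        "ntlm_version": 1 if nt_len == 24 else 2 if nt_len > 24 else None,
        "domain_missing": domain == "",
    }


def build_sample(domain, user, nt_len):
    """Constructed Type 3 message with all-zero responses (test input only)."""
    parts = [bytes(24), bytes(nt_len), domain.encode("utf-16-le"),
             user.encode("utf-16-le"), "BES01".encode("utf-16-le"), b""]
    header, payload = NTLMSSP_SIG + struct.pack("<I", 3), b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    msg = header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")
```

A result with `ntlm_version` 2 and `domain_missing` True matches the condition named in the KB title; the decoded message contains only response hashes, not the password.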
Old 11-15-2010, 08:14 AM   #15 (permalink)
BlackBerry Extraordinaire
 
noname's Avatar
 

Any update? Issue resolved?
Old 11-17-2010, 09:08 AM   #16 (permalink)
New Member
 
Gaptoothedgypsy's Avatar
 

Hi noname,

Sorry for the delay in replying. I now have a reasonable fix. As I could not get the auth to work at all with any of the suggested work-arounds or suggestions, I got the SmoothWall support guys to write a small cron job for the SmoothWall Appliance which logs in a generic username (BBProxyUser) for the BES IP address. This then allows traffic from the BES to route through the SmoothWall.

I just could not get the BES to supply Auth credentials automatically, no matter what I tried. But Hey Ho! Web Access now works, now I have to get the Apps working!!!!

GTG