Connection Binding and Microsoft's NTLM Authentication Protocol
The DX appliance improves application server capacity by multiplexing requests over a few persistent connections to the server farm, conserving the target servers' resources. In some environments, however, a connection from the user must be bound to the target server rather than allowing user requests to be sent over an arbitrary connection to that server. Without such binding, multiplexing could allow an authenticated connection to be reused by unauthorized users, violating the security policy.
Environments that use the NT LAN Manager protocol (NTLM) for authentication to Microsoft Proxy Servers require connection binding. NTLM is a proprietary protocol that authenticates connections rather than users or requests. Therefore, multiplexing of connections to the target server must be disabled to avoid violating the NTLM authentication scheme.
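To make the point concrete, the following added example (not from the Juniper manual, and not DX appliance code) models a server that, like NTLM, authenticates the connection rather than the request, and a proxy that either multiplexes requests over a shared pool or binds each client to its own server connection. Client addresses, user names and paths are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ServerConnection:
    conn_id: int
    authenticated_user: Optional[str] = None  # NTLM state is per connection, not per request

class NtlmServer:
    """Models a server that, like NTLM, authenticates a connection once and then trusts it."""
    def handle(self, conn: ServerConnection, user: Optional[str], path: str) -> Tuple[int, str]:
        if user is not None:              # constructed shorthand for a completed NTLM handshake
            conn.authenticated_user = user
        if conn.authenticated_user is None:
            return 401, "NTLM challenge"
        return 200, f"{path} served as {conn.authenticated_user}"

class Proxy:
    """Client-to-server proxy; connbind=True binds each client to its own server connection."""
    def __init__(self, server: NtlmServer, connbind: bool) -> None:
        self.server = server
        self.connbind = connbind
        self.pool: List[ServerConnection] = [ServerConnection(1), ServerConnection(2)]
        self.bound: Dict[str, ServerConnection] = {}

    def pick_connection(self, client_ip: str) -> ServerConnection:
        if self.connbind:
            # Bound mode: a client only ever reuses the connection it authenticated on
            if client_ip not in self.bound:
                self.bound[client_ip] = ServerConnection(100 + len(self.bound))
            return self.bound[client_ip]
        # Multiplexed mode: any idle pooled connection; with sequential requests that is pool[0]
        return self.pool[0]

    def request(self, client_ip: str, user: Optional[str], path: str) -> Tuple[int, str]:
        return self.server.handle(self.pick_connection(client_ip), user, path)

def second_client_result(connbind: bool) -> Tuple[int, str]:
    """alice authenticates from 10.0.0.1; an unauthenticated client at 10.0.0.2 then sends a request."""
    proxy = Proxy(NtlmServer(), connbind)
    proxy.request("10.0.0.1", "alice", "/home")         # constructed traffic: alice completes NTLM
    return proxy.request("10.0.0.2", None, "/payroll")  # second client presents no credentials

if __name__ == "__main__":
    print("multiplexed:", second_client_result(connbind=False))  # (200, '/payroll served as alice')
    print("connbind:   ", second_client_result(connbind=True))   # (401, 'NTLM challenge')
```

With multiplexing, the second client's request rides on the connection alice authenticated and is served under her identity; with binding, it lands on its own unauthenticated connection and receives the NTLM challenge.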
Configuring Connection Binding
The connection binding feature provides the option of binding a connection from a single client to a target server. Connection binding is off by default and can be enabled on a cluster-by-cluster basis.
1. To enable client-to-target-server connection binding, type:
   dx% set cluster <name> connbind enabled
In addition, you should configure the following for optimum performance.
2. Enable client IP-based client “stickiness” (refer to “Setting up the DX Appliance for “Sticky” Traffic” on page 155 for additional information).
3. Ensure that the web server keeps connections alive by setting a long connection time. The suggested value is five minutes or more.
4. Disable the following factory-set server settings:
   a. Disable the addition of an HTTP warning header by typing:
      dx% set server factory h w disabled
   b. Disable adding or appending to the HTTP Via header by typing:
      dx% set server factory h v disabled
   c. Close the connection to the target server when a 304 response is received by typing:
      dx% set server factory h tc3 disabled