Outlook Web Access & Other Sites Secured with NTLM

Summary

Web sites that require NTLM authentication do not pass through SecureSchool’s proxy server.  This is because NTLM requires a challenge-response process that the proxy does not pass.  The only solution to this problem is to bypass the proxy in SecureSchool and connect to the target server directly.

Note: If you’re going to an internal server and having issues, you should already be bypassing the proxy for local addresses…so your problem is probably with the server.  Local/internal connections should not be going through SecureSchool.

Solution #1: Fix the server to not use NTLM authentication

The best solution to this problem is to change the server to not use NTLM authentication.  This is possible if the server in question is your own server, but not always possible if it’s someone else’s server.  However, since this is the best solution, we’ll start with it.  To change the authentication type on Outlook Web Access (or any other website hosted by you…just extrapolate the right thing to do from the directions) to not be NTLM:

  1. Login to the server and open the IIS Manager
  2. Find the virtual host that contains the Exchange virtual folders (this is usually the “Default Web Site”)
  3. Right click on the virtual host, and click on “Properties”
  4. Go to the “Directory Security” tab
  5. Click on the “Edit” button under “Anonymous access and authentication control”
  6. Check the box for “Basic authentication” then click on the “Edit…” button
  7. In the “domain name” field, type in the name of your domain, then click “OK”
  8. Click “OK” to accept the changes in the authentication method
  9. Click “OK” to close the Virtual Host properties

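In some situations you may need to restart IIS in order for the changes to take effect.  If you restart IIS, make sure that all of your Exchange processes are running after the IIS reset is complete.  Note that Basic authentication sends the username and password base64-encoded rather than encrypted, so the site should only be reachable over HTTPS.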
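
To confirm what a server offers before and after the change above, look at the scheme names in the `WWW-Authenticate` headers of its 401 response. The following Python is an added example, not part of the original article: the sample responses are constructed, the function names are this example's own, and it assumes one challenge per `WWW-Authenticate` header line.

```python
# Added example: classify the HTTP auth schemes a server offers in a 401 response.
# Assumes one challenge per WWW-Authenticate header line.

# Negotiate (SPNEGO) can fall back to NTLM, so treat both as NTLM-capable.
NTLM_CAPABLE = {"ntlm", "negotiate"}

# Constructed sample response heads (not captured traffic).
NTLM_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Negotiate\r\n"
             "WWW-Authenticate: NTLM\r\n"
             "Content-Length: 0\r\n\r\n")
MIXED = ("HTTP/1.1 401 Unauthorized\r\n"
         "WWW-Authenticate: Negotiate\r\n"
         "WWW-Authenticate: NTLM\r\n"
         'WWW-Authenticate: Basic realm="mydomain"\r\n'
         "Content-Length: 0\r\n\r\n")
BASIC_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Basic realm="mydomain"\r\n'
              "Content-Length: 0\r\n\r\n")


def offered_schemes(raw_head):
    """Return (status_code, [lowercased scheme names]) from a raw response head."""
    lines = raw_head.splitlines()
    parts = lines[0].split(None, 2) if lines else []
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP response head")
    schemes = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return int(parts[1]), schemes


def classify(status, schemes):
    """Summarise what the server offers for the proxy question."""
    if status != 401 or not schemes:
        return "no-http-auth"
    ntlm = any(s in NTLM_CAPABLE for s in schemes)
    basic = "basic" in schemes
    if ntlm and basic:
        return "mixed"        # a client may still pick NTLM over Basic
    if ntlm:
        return "ntlm-only"    # only the NTLM handshake is available
    return "basic-only" if basic else "other"


if __name__ == "__main__":
    for label, head in (("ntlm", NTLM_ONLY), ("mixed", MIXED), ("basic", BASIC_ONLY)):
        print(label, classify(*offered_schemes(head)))
```

A "mixed" result after the change means the server still offers NTLM alongside Basic.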

Solution #2: Bypass SecureSchool for all hits to the server

If the server is off your network and you do not control it, then you have no choice but to bypass the SecureSchool proxy when using the site.  This means that your computer will be directly connecting to the server, and no controls or logging will be put in place by SecureSchool for that site.

First, add a proxy exception for the URL to bypass the proxy on your workstation for the website.  The browser’s proxy exception matches whatever goes in the URL line.  So if you add “10.0.0.1” as an exception, but people use “mail.mydomain.com” to access the site, it will not work…you have to use “mail.mydomain.com”.  This is how to make the changes in Internet Explorer on one workstation.  If you want to do this in your Group Policies, see [this article no longer exists].

  1. In Internet Explorer, go to “Tools” -> “Internet Options”
  2. Click on the “Connections” tab
  3. Click on the “LAN Settings” button
  4. Click on the “Advanced” button next to the proxy information
  5. Towards the bottom of the box, there is a box for Exceptions.  Enter only the domain/hostname part of the address that the user is trying to go to (see example above).  If you already have entries in the list, separate entries with a semicolon (;).
  6. Click all of the “OK” buttons to close out of the dialog boxes.

Next, you need to make a firewall rule in SecureSchool to allow the workstation to connect directly.  First, you need to determine the IP address of the server you want to connect to.  The best way to do this is to go to a command prompt on a workstation and type “ping www.site.com”.  Even if the pings time out, you should still get the IP address it’s trying to ping.  If ping returns something like “Cannot resolve host”, then you have DNS problems you have to resolve first.  See Setting up DNS Forwarders in Windows or Setting Up DNS Forwarders on OS X for help.

Once you have the IP address, you have everything you need to make the rule. Login to SecureSchool, then:

  1. Go to “Firewall Rules” -> “Protocol Rules” -> “Add A Rule”
    • Rule Name: Use a descriptive name
    • Log Packets: None
    • Type: Allow
    • Protocol: All
    • Direction: From Inside
    • Source Address: 0.0.0.0/0 (or whoever you want to access the site)
    • Source Port: Leave blank
    • Destination Address: The IP address you got using ping
    • Destination Port: leave blank
  2. Click on “Submit”
  3. Click on “Commit Changes”
  4. Click on “Restart”

The site should now work correctly.


K12USA.com ©1999-2025