
Why is the Integrated Authentication feature disabled in GFI WebMonitor?

The information in this article applies to:
GFI WebMonitor 2009 (Standalone Proxy Version)
GFI WebMonitor 2011 (Standalone Proxy Version)

Article ID: KBID003666
Query keywords:

Issue Encountered
The Integrated Authentication option is disabled in the GFI WebMonitor configuration.

More Information
The Integrated Authentication feature is disabled within the GFI WebMonitor configuration when the computer security policy has been configured to authenticate as guest.

Resolution
Perform the following procedure to modify the Network Access policy so local users authenticate as themselves.

Configure network access manually
To configure each machine manually, perform the following procedure:
1. Click 'Start' > 'Control Panel' > 'Administrative Tools' > 'Local Security Policy'
2. From the left panel expand 'Security Settings' > 'Local Policies' > 'Security Options'
3. Right click 'Network access: Sharing and security model for local accounts' from the right panel and click 'Properties'
4. Make sure that in the 'Local Security Setting' tab, 'Classic - local users authenticate as themselves' is selected.
5. Click 'Apply' and 'OK'
6. Close Local Security Settings.

Configure network access using GPO in Microsoft Windows 2003 server
To configure Network access policy through Microsoft Windows 2003 Group Policy, perform the following procedure:
1. Click 'Start' > 'All Programs' > 'Administrative Tools' > 'Active Directory Users and Computers', on the DNS server
2. Right click the domain and click 'Properties'
3. Select the 'Group Policy' tab in the 'Domain Properties' dialog
4. Select 'Default Domain Policy' from the list, and click 'Edit'
5. Expand 'Computer Configuration' > 'Security Settings' > 'Local Policies' and click 'Security Options'
6. Right click 'Network access: Sharing and security model for local accounts' from the right panel, and click 'Properties'
7. In the 'Security Policy Settings' tab, select 'Define this policy setting' and make sure that 'Classic - local users authenticate as themselves' is selected.
8. Click 'OK' and close all opened windows

Configure network access using GPO in Microsoft Windows 2008 server
To configure Network access policy through Microsoft Windows 2008 Group Policy, perform the following procedure:
1. Type 'mmc.exe' in command prompt and press 'Enter'
2. In the Console Root window click 'File' > 'Add/Remove Snap-in...' to open the Add or Remove snap-ins window
3. Select 'Group Policy Management' from the 'Available snap-ins' list, and click 'Add'
4. Click 'OK'
5. Expand 'Group Policy Management' > 'Forest' > 'Domains' and click the Domain
6. Right click 'Default Domain Policy' and click 'Edit'. This opens the 'Group Policy Management Editor'
7. Expand 'Computer Configuration' > 'Policies' > 'Windows Settings' > 'Security Settings' > 'Local Policies' and click 'Security Options'
8. Right click 'Network access: Sharing and security model for local accounts' from the right panel and click 'Properties'
9. In the 'Security Policy Setting' tab, click 'Define this policy setting' and make sure that 'Classic - local users authenticate as themselves' is selected
10. Click 'OK' to apply changes.
11. Close 'Group Policy Management Editor' and save the management console created.

When clients connect to the internet they keep getting asked to authenticate

The information in this article applies to:
GFI WebMonitor 2009 (Standalone Proxy Version)
GFI WebMonitor 2009 for ISA/TMG
GFI WebMonitor 2011 (Standalone Proxy Version)
GFI WebMonitor 2011 for ISA/TMG

Article ID: KBID003833
Query keywords: authenticate

Issue Encountered:
When a client attempts to browse the Internet using an Internet Browser, the proxy server constantly asks the client to authenticate. Why?

More Information:
If you have enabled Basic authentication on your ISA/TMG server or the GFI WebMonitor Standalone Proxy, every new request will require authentication. It is recommended to use Integrated Authentication, since this will not require the user to enter their credentials when accessing the internet.

Resolution:
Depending on which version of GFI WebMonitor you are running, perform the procedure below to enable Integrated Authentication:

GFI WebMonitor Standalone Proxy
The following procedure explains how to configure authentication in GFI WebMonitor Standalone Proxy:
1. Open the GFI WebMonitor configuration
2. Expand the Configuration node and click on Proxy Settings
3. Under the Authentication method section, select Integrated authentication and click on the 'Save Changes' button.

GFI WebMonitor for ISA/TMG
When using GFI WebMonitor for ISA/TMG, Integrated Authentication needs to be enabled from the Microsoft ISA/TMG configuration. To enable Microsoft ISA server authentication, the following steps need to be done:

On Microsoft Forefront TMG 2010:
1. Open the Microsoft Forefront TMG Management console.
2. Click on the Networking node in the left pane and select the Networks tab in the right pane.
3. Right click on the Internal network and select Properties
4. Select the Web Proxy tab and click on the Authentication button.
5. Select the 'Integrated' checkbox.
6. Click OK to save changes.
7. Repeat the same procedure for Local Host in the Networks Tab.

On Microsoft ISA 2006:
1. Open the Microsoft ISA Server Management.
2. Go to Configuration -> Networks.
3. In the Networks Tab, Right Click on 'Internal' -> Properties.
4. Go to the Web Proxy tab and click on 'Authentication...'
5. Select the 'Integrated' checkbox.
6. Repeat the same procedure for Local Host in the Networks Tab.
7. Apply the changes.

On Microsoft ISA 2004:
1. Open the Microsoft ISA Server Management.
2. Go to Configuration -> Networks.
3. In the Networks Tab, Right Click on 'Internal' -> Properties.
4. Go to the Web Proxy tab and click on 'Authentication...'
5. Select the 'Integrated' checkbox.
6. Repeat the same procedure for Local Host in the Networks Tab.
7. Apply the changes.

Mozilla Firefox keeps asking for credentials repeatedly

The information in this article applies to:
GFI WebMonitor 2009 (Standalone Proxy Version)
GFI WebMonitor 2011 (Standalone Proxy Version)

Article ID: KBID001782
Query keywords: Firefox

Issue Encountered
GFI WebMonitor is installed on Microsoft Windows 2008 and is configured to use integrated authentication. Mozilla Firefox browser keeps asking for credentials repeatedly when installed on Microsoft Windows 7.

More Information
On Microsoft Windows 2008, the default setting for the LAN Manager authentication level security policy is "Send NTLMv2 response only", and on Microsoft Windows 7 the default is to have this policy not defined. This causes the workstation and server computers to negotiate usage of NTLMv2 for authentication. Support for NTLMv2 in Mozilla Firefox is flaky or non-existent, causing the observed behaviour.

Resolution:
If you're using Mozilla Firefox in such an environment and you're observing the above behavior, you need to do one of the following:
- Make use of hostname rather than IP when configuring the proxy settings in the browser. If you are using the WPAD option in GFI WebMonitor, you should select 'Publish the host name of the GFI WebMonitor proxy in WPAD' in the Network Configuration section of the GFI WebMonitor Proxy Settings node.
- Ensure that both the GFI WebMonitor server and workstations use a common authentication mechanism. Such a change can be applied on either the GFI WebMonitor server or the client machines.

GFI WebMonitor server
If you wish to change the GFI WebMonitor server authentication mechanism, perform the following procedure:
1. Click 'Start' > 'Administrative Tools' > 'Local Security Policy'
2. Expand 'Local Policies' and select 'Security Options'
3. Right click on 'Network Security: LAN Manager authentication level' from the right panel and click 'Properties'
4. Select the 'Local Security Setting' tab in the Network Security: LAN Manager authentication level Properties dialog
5. Select 'Send LM & NTLM - use NTLMv2 session security if negotiated' from the Network security drop-down list
6. Click 'Apply' and 'OK'
7. Close Local Security Policy dialog

Workstations
Should you wish not to update the GFI WebMonitor server authentication mechanism, you can update the authentication mechanism of your workstations. Set the "Network security: LAN Manager authentication level" policy to "Send LM & NTLM - use NTLMv2 session security if negotiated" on your workstations. If your workstations are joined to an Active Directory domain, you can do this centrally via domain security policy.
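The two security policies named in the articles above ('Network access: Sharing and security model for local accounts' and 'Network security: LAN Manager authentication level') can be read from a script to confirm what a server or workstation is actually using before and after a change. This is an added example, not GFI's code: the function names are hypothetical, and it assumes the registry values ForceGuest and LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which are the values behind those two policies and are not mentioned on the page.

```powershell
# Added example: report the registry values behind the two policies discussed above.
# ForceGuest and LmCompatibilityLevel are the backing values; they are not named on the page.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LmLevelNames = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

function Get-LsaValue {
    param([string]$Name)
    # Returns $null when the value is absent, i.e. the policy is not defined.
    return (Get-Item -Path $LsaPath -ErrorAction Stop).GetValue($Name, $null)
}

function Get-WebMonitorAuthPolicy {
    param(
        # Defaults read the live registry; pass values explicitly to check the mapping.
        $ForceGuest = (Get-LsaValue 'ForceGuest'),
        $LmLevel    = (Get-LsaValue 'LmCompatibilityLevel')
    )
    if     ($null -eq $ForceGuest) { $sharing = 'Not defined' }
    elseif ($ForceGuest -eq 0)     { $sharing = 'Classic - local users authenticate as themselves' }
    else                           { $sharing = 'Guest only - local users authenticate as Guest' }

    if     ($null -eq $LmLevel)                 { $lmName = 'Not defined (operating system default applies)' }
    elseif ($LmLevel -ge 0 -and $LmLevel -le 5) { $lmName = $LmLevelNames[[int]$LmLevel] }
    else                                        { $lmName = "Unexpected value $LmLevel" }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SharingModel         = $sharing
        GuestOnly            = ($ForceGuest -eq 1)   # condition the first article ties to the disabled option
        LmCompatibilityLevel = $LmLevel
        LmPolicy             = $lmName
        SendsLmOrNtlm        = ($null -ne $LmLevel -and $LmLevel -lt 3)
    }
}

# Live check on the local machine (Windows only).
Get-WebMonitorAuthPolicy | Format-List
# Constructed values: guest-only sharing model with the level the third article selects.
Get-WebMonitorAuthPolicy -ForceGuest 1 -LmLevel 1 | Format-List
```

A level below 3 means the machine still sends LM or NTLM responses rather than NTLMv2 only, so the output also serves as a record of which hosts were lowered to work around the Firefox behaviour.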

Internet Explorer is unable to retrieve my new wpad.dat configuration

The information in this article applies to:
GFI WebMonitor 2009 (Standalone Proxy Version)
GFI WebMonitor 2011 (Standalone Proxy Version)

Article ID: KBID003672
Query keywords: WPAD

Issue Encountered:
I have updated my wpad.dat settings, however Internet Explorer is not retrieving my new proxy settings.

More Information:
Microsoft Internet Explorer has cached the wpad.dat file and users are retrieving old settings.

Resolution:
This issue can be resolved by performing either of the following procedures:
- Re-configure Microsoft Internet Explorer to automatically detect settings
- Use the Autoproxutil tool to force Microsoft Internet Explorer to send a DHCP Inform the next time it is launched

Re-configure Microsoft Internet Explorer to automatically detect settings
Perform the following procedure to re-configure Microsoft Internet Explorer to automatically detect settings.
Note: This procedure is recommended if only a few computers are affected.
1. Open Microsoft Windows Explorer
2. Click on 'Tools' and select 'Internet Options'
3. Click on the 'Connections' tab and click on the 'LAN Settings' button
4. Uncheck the option 'Automatically detect settings'
5. Click 'OK' to save changes, and 'OK' again to close Internet Options
6. Restart Microsoft Internet Explorer
7. Once Microsoft Internet Explorer has started, click on 'Tools' and select 'Internet Options' once again.
8. Select the 'Connections' tab and click on the 'LAN Settings' button
9. Now check the option 'Automatically detect settings' to obtain the new wpad.dat file.
10. Click 'OK' to save changes, and 'OK' again to close Internet Options
Microsoft Internet Explorer will now download the new wpad.dat file.

Use the Autoproxutil tool to force Microsoft Internet Explorer to send a DHCP Inform the next time it is launched
Using the Autoproxutil tool, you can force Microsoft Internet Explorer to send a DHCP Inform the next time it is launched, and get the wpad.dat file. You can download the Autoproxutil tool from here. Once the download is complete, extract the Autoproxutil tool from the zip file and perform the following procedure:
1. Open command prompt
2. Browse to the directory where 'autoproxutil.exe' is located
3. Run the following command:
   Autoproxutil /f:3

If you have a large number of computers affected by this issue, it is recommended to create a logon script which will execute the Autoproxutil tool when the user logs on to the computer. Further information on how to create a logon script can be found at: http://technet.microsoft.com/en-us/library/cc758918%28WS.10%29.aspx
