NetScaler Does Not Honor Proxy-Connection Header on Builds 11.0.69.x Onwards

Article ID: CTX227603

Description

After upgrading from an older build to NetScaler 11.0.69.x or later, proxy NTLM authentication no longer works.
Note: This article addresses a specific use case. Review the "Environment" details and the "Packet-Flow" section carefully to confirm that it applies to your deployment.

Packet-Flow (Observations from trace analysis)

1. The requests to the VIP are HTTP/1.0, and each request is forwarded to the back-end as HTTP/1.0.
2. The back-end responses are HTTP/1.1 but are missing the "Connection" header and contain only the "Proxy-Connection" header.
3. NetScaler sends a FIN on the connection on which the NTLM challenge is received from the back-end, and does the same on the front-end connection when forwarding the NTLM challenge.
4. This forces the challenge response from the front-end to arrive on a new connection, which is in turn forwarded to the back-end on a new connection.
5. The back-end restarts NTLM authentication.

Environment

  • NetScaler version 11.0.69.x or higher.
  • NetScaler is used to load-balance proxy servers.
  • An LB VIP of type HTTP is bound to services (proxy servers) of type HTTP, and the user has the LB VIP IP configured as the proxy in the browser.
  • The proxy servers are configured for NTLM authentication; NetScaler does not participate in the authentication.

Resolution

Option 1: Use a TCP LB VIP bound to TCP services on the back-end proxy servers.

Option 2: To make NetScaler honor the Proxy-Connection header on builds 11.0.69.x onward, change the following nsapimgr knob:

i. Log in to the CLI.
ii. Type shell; the prompt changes to "#".
iii. Run the following command: nsapimgr_wr.sh -ys proxyconnection=1

Test again with the HTTP vserver and HTTP service. If the issue is resolved after making the above change, follow the steps below to make the setting persist across reboots:

i. From the shell prompt, navigate to /nsconfig.
ii. Check whether the rc.netscaler file exists. If it does, add the following line and save the file: nsapimgr_wr.sh -ys proxyconnection=1
iii. If the file does not exist, create the rc.netscaler file, add the following line, and save it: nsapimgr_wr.sh -ys proxyconnection=1

Problem Cause

NetScaler no longer supports the obsolete "Proxy-Connection" header on builds 11.0.69.x and higher. When an HTTP/1.1 back-end response that is associated with an HTTP/1.0 front-end connection carries no "Connection" header, NetScaler sends a FIN on both connections.

NTLM authentication fails as a result, because the NTLM challenge and response are supposed to flow on the same connection.
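
The check below is an added example, not part of the original article and not Citrix code. It parses a captured request/response pair and reports whether it shows the header pattern from the packet flow: an HTTP/1.0 request answered by an HTTP/1.1 response that carries an NTLM challenge with "Proxy-Connection" but no "Connection" header. The function names and sample messages are constructed for illustration, and the challenge is assumed to arrive in a Proxy-Authenticate or WWW-Authenticate header.

```python
# Added example: sample messages are constructed, not taken from a real trace.
REQUEST = ("GET http://intranet.example/ HTTP/1.0\r\n"
           "Host: intranet.example\r\n"
           "Proxy-Authorization: NTLM <type-1 token placeholder>\r\n\r\n")
RESPONSE_AFFECTED = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                     "Proxy-Authenticate: NTLM <type-2 token placeholder>\r\n"
                     "Proxy-Connection: Keep-Alive\r\n"
                     "Content-Length: 0\r\n\r\n")
# Same response, but the back-end also sends a Connection header.
RESPONSE_OK = RESPONSE_AFFECTED.replace(
    "Proxy-Connection: Keep-Alive\r\n",
    "Proxy-Connection: Keep-Alive\r\nConnection: Keep-Alive\r\n")


def parse_head(raw):
    """Return (start_line, {lowercased header name: [values]}) for a raw head."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def check_flow(request_raw, response_raw):
    """Report which packet-flow conditions from the article this pair meets."""
    req_line, _ = parse_head(request_raw)
    resp_line, resp = parse_head(response_raw)
    auth = resp.get("proxy-authenticate", []) + resp.get("www-authenticate", [])
    findings = {
        "request_is_http10": req_line.endswith("HTTP/1.0"),
        "response_is_http11": resp_line.startswith("HTTP/1.1"),
        "proxy_connection_present": "proxy-connection" in resp,
        "connection_missing": "connection" not in resp,
        "ntlm_challenge": any(v.split()[0].upper() == "NTLM" for v in auth if v),
    }
    # The article applies only when every condition holds at once.
    findings["matches_article"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for label, resp in (("affected", RESPONSE_AFFECTED), ("ok", RESPONSE_OK)):
        print(label, check_flow(REQUEST, resp))
```

Feed it the request and response heads exported from the trace for the back-end connection; a pair that does not match on every condition points to a different cause than the one this article covers.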
