NTLM Proxy Mode

In LoadMaster firmware version Long Term Support (LTS) and 7.2.53, a new NTLM Proxy Mode option was added to the LoadMaster. When upgrading from an older version of LoadMaster firmware to one of these versions (or above), the NTLM Proxy Mode option is not enabled by default. As a result, you must manually enable NTLM Proxy Mode after upgrading.

For all new deployments of LoadMasters after LTS or 7.2.53, NTLM Proxy Mode is enabled by default.

When NTLM Proxy Mode is enabled, NTLM authorization works against the Real Servers. If NTLM Proxy Mode is disabled, the old insecure NTLM processing is performed.

Kemp highly recommends ensuring that NTLM Proxy Mode is enabled.

To ensure NTLM Proxy Mode is enabled, follow these steps in the LoadMaster Web User Interface (WUI):

1. In the main menu, go to System Configuration > Miscellaneous Options > L7 Configuration.

2. Ensure NTLM Proxy Mode is enabled.

When NTLM Proxy Mode is enabled globally, the Client Authentication Mode in Virtual Services is called NTLM-Proxy. If NTLM Proxy Mode is disabled globally, the Client Authentication Mode in Virtual Services is called NTLM.

For further details on NTLM in general, refer to the NTLM Feature Description.



David Seekins

Duplicating the Client SSO Configuration didn't make any difference.




David Seekins

One difference that I have discovered at this version is that it no longer considers local real servers to be local. All the real servers are accessed via the internal network eth1 but are on a different LAN at the other side of the internal firewall. That is, Kemp is deployed to the DMZ.

Could this be affecting the LDAP Proxy behaviour?




Nick Smylie

Hi David Seekins

I see you have an open ticket with our support team and these comments looked to be part of that. I am going to attach them to that case for visibility.