Outlook 2003 Service Pack 2 includes several patches that stop Outlook from sending the user's NTLM credentials when it fetches external links or images. In a transparent proxy deployment (the proxy is inline, or client requests are redirected to it via WCCP or a Layer 4 switch) that uses IWA authentication against a Windows Active Directory domain, the proxy relies on the client (Outlook in this case) sending those credentials with its requests. The patches restrict Outlook's ability to do so, so the proxy cannot authenticate Outlook's requests for external content.
If you cannot upgrade or patch the client workstations and need a workaround on the proxy, you can use one of the following approaches:
- Starting with Outlook 2010, requests are sent with a User-Agent string that contains the word 'Outlook'. You can configure a rule on a Web Authentication layer in the ProxySG policy that bypasses authentication for requests whose User-Agent contains Outlook (no quotes). For the steps to set up such a policy, see 000010128 and follow the section "Bypassing authentication when the user-agent is not predefined (in VPM)". If your default policy is DENY, or you otherwise block unauthenticated users, you will also need a rule on a Web Access layer that allows the 'Outlook' User-Agent in the same manner. Note that the User-Agent header is entirely client-controlled, so this rule lets any client that sends a matching User-Agent reach the web without authenticating; keep the rule as narrow as your environment allows and review the logs for unexpected use of it.
- Configure origin-IP-redirect as the authentication mode for transparent proxy authentication. With this mode, users must first authenticate in a web browser before Outlook 2003 can load email that contains externally sourced content. The proxy then keeps an IP-address surrogate for the user, which remains valid for the surrogate refresh time set in the ProxySG management console under Authentication > IWA > IWA General. Because the surrogate is keyed on the client IP address, every user behind a shared address (a terminal server or NAT gateway, for example) inherits the first authenticated user's identity for the lifetime of the surrogate.
- Deploying the proxy in explicit mode is another workaround: an explicit proxy challenges the client with its own proxy authentication (HTTP 407) rather than relying on the client answering a challenge that appears to come from the external origin server, which is the case the Outlook patches restrict.
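The following CPL fragment is an added example, not policy from this article or from Blue Coat, showing how the first two workarounds above fit together: a Web Authentication layer that skips authentication for the Outlook User-Agent and uses origin-IP-redirect for everyone else, plus a Web Access layer that allows the unauthenticated Outlook requests when the default policy is DENY. The realm name `MyIWARealm` is an assumption, and the CPL syntax should be checked against the CPL reference for the SGOS release in use before installing it.

```cpl
; Added example: equivalent of the VPM rules described above.
; Assumes an IWA realm named "MyIWARealm" (hypothetical name).

; Web Authentication layer
<Proxy>
    ; Outlook 2003 SP2 will not send NTLM credentials, so do not ask for them.
    ; The User-Agent header is client-controlled: any client that sends
    ; "Outlook" in its User-Agent also skips authentication under this rule.
    request.header.User-Agent="Outlook" authenticate(no)
    ; Everyone else: IWA with an IP surrogate (the origin-IP-redirect mode).
    authenticate(MyIWARealm) authenticate.mode(origin-ip-redirect)

; Web Access layer (needed only if the default policy is DENY or
; unauthenticated users are otherwise blocked)
<Proxy>
    request.header.User-Agent="Outlook" allow
```

In CPL, `request.header.User-Agent="Outlook"` is a regular-expression match, so it matches any User-Agent that contains the string, which is the same behaviour as the VPM "contains" test referenced above. If only some destinations are ever fetched by Outlook, adding a destination condition to both rules narrows the unauthenticated path.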
Because this is a client-side issue, Blue Coat strongly recommends addressing it on the client.
First, Windows XP Hotfix 895948 must be installed on the client workstation. This hotfix is no longer available separately from Microsoft's support site because it is included in Windows XP Service Pack 3. Once the hotfix is installed, a registry edit is also required. Contact Microsoft support at +1-800-936-4900 and request assistance with Hotfix 895948 to apply the registry modifications.