I am working for a client, and they have recently rolled out Windows 7 64-bit machines, with IE 10 on them (IE 11 is not yet an option due to incompatibility with Citrix Receiver 3.4 PNAgent and Mcafee VSE).
The proxy in use here is a Clearswift web gateway appliance (linux) using NTLM authentication to the proxy. This then forwards requests to our ISA 2006 server.
We have two sites, Site A and Site B. Each site has it own subnet, and it's own Clearswift web gateway.
We also have 4 remote locations, with their own subnet, but not separate site as far as AD sites and services are concerned. All these remote location's subnets fall into Site A. We have leased WAN lines to interconnect all these locations, with Bluecoat WAN accelerator at the remote locations.
Internet works fine at either site A or B. The problem arises at ALL the remote locations ONLY WHEN using the Windows 7 machines with IE 10. Users always get a popup box asking for authentication to the Clearswift proxy. This does not occur at Site A or Site B. And it does NOT occur on the old Windows XP machines with IE 8 at the remote locations. And it also DOES NOT occur with firefox at the remote locations. I have tested with IE11 and the problem still exists.
So in short, if the following happen:
1. Windows 7 PC with IE10/11
2. Remote location, NOT site A or site B
3.Attempt to browse internet via IE10, using Clearswift web gateway as proxy
You will always get the authentication pop up box, unless you:
1. Use firefox
2. Use the ISA 2006 as proxy instead, skipping the Clearswift web gateway
The Clearswift web gateway is in use due to company policy that wishes to block inappropriate material. And firefox is not deployed to local machines again as part of company policy, none of which I am either allowed to change or even paid to.
I have opened a support call with Clearswift but I doubt I will get anywhere.
I can confirm that the Clearswift web gateway (which is just a linux appliance running on vmware) uses NTLM authentication.
The only thing I have found is this:
https://support.microsoft.com/kb/976918?wa=wsignin1.0
Which I have tried to no avail.
The only other variable that has not been accounted for is the Bluecoat SG210 WAN Accelerator at each of these remote locations. The two remaining tests for me to do are:
1. Bypass the WAN accelerator
2. Turn off the need for authentication on the clearswift web gateway
I would be keen to know if anyone else has had similar issues.
