After initially working correctly, your users start receiving a browser popup requesting their credentials, but those credentials are not accepted.
When all 4 proxy ports 8080-8083 are configured, the SWG will assign a proxy instance per port. However, if all traffic is being sent to only one of the active ports, it can overload the NTLM 407 proxy authentication system for the instance active on that port.
Alternatively, certain client programs that are not proxy-aware are known to exacerbate this issue by bombarding the gateway with several thousand uncompleted authentication requests per minute.
The problem can be temporarily remediated by disabling and re-enabling LDAP in the SWG interface.
Reduce the number of active proxy instances on the SWG to only one running on port 8080. The SWG will automatically load balance all 4 proxy instances on this port if no other ports are configured.
Spread the browser proxy connection settings over all 4 proxy instances on ports 8080-8083 by using separate GPO policies or using a PAC file to randomize the port used.
In addition, two separate defects that relate to these symptoms have been logged:
2815310 - SWG user connections fail with swg "ntlmauthenticators exhausted" error in cache logs for proxy mode. Seen on 220.127.116.11 and once on 5.0.3.
2831549 - SWG user connections fail with swg "WARNING: swg_url_helper #1 (FD 27) exited" error in cache logs for proxy mode. Seen after upgrade to 5.0.3.
A single patch to the auth_policy and swg_url_helper binaries is in QA at this time, due on the 10th of July 2012. This patch will also include configuration modifications to increase the number of helper modules available.
Imported Document ID: TECH190999