Efficient allocation and utilization of network resources, such as available network bandwidth, has become critical as enterprises increase reliance on distributed computing environments and wide area computer networks to accomplish critical tasks. Indeed, web-based applications drive an ever-increasing portion of a business enterprise's activities and revenues. When productivity and profits depend on response times, the acceleration of web-based applications is an essential component to success.
Network-based applications, whether they take the form of on-line marketplaces, distance learning, enterprise resource planning (ERP), customer relationship management (CRM), or other critical applications, face significant performance hurdles. One significant obstacle to the performance of web-based applications is that a significant number of remote users access network resources at slow connection speeds (e.g., 56 Kbps). In addition, the growing need for secure network transactions places a significant strain on server resources, which adversely impacts response times. For example, applications requiring secure transactions using resource-intensive Secure Sockets Layer (SSL) technology sap web server resources, severely reducing the number of transactions a given web server can handle and increasing response times. In light of these considerations and others, application and content developers are often faced with the undesirable tradeoff between providing a rich user experience and acceptable performance.
In response, internet content or network application accelerators have been developed to speed the delivery of content to remote users. For example, the AppCelera™ ICX Internet content accelerator combines compression, conversion and caching techniques to optimize static and dynamic content to each remote user's connection speed and browser, as well as other aspects of the remote user's connection profile (e.g., network access device type and capabilities). Typically, such content accelerators are deployed in front of web or other network servers and in the communications path between such servers and remote users. These content accelerators essentially act as proxy servers performing such functions as connection multiplexing, reverse proxy caching, compression, etc. to optimize virtual end-to-end connections between servers and remote users. For example, in order to reduce overhead associated with establishing TCP connections, certain content accelerators maintain one or more persistent connections to the servers and pass requests from remote users over these connections to the servers.
Network servers often implement authentication functionality to secure and control access to data. For example, authentication mechanisms typically rely on a challenge-response authentication protocol to validate or authenticate remote users. It is desirable for network application accelerators to operate in a transparent manner to optimize network traffic associated with network authentication and security mechanisms. Certain authentication mechanisms, however, are connection-based, relying on implicit end-to-end state, which is problematic for the insertion into the client-server connection of a proxy performing such functions as content acceleration and other optimizations. For example, Microsoft's Internet Information Services (IIS) web server utilizes an authentication mechanism (NTLM, NT LAN Manager) that integrates with Windows domain authentication for authenticating client systems attempting to access content on the web server. IIS and Internet Explorer (IE) can use this type of authentication over HTTP. However, the introduction of a proxy server between the IE client and the IIS server compromises the NTLM authentication scheme, because there is no longer an end-to-end connection between the IE client and the IIS server. When a proxy is inserted between client(s) and an origin server using NTLM, clients are often forced to re-authenticate themselves numerous times during a single browsing session, since each time a request lands on an upstream connection that has not completed the handshake the server issues a fresh challenge. In addition, since the NTLM server assumes that any request received over an authenticated connection comes from the authenticated source, the use of connection multiplexing becomes problematic, as it may allow unauthenticated clients access to content or other data requiring authentication.
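The two failure modes just described (repeated re-authentication and leakage of an authenticated connection to other clients) follow directly from the origin scoping its authenticated state to the TCP connection. The following Python model is an added illustration written for this page, not code from the page or from any product it names: the NTLM message formats are replaced by labelled stand-ins, and the only property modelled faithfully is that trust is attached to the upstream connection identifier rather than to the request. It compares a proxy that multiplexes all clients over one persistent connection, a proxy that picks from a pool per request, and a proxy that pins each client connection to its own upstream connection.

```python
"""Why NTLM-over-HTTP breaks behind a multiplexing proxy (added model).

Constructed illustration. Real NTLM type-1/2/3 messages are replaced by
labelled tuples; the origin's connection-scoped trust is the point modelled.
"""
import itertools
from dataclasses import dataclass, field


@dataclass
class Origin:
    """IIS-like origin: once a connection completes the handshake, every later
    request on that connection is treated as coming from the same user."""
    users: dict                                  # user -> secret (constructed)
    authed: dict = field(default_factory=dict)   # upstream conn id -> user

    def handle(self, conn, req):
        if conn in self.authed:                  # trust is per connection
            return 200, f"secret page for {self.authed[conn]}"
        auth = req.get("auth")
        if auth is None:
            return 401, "WWW-Authenticate: NTLM"             # start handshake
        if auth[0] == "NEGOTIATE":
            return 401, "WWW-Authenticate: NTLM <challenge>"  # type-2 stand-in
        if auth[0] == "AUTHENTICATE" and self.users.get(auth[1]) == auth[2]:
            self.authed[conn] = auth[1]          # connection is now "logged in"
            return 200, f"secret page for {auth[1]}"
        return 401, "WWW-Authenticate: NTLM"


@dataclass
class Browser:
    """IE-like client: answers a 401 by running the three-step handshake on
    the same client connection, then expects the content."""
    name: str
    secret: str
    handshakes: int = 0

    def get(self, proxy, conn):
        status, body = proxy.forward(conn, {"auth": None})
        if status == 401:
            self.handshakes += 1
            status, body = proxy.forward(conn, {"auth": ("NEGOTIATE", self.name)})
            if status == 401:
                status, body = proxy.forward(
                    conn, {"auth": ("AUTHENTICATE", self.name, self.secret)})
        return status, body


class SharedProxy:
    """Connection multiplexing: every client request rides one persistent
    upstream connection, so the origin's trust leaks across clients."""
    def __init__(self, origin):
        self.origin = origin

    def forward(self, client_conn, req):
        return self.origin.handle("up-0", req)


class RoundRobinProxy:
    """Pool of persistent upstream connections chosen per request: the
    handshake and the later requests land on different connections."""
    def __init__(self, origin, pool=2):
        self.origin = origin
        self.pick = itertools.cycle(f"up-{i}" for i in range(pool))

    def forward(self, client_conn, req):
        return self.origin.handle(next(self.pick), req)


class PinnedProxy:
    """Each client connection owns a dedicated upstream connection, so the
    origin's connection-scoped state stays with the client that earned it."""
    def __init__(self, origin):
        self.origin = origin
        self.upstream = {}

    def forward(self, client_conn, req):
        up = self.upstream.setdefault(client_conn, f"up-{client_conn}")
        return self.origin.handle(up, req)


USERS = {"alice": "correct-horse"}   # constructed sample credential store


def leak_through_shared_connection():
    """What an unauthenticated client gets after alice logs in via SharedProxy."""
    proxy = SharedProxy(Origin(USERS))
    Browser("alice", "correct-horse").get(proxy, "c1")
    return Browser("mallory", "wrong-password").get(proxy, "c2")


def handshakes_for(proxy_cls, fetches=4):
    """How many times alice is forced through the handshake for N page loads."""
    proxy = proxy_cls(Origin(USERS))
    alice = Browser("alice", "correct-horse")
    for _ in range(fetches):
        alice.get(proxy, "c1")
    return alice.handshakes


def pinned_denies_unauthenticated():
    """With pinning, mallory's own upstream connection never gets trusted."""
    proxy = PinnedProxy(Origin(USERS))
    Browser("alice", "correct-horse").get(proxy, "c1")
    return Browser("mallory", "wrong-password").get(proxy, "c2")[0]


if __name__ == "__main__":
    print("shared connection, mallory receives:", leak_through_shared_connection())
    print("round-robin pool, handshakes for 4 loads:", handshakes_for(RoundRobinProxy))
    print("pinned, handshakes for 4 loads:", handshakes_for(PinnedProxy))
    print("pinned, mallory status:", pinned_denies_unauthenticated())
```

Running it shows the shared-connection proxy handing mallory alice's page without any credential, the round-robin pool challenging alice on every page load, and the pinned proxy giving one handshake per client connection while still refusing mallory. Pinning is the least-privilege fix that keeps the origin doing the authentication; it costs the accelerator the ability to share upstream connections across clients, which is exactly the tradeoff the rest of this section is about.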
NTLM is a proprietary connection-based authentication mechanism, developed by Microsoft Corporation, that relies on implicit end-to-end state. The HTTP/1.1 specification states that all state is hop-by-hop only; therefore, using NTLM for HTTP traffic is prone to many HTTP compliance difficulties and breaks when there are any proxies (hops) between the client and the server. In fact, a Microsoft knowledge base article (Q198116, Authentication Options and Limitations using Proxy Server 2.0) states: “Enabling [NTLM] authentication to a reverse proxy is not recommended . . . inserting a reverse proxy will cause NTLM authentication between the client browser and the Web server to cease functioning.” The article goes on to recommend using the less secure Basic Authentication instead of NTLM if a proxy server is involved.
According to one solution, since NTLM is an end-to-end authentication mechanism, the inclusion of a proxy in the transaction path requires two separate authentication steps: 1) between the client and the proxy, and 2) between the proxy and the server. Indeed, some have reverse-engineered the proprietary NTLM protocol and, as a result, have implemented a solution which requires additional configuration of the proxy as well as the Windows domain controller. This type of solution essentially moves the termination point of the NTLM connection from the server to the proxy. For example, Cacheflow provides a proxy with an NTLM solution that requires the installation of software on the NT domain controller. This approach allows the proxy to terminate the server end of the authentication, thus ensuring that there are no “hops” between the client and the authenticating NTLM endpoint. Such a solution does not really act as a proxy for NTLM-based transactions; rather, it takes over NTLM authentication from the NTLM server, so the proxy itself becomes a credential-validating party that must be trusted and secured as such. In addition, this is not a transparent solution, as it requires considerable setup and configuration on the proxy server and on the domain controller.
In light of the foregoing, a need in the art exists for methods, apparatuses and systems that allow for transparent intermediation of network traffic over connection-based authentication protocols, such as NTLM. Embodiments of the present invention substantially fulfill this need.