NTLM passthrough
Airlock Gateway can handle HTTP connections with transparent client-to-back-end NTLM authentication. Since the authorization of NTLM-authenticated connections is bound to the underlying TCP connection, the client and back-end connections are correlated as soon as an NTLM handshake is detected. These one-to-one bindings of client and back-end connections exist until the client connections are closed. It is guaranteed that no back-end connection authenticated using NTLM is ever reused by another client connection.
NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet. If possible, Kerberos should be preferred over NTLM, as suggested by Microsoft.
NTLM passthrough cannot be used in combination with the "Front-side NTLM" authentication flow.
Both "Remove NTLM header" and Error Page Replacement of 401 responses must be disabled for this feature to work.
Due to the persistent one-to-one binding of client and back-end connections, memory usage may increase substantially.
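The one-to-one binding described above can be modelled as follows. This is an added illustration, not Airlock Gateway's implementation: `BackendPool`, its method names, the integer connection ids and the sample token are hypothetical, and closing the back-end connection when the client closes is an assumption.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Constructed sample: a minimal Type 1 message with arbitrary flags.
SAMPLE_NEGOTIATE = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207)).decode()

def ntlm_message_type(header_value):
    """Name of the NTLM message in an Authorization/WWW-Authenticate value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # other scheme, or a bare "NTLM" offer without a token
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    return MESSAGE_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

class BackendPool:
    """Hypothetical pool: back-end connections are shared until pinned."""
    def __init__(self):
        self.idle = []    # back-end connection ids free for any client
        self.pinned = {}  # client connection id -> back-end connection id
        self.count = 0

    def acquire(self, client_id, authorization=None):
        if client_id in self.pinned:       # bound clients keep their back end
            return self.pinned[client_id]
        if self.idle:
            backend = self.idle.pop()
        else:
            self.count += 1
            backend = self.count
        if authorization and ntlm_message_type(authorization):
            self.pinned[client_id] = backend  # bind once a handshake is seen
        return backend

    def release(self, client_id, backend):
        """End of a request: only unpinned connections return to the pool."""
        if self.pinned.get(client_id) != backend:
            self.idle.append(backend)

    def client_closed(self, client_id):
        """Drop the binding; the caller closes the returned back end (assumed)."""
        return self.pinned.pop(client_id, None)
```

The `pinned` table holds one entry per NTLM-authenticated client connection for its whole lifetime, which is the source of the increased memory usage noted above.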