Re: [squid-users] NTLM not-proxiable- workarounds?

From: Josh Wyatt <Josh.Wyatt@dont-contact.us>
Date: Wed, 03 Dec 2003 21:55:15 -0500

Henrik Nordstrom wrote:
> On Wed, 3 Dec 2003, Josh Wyatt wrote:
>
>>I know that NTLM authentication is not proxiable, per Microsoft and per reading several threads on the subject. I'm
>>wondering what other squid users do when you have users using it, but still need to deploy a transparent proxy.
>
> Add exclusions to the interception for the NTLM sites the users need
> access to, on a case by case basis.

This would be done on the router? Or could I add rules to the squid server to drop connections from/to those hosts, and
let WCCP do the rest...?

>>My situation is as follows. I'm using a Cisco router doing WCCP (works great!) redirection to a Red Hat 9 Linux box
>>running squid-2.5.STABLE1. Outlook Web Access of course fails through this setup.
>
> Should at least fall back on Basic auth if you upgrade your Squid to
> 2.5.STABLE2 or later and the IIS server has "plain text" authentication
> enabled. (2.5.STABLE2 and later automatically filters out NTLM
> authentication from the server challenge, ensuring that the browser does
> not select NTLM when it is known it won't work)

Hrm, a big if. However, it seems worth a try.

> It should also work if the OWA administrator enables SSL support to secure
> internet access and switches the users to use https:// instead of http://.
> Accessing OWA using http:// over the Internet is not very wise from a
> security point of view.

Another big if. So insecure, yet so many users insist on this "easy" technology. Unfortunately I do not have access to
the NT admins running those servers.

>>I've tried the following:
>>1. Added 'extension_methods SEARCH SUBSCRIBE UNSUBSCRIBE POLL BCOPY BPROPPATCH' to the config as suggested in another,
>>older (circa 2000) thread from this list (for 2.4 and earlier). No effect.
>
> Should not be needed with Squid-2.5.
>
>>2. Added 'acl exchange urlpath_regex exchange' and 'always_direct allow exchange' to the config, to try and make all
>>accesses to urls containing 'exchange' go direct. Squid logs the attempts as going direct, but it doesn't fix
>>authentication.
>
> As you note this won't help. The problem is at a protocol level due to MS
> not reading the HTTP specifications.

MS... not adhering to specs... imagine that. When will they learn? Better question, when will the USERS learn to
demand BETTER?

> Regards
> Henrik

Cheers, and thanks for the response,
Josh
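As an added illustration of the challenge filtering Henrik describes for Squid 2.5.STABLE2 and later (this is example code written for this archive page, not Squid's own implementation): a proxy that cannot relay connection-oriented authentication drops the NTLM challenge from the server's 401 so the browser falls back to Basic, and if nothing usable remains, the origin server simply has not enabled "plain text" authentication. Treating Negotiate the same way as NTLM is an assumption of this example, and the 401 response is constructed.

```python
# Added example, not Squid code: drop connection-oriented WWW-Authenticate
# challenges (NTLM; Negotiate is assumed to behave the same) from an origin
# server's 401 so an intercepted browser falls back to Basic auth.

CONNECTION_ORIENTED = {"ntlm", "negotiate"}


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def strip_connection_oriented_auth(headers):
    """Return (filtered headers, remaining auth schemes).

    An empty scheme list means the server offered nothing the browser can
    use through the proxy: the "big if" in the thread, i.e. IIS must also
    have Basic ("plain text") authentication enabled for fallback to work.
    """
    kept, schemes = [], []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            scheme = value.split(None, 1)[0].lower() if value else ""
            if scheme in CONNECTION_ORIENTED:
                continue  # drop the NTLM/Negotiate challenge
            schemes.append(scheme)
        kept.append((name, value))
    return kept, schemes


# Constructed sample: an OWA-style 401 offering both NTLM and Basic.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="owa.example.com"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_401)
    kept, schemes = strip_connection_oriented_auth(hdrs)
    print(status, "->", schemes)  # -> ['basic']
```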
Received on Wed Dec 03 2003 - 19:55:47 MST
