RE: [squid-users] NTLM-transparent?

We do NTLM auth with squid setup transparently. We get all the names and IP's in the logs and it works great, no issues (Stable) in a 400 person call center that bangs away on an internal web application very heavily. We use SmartFilter and Squid to achieve this.

- Nick

________________________________________
From: Henrik Nordstrom [henrik_at_henriknordstrom.net]
Sent: Sunday, June 29, 2008 5:57 PM
To: nairb rotsak
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] NTLM-transparent?

On sön, 2008-06-29 at 08:48 -0700, nairb rotsak wrote:

> I am used to running Squid/Dansguardian/Samba with ntlm auth. But I
> have always used it as a stand-alone proxy.. never at the gateway. I
> do it this way because I was always told that the usernames will not
> show up in logs (ntlm's fault.. not Squid) when Squid is in
> transparent mode.

True..

> Is this still true? How the heck does the iPrism do it? ;-)

They may have hacked Squid to allow NTLM WWW authentication (not proxy
authentication) in transparent interception mode. Highly unstandard, and
only works for the non-standard connection oriented auth schemes
(NTLM/Negotiate/Kerberos).

Another possibility is that they use an IP session cache, redirecting
the user to "the gateway webserver" for authentication if no already
established session, and link this to Squid via external_acl_type
providing the username of the session based on the client IP. Have done
this myself in another product (also squid based), and requires some
additional software to keep track of the sessions.

Regards
Henrik
Received on Sun Jun 29 2008 - 23:03:53 MDT