Re: [squid-users] Squid, ntlm, java, and gotomeeting

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 04 Feb 2009 13:28:12 -0900

Kevin Blackwell wrote:
> Hi,
>
> I currently have a deployment of Squid. We use it to track surfing
> habits of users on Windows 2003 Terminal Servers. It's AD aware and
> using ntlm.
>
> It seems that when a user tries to go to gotomeeting.com and start a
> meeting, an auth box pops up that says ntlm at the top and asks for
>
> Username
> Password
> domain
>
> I've tried the administrator login info, doesn't work.
>
> From what I can tell this is a java app trying to make a connection to
> gotomeeting server and squid isn't allowing it.
>
> Here's the squid logs from the attempt.
>
> 10.0.0.0 - tuser [03/Feb/2009:17:49:16 -0600] "CONNECT
> www1.gotomeeting.com:443 HTTP/1.0" 200 30252 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:49:17 -0600] "CONNECT
> www1.gotomeeting.com:443 HTTP/1.0" 200 3412 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:49:18 -0600] "CONNECT
> www1.gotomeeting.com:443 HTTP/1.0" 200 4484 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:49:18 -0600] "CONNECT
> www1.gotomeeting.com:443 HTTP/1.0" 200 6568 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:49:19 -0600] "CONNECT
> www1.gotomeeting.com:443 HTTP/1.0" 200 1345 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:49:19 -0600] "CONNECT
> www1.gotomeeting.com:443 HTTP/1.0" 200 18271 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:49:28 -0600] "CONNECT
> ssl.google-analytics.com:443 HTTP/1.0" 200 11673 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:50:20 -0600] "CONNECT
> www1.gotomeeting.com:443 HTTP/1.0" 200 12437 TCP_MISS:DIRECT
> 10.0.0.0 - tuser [03/Feb/2009:17:50:25 -0600] "CONNECT
> col.gotomeeting.com:443 HTTP/1.0" 200 9930 TCP_MISS:DIRECT
>
> Anyone know of a workaround?
>

As far as I can find, the JRE after 1.5.08 and later support NTLM, but I
think that the applet writer might need to specifically implement this
support.

The only sure-fire workaround that I know of is to allow the Java User
Agent out (perhaps only to specific sites) without requiring authentication.

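# Requests whose User-Agent header matches Java/<digit>
acl Java browser Java/[0-9]
# Destination domain (and subdomains) reachable without authentication
acl JavaSites dstdomain .gotomeeting.com
acl our_networks src 192.168.45.0/28
# Allowed only when all three ACLs match
http_access allow Java our_networks JavaSites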

> Kevin
>

Chris
Received on Wed Feb 04 2009 - 22:24:41 MST
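
An added example, not part of the original message or of Squid: a Python audit of access.log that lists requests logged without a username and checks each against the destination and source scope of the ACLs above, since the User-Agent match alone is set by the client. It assumes the log layout shown in the quoted excerpt and that unauthenticated requests log "-" as the user; the names and sample lines are constructed.

```python
import ipaddress
import re

# Scope taken from the ACLs in the reply above.
ALLOWED_NET = ipaddress.ip_network("192.168.45.0/28")
ALLOWED_DOMAIN = ".gotomeeting.com"

# Assumed layout: src ident user [time] "METHOD target HTTP/x" status bytes result
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ \S+$')

def host_of(method, target):
    # CONNECT targets are host:port; other methods carry a full URL.
    if method != "CONNECT":
        target = target.split("://", 1)[-1].split("/", 1)[0]
    host = target.rsplit(":", 1)[0] if ":" in target else target
    return host.lower().rstrip(".")

def in_dstdomain(host, pattern=ALLOWED_DOMAIN):
    # A leading dot in dstdomain matches the domain itself and its subdomains.
    bare = pattern.lstrip(".")
    return host == bare or host.endswith("." + bare)

def audit(lines):
    # Return (line_no, reason) for unauthenticated traffic outside the exception.
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append((n, "unparsed"))
            continue
        if m["user"] != "-" or m["status"] == "407":
            continue  # authenticated, or challenged by the proxy
        host = host_of(m["method"], m["target"])
        if not in_dstdomain(host):
            findings.append((n, "unauthenticated to " + host))
        elif ipaddress.ip_address(m["src"]) not in ALLOWED_NET:
            findings.append((n, "unauthenticated from " + m["src"]))
    return findings

TS = "[03/Feb/2009:17:49:16 -0600]"  # constructed sample lines below
SAMPLE = [
    '192.168.45.5 - tuser %s "CONNECT www1.gotomeeting.com:443 HTTP/1.0" 200 30252 TCP_MISS:DIRECT' % TS,
    '192.168.45.5 - - %s "CONNECT col.gotomeeting.com:443 HTTP/1.0" 200 9930 TCP_MISS:DIRECT' % TS,
    '192.168.45.5 - - %s "GET http://example.org/ HTTP/1.1" 407 1700 TCP_DENIED:NONE' % TS,
    '192.168.45.5 - - %s "CONNECT notgotomeeting.com:443 HTTP/1.0" 200 512 TCP_MISS:DIRECT' % TS,
    '192.168.45.77 - - %s "CONNECT www1.gotomeeting.com:443 HTTP/1.0" 200 512 TCP_MISS:DIRECT' % TS,
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any finding means a request passed without authentication outside the intended exception, which points to an http_access rule that is broader than the one shown or placed in the wrong order.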
