RE: [squid-users] Exchange Server 2007 + Outlook 2007 + Squid Proxy

From: Jason Staudenmayer <jasons_at_adventureaquarium.com>
Date: Fri, 13 Aug 2010 14:07:45 -0400

Do you use ntlm auth for the proxy? If your not set for any auth then the path the client is using to resolve might be breaking the link.

Like this maybe -
Outlook connects to exchange to get your email, the email contains a web image. Outlook uses IE to render the page, IE goes through the proxy the outlook types to get the rest of the mail through IE which is now using the proxy. Exchange thinks you changed IP's so it need a new token.

> -----Original Message-----
> From: Kale D. Michels [mailto:kmichels_at_HRI-DHO.com]
> Sent: Friday, August 13, 2010 1:46 PM
> To: Jason Staudenmayer
> Cc: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Exchange Server 2007 + Outlook
> 2007 + Squid Proxy
>
>
> Thanks a lot for your help on this one Jason. I think we are
> definitely on the right track now. My only concern is that I
> do not have my proxy server setup to require authentication
> to navigate to the web. However I think from the way you are
> describing it to me.. they open the email > attempt to view
> image > navigate through proxy to get image > ... somehow it
> gets back to requiring the network authentication (domain
> authentication) in order to place the found image into the
> email for view.?
>
> Or maybe something like that...
>
> I just wanted to make sure you didn't think that the proxy
> server was requesting for authentication to the proxy server
> which is an optional configuration of the squid.
>
> Thanks again,
>
> Kale
>
> -----Original Message-----
> From: Jason Staudenmayer [mailto:jasons_at_adventureaquarium.com]
> Sent: Friday, August 13, 2010 11:50 AM
> To: Nick Cairncross
> Cc: squid-users_at_squid-cache.org; Kale D. Michels
> Subject: RE: [squid-users] Exchange Server 2007 + Outlook
> 2007 + Squid Proxy
>
> I use a PAC file for all internals but the issue he's seeing
> is from HTML email from outside the LAN with images being
> pulled from the web (through IE and therefore through the
> proxy server). When you open an email the server doesn't
> parse the content for you over your LAN the client must do
> that on it's own. Each element in that email will need an
> auth for the proxy server. I've been dealing with this
> situation for 8 years. They only way around it is to allow
> outlook/IE to save the password (sometimes the box isn't
> there) or allow users to bypass the proxy which defeats the purpose.
>
> Kale, check to see that this only happen when viewing an HTML
> email with web based images link in it. You shouldn't have
> any issues with RTF or plain text emails asking for auth to
> the proxy since those would be encoded in the email as a mime section.
>
> Jason
>
>
>
> ..·><((((º>
>
>
> > -----Original Message-----
> > From: Nick Cairncross [mailto:Nick.Cairncross_at_condenast.co.uk]
> > Sent: Friday, August 13, 2010 12:33 PM
> > To: Jason Staudenmayer
> > Cc: Kale D. Michels; squid-users_at_squid-cache.org
> > Subject: Re: [squid-users] Exchange Server 2007 + Outlook
> > 2007 + Squid Proxy
> >
> >
> > Not really on topic for squid now but...
> >
> > My setup being different I cant really add much to help you
> > here, other than I would have thought NOT passing your
> > requests through a proxy server if it's your own internal
> > mail servers is the way to go. Send it direct to your CASs.
> >
> > Example: have isa in a DMZ forwarding the
> > autodiscover.domain, OWA etc for your mail.domain for
> > external and a split horizon internal DNS. Clients within
> > your LAN use internal dns servers to resolve the above and
> > hence using a PAC file to say 'if my mail.domain send direct'
> > and don't use proxy.
> >
> > As for the prompting for external HTML that sounds like a
> > browser/auth issue. I don't see that for my ie users. Macs
> > however are a different matter...
> >
> > Nick
> >
> > On 13 Aug 2010, at 16:55, "Jason Staudenmayer"
> > <jasons_at_adventureaquarium.com> wrote:
> >
> > >> -----Original Message-----
> > >> From: Nick Cairncross [mailto:Nick.Cairncross_at_condenast.co.uk]
> > >> Sent: Friday, August 13, 2010 11:28 AM
> > >> To: Kale D. Michels; squid-users_at_squid-cache.org
> > >> Subject: Re: [squid-users] Exchange Server 2007 + Outlook
> > >> 2007 + Squid Proxy
> > >>
> > >>
> > >> By-pass proxy for local/exchange URL/host, no?
> > >>
> > >> Easiest if you use a pac file also and specify the local
> > >> addresses/subnets i.e send direct and don't touch the proxy
> > >>
> > >> Nick
> > >>
> > >>
> > >> On 13/08/2010 14:49, "Kale D. Michels"
> > <kmichels_at_HRI-DHO.com> wrote:
> > >>
> > >> I have my proxy server set to be used by the majority of my
> > >> internal users. The problem I am running into is that now
> > >> that I've upgraded (some time ago) to Exchange Server 2007 I
> > >> am now having issues between the Outlook 2007 client and the
> > >> Exchange 2007 server for those users that are configured to
> > >> pass to the internet through the proxy. The error that shows
> > >> up just requests for the username and password of the person
> > >> like it forgot the users credentials that were used to
> > >> connect to the exchange server. It appears that the emails
> > >> can be sent and received but it will repeatedly ask users for
> > >> their credentials. This is not a virus or anything in
> > >> relation to a malware infection but can be reproduced by
> > >> turning off the use of the proxy (IE Browser - proxy settings
> > >> turned off) and outlook will not ask for credentials, and
> > >> then turn the proxy back on (reverse) and the problem will
> > >> start again. Let me know if there is a quick fix (port,
> > >> protocol, acl rule) that can be put into place or an
> > >> exchange/outlook modification that can be made to resolve
> > this issue.
> > >>
> > >> Thank you,
> > >>
> > >> Kale
> > >
> > >
> > > That sounds like the situation I have here. All users go
> > through a proxy, any email that come in with web based images
> > gets a popup. If IE doesn't have the proxy set then no images
> > are shown in the email. It's only html email that pull images
> > from the web. AFAIK there's no way around this other then
> > allowing users to bypass the proxy, which kinda defeets the purpose.
> > >
> > > Jason
> > >
> > >
> > >
> > > ..·><((((º>
> >
> > The information contained in this e-mail is of a confidential
> > nature and is intended only for the addressee. If you are
> > not the intended addressee, any disclosure, copying or
> > distribution by you is prohibited and may be unlawful.
> > Disclosure to any party other than the addressee, whether
> > inadvertent or otherwise, is not intended to waive privilege
> > or confidentiality. Internet communications are not secure
> > and therefore Conde Nast does not accept legal responsibility
> > for the contents of this message. Any views or opinions
> > expressed are those of the author.
> >
> > The Conde Nast Publications Ltd (No. 226900), Vogue House,
> > Hanover Square, London W1S 1JU
> >
>
Received on Fri Aug 13 2010 - 18:09:23 MDT

This archive was generated by hypermail 2.2.0 : Sat Aug 14 2010 - 12:00:02 MDT