[squid-users] RDP, Certificates and Squid

From: Damian Teasdale <damte_at_oppy.com>
Date: Wed, 23 Feb 2011 10:12:56 -0800

Here is our environment:

LAN users all go through the proxy for internet access, works fine. A few users need access to RDP to an external partners Terminal Server. The terminal server has a Certificate issued by GoDaddy.com. When the users on the LAN attempt to connect to the external Terminal Server I don't think that they can authenticate the certificate. I watch the access.log and I see these lines written:

1297896161.739 70 192.168.x.xTCP_DENIED/407 1962 GET http://certificates.godaddy.com/repository/gd_intermediate.crt - NONE/- text/html
1297896161.742 0 192.168.x.x TCP_DENIED/407 2158 GET http://certificates.godaddy.com/repository/gd_intermediate.crt - NONE/- text/html
1297896161.745 2 192.168.x.x TCP_DENIED/407 1962 GET http://certificates.godaddy.com/repository/gd_intermediate.crt - NONE/- text/html
1297896162.086 319 192.168.x.x TCP_DENIED/407 2055 GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab - NONE/- text/html
1297896162.089 0 192.168.x.x TCP_DENIED/407 2251 GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab - NONE/- text/html
1297896162.091 2 192.168.x.x TCP_DENIED/407 2055 GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab - NONE/- text/html

I have tried putting in some acl's for this but it doesn't seem to make a difference, here are the acl's as I have them setup:

acl GoDaddy dstdomain .godaddy.com

http_access allow GoDaddy

There are a lot of other acl's that we have setup but did not include them all, but could if needed. Any ideas about how to get this working? As a work around I have put in a separate ACL to allow that LAN computers IP address direct access and it works, but this is not ideal.

Thanks

Damian Teasdale
Senior Technical Analyst
The Oppenheimer Group
Tel: 604-461-6779
email: damte_at_oppy.com

The Oppenheimer Group ---- CONFIDENTIAL

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
Received on Wed Feb 23 2011 - 18:13:17 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 23 2011 - 12:00:03 MST