[squid-users] Fwd: Forwarding Integrated Authentication for Terminal Server / Citrix users.

From: Jason Fitzpatrick <jayfitzpatrick_at_gmail.com>
Date: Tue, 10 Jan 2012 13:55:14 +0000

Hi all

We are in the process of replacing an ISA cluster with a Squid Cluster
(Squid Cache: Version 3.1.14) and have run into some issues with the
forwarding of credentials to an upstream proxy.

Our setup is as follows (names and IP addresses just for explanation purposes):

Netscaler load balancer      10.0.0.10:8080 [squid.domain.local]

Squid Node 1                 10.0.0.11:8080 [squidnode1.domain.local] - sibling
Squid Node 2                 10.0.0.12:8080 [squidnode2.domain.local] - sibling

Upstream Websense            10.0.0.20:8080 [websense.domain.local] - parent

Upstream Transparent Proxy   10.1.0.10:8080 [parent.domain.local] - parent

Clients connect in from within a Citrix / Terminal Server environment
to the load balancer, which in turn forwards the TCP connection to
one of the squidnodes (load balanced / round robin with failover).
The Squid then forwards the connections on to the Websense system using
the following directives from squid.conf (e.g. from node 1):

cache_peer 10.0.0.20 parent 8080 3130 no-query login=PASS weight=4
cache_peer 10.0.0.12 sibling 8080 3130 login=PASS

The Websense (running on a Linux platform) then authenticates the users
and, based on its access rules, forwards the request on to the
upstream server and off to the internet.

Our issue is that the Websense does not seem to be authenticating all
Terminal Server / Citrix users correctly. It is set up to use IWA with
a fallback to NTLM authentication, and it seems to be authenticating the
first connection via the Squid from the IP address of the TS but not the
following ones.

Websense seem to think that this is a problem with the Squid
configuration, but I am not sure that this is true, as the Squid is only
forwarding on the authentication request to the Websense box. Does
Squid have the ability to differentiate between multiple users on a
single computer?

Has anyone had any experience of a similar setup where authentications
are being processed by an upstream server for Terminal Server users?

Thanks

Jay

--
"The only difference between saints and sinners is that every saint
has a past while every sinner has a future. "
— Oscar Wilde
Received on Tue Jan 10 2012 - 13:55:21 MST

This archive was generated by hypermail 2.2.0 : Wed Jan 11 2012 - 12:00:02 MST
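As an added example (not part of the post or of Squid itself), a small parser for `cache_peer` directives that reports which peers are handed the client's credentials via `login=PASS`; the sample input is the two directives quoted in the post, and the `forwards_client_credentials` method is an assumed helper name.

```python
"""Parse squid.conf cache_peer lines and report which peers receive
forwarded client credentials (login=PASS).  Added example, not from the post."""
from dataclasses import dataclass, field

# Constructed sample: the two cache_peer directives quoted in the post (node 1).
SAMPLE_CONF = """\
# node 1
cache_peer 10.0.0.20 parent 8080 3130 no-query login=PASS weight=4
cache_peer 10.0.0.12 sibling 8080 3130 login=PASS
"""


@dataclass
class CachePeer:
    host: str
    kind: str                                    # parent, sibling or multicast
    http_port: int
    icp_port: int
    flags: set = field(default_factory=set)      # bare options, e.g. {"no-query"}
    options: dict = field(default_factory=dict)  # key=value options, e.g. {"login": "PASS"}

    def forwards_client_credentials(self) -> bool:
        # login=PASS makes Squid relay the client's Proxy-Authorization header
        # to this peer unchanged, so the peer sees the original credentials.
        return self.options.get("login") == "PASS"


def parse_cache_peers(conf: str) -> list:
    """Return one CachePeer per cache_peer directive; comments are ignored."""
    peers = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("cache_peer"):
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed cache_peer line: {raw!r}")
        peer = CachePeer(parts[1], parts[2], int(parts[3]), int(parts[4]))
        for opt in parts[5:]:
            if "=" in opt:
                key, value = opt.split("=", 1)
                peer.options[key] = value
            else:
                peer.flags.add(opt)
        peers.append(peer)
    return peers


def credential_forwarding_report(conf: str) -> dict:
    """Map 'host:http_port' -> True if that peer receives the client's credentials."""
    return {f"{p.host}:{p.http_port}": p.forwards_client_credentials()
            for p in parse_cache_peers(conf)}
```

Running `credential_forwarding_report(SAMPLE_CONF)` on the post's config shows both the Websense parent and the sibling node receive the client's Proxy-Authorization header, which is the path an auditor would trace when a user's authentication is attributed to the wrong session.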