Re: [squid-users] Q: squid as proxy for OWA: authentication not passing through

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 04 Feb 2012 15:22:35 +1300

On 4/02/2012 2:23 p.m., John H. Nyhuis wrote:
> I'm trying to set up squid as a proxy for a Microsoft Exchange OWA server, and would appreciate it if someone could point out what I am missing in my squid.conf.
>
> When I connect directly to OWA using a browser, I am presented with a username / password dialogue, and can log in.
> When I connect through squid, I do not receive the username / password dialogue, and squid logs a TCP_MISS/403.
> I think squid is not passing the authentication dialogue back to the client, and then the connection times out.
>
> squid version: squid3-3.1.16-57.2
> exchange version: 2010
> squirm is used to rewrite the requests squid sends to the target exchange server

Sigh. Exchange is VERY sensitive to the nature of requests it receives.
I suspect very much that this URL re-writing is part of the problem.

Start with re-considering *why* your Exchange server and Outlook clients
are not communicating the correct URLs between each other and what can
be done to their configuration to fix that.

>
> squid.conf: (with IP's removed)
>
> https_port <squid's IP>:443 accel cert=/etc/squid/ssl/0123trial.com.crt key=/etc/squid/ssl/0123trial.com.key defaultsite=<exchange server> vhost protocol=https
>
> cache_peer <squid's IP> parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=owaServer
> acl OWA dstdomain <exchange server>
> extension_methods RPC_IN_DATA RPC_OUT_DATA
> cache_peer_access owaServer allow OWA
> never_direct allow OWA
> redirect_program /usr/local/squirm/bin/squirm
> redirect_children 1
>
>
> A connection attempt through squid to the exchange server on a browser is logged in access.log as follows
> https://<squid's IP>/testuser@<exchange server>/
>
> access.log:
>
> 1328317941.803 0 <squid's IP> TCP_MISS/403 4601 GET https://<squid's IP>/testuser@<exchange server>/ - NONE/- text/html
> 1328317941.804 8 5.36.162.200 TCP_MISS/403 4736 GET https://<squid's IP>/testuser@<exchange server>/ - DIRECT/<squid's IP> text/html
>
>
> I'd be much obliged if someone could point out what I have misconfigured.

You have configured the cache_peer linkage (which should be
Squid->Exchange) to be Squid->Squid.

Then there is that mangled URL fooling Exchange into identifying its
domain scope as "<Squid's IP>", with undefined results.

Amos
Received on Sat Feb 04 2012 - 02:22:44 MST
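
A check for the misconfiguration diagnosed in this reply, as an added example that is not part of the original thread or of Squid itself: it flags any cache_peer whose address and port match one of Squid's own listeners, and any peer with sslflags=DONT_VERIFY_PEER, which turns off verification of the peer's certificate. The sample configuration, its documentation-range addresses, host names and the function names are constructed assumptions.

```python
# Constructed sample modelled on the quoted squid.conf. The addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_CONF = """\
https_port 192.0.2.10:443 accel cert=/etc/squid/ssl/example.crt key=/etc/squid/ssl/example.key defaultsite=owa.example.test vhost
cache_peer 192.0.2.10 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=owaServer
cache_peer 192.0.2.20 parent 443 0 no-query originserver login=PASS ssl front-end-https=on name=owaFixed
"""

def _tokens(line):
    """Split one config line into tokens, ignoring trailing comments."""
    return line.split("#", 1)[0].split()

def listeners(conf):
    """Return the set of (host, port) pairs Squid itself listens on."""
    found = set()
    for line in conf.splitlines():
        tok = _tokens(line)
        if len(tok) >= 2 and tok[0] in ("http_port", "https_port"):
            host, _, port = tok[1].rpartition(":")
            found.add((host, port))  # host == "" means every local address
    return found

def lint_cache_peers(conf):
    """Return (peer_name, finding) tuples for risky cache_peer lines."""
    own = listeners(conf)
    findings = []
    for line in conf.splitlines():
        tok = _tokens(line)
        # cache_peer <host> <type> <http-port> <icp-port> [options]
        if len(tok) < 5 or tok[0] != "cache_peer":
            continue
        host, port, opts = tok[1], tok[3], tok[5:]
        name = next((o[5:] for o in opts if o.startswith("name=")), host)
        wildcard_loop = ("", port) in own and host in ("127.0.0.1", "localhost")
        if (host, port) in own or wildcard_loop:
            findings.append((name, "peer is Squid's own listener (Squid->Squid loop)"))
        if any(o.startswith("sslflags=") and "DONT_VERIFY_PEER" in o for o in opts):
            findings.append((name, "peer certificate is not verified"))
    return findings

if __name__ == "__main__":
    for peer, finding in lint_cache_peers(SAMPLE_CONF):
        print(f"{peer}: {finding}")
```
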
