TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Clem <clemfree_at_free.fr>
Date: Wed, 14 Mar 2012 11:32:59 +0100

Hello,

Ok so I know exactly why squid can't forward ntlm credentials and stops at
type1. It's facing the double hop issue: ntlm credentials can be sent only
on one hop, and are lost with 2 hops like: client -> squid (hop1) -> IIS6
rpc proxy (hop2) -> exchange 2007

That's why when I connect directly to my iis6 rpc proxy it works, and when
I connect through squid it requests login/pass again and again. And we can
clearly see that in the https analyses.

ISA server has a workaround for this double hop issue, as I wrote in
my last mail; I don't know if squid can act like this.

I'm searching atm for how to set up iis6 to perhaps resolve this problem, but I
don't want to "break" my exchange so I have to do my tests very carefully.

Regards

Clem

-----Original Message-----
From: Clem [mailto:clemfree_at_free.fr]
Sent: Monday, 12 March 2012 13:20
To: squid-users_at_squid-cache.org
Subject: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
exchange2007 with ntlm

Progressing in my ntlm/rpcohttps researches

The only reverse proxy that can forward ntlm authentication on outlook
anywhere with ntlm auth is ISA, and this article describes which
parameters you must set for this to work:

http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=17

The main parameters are :

. accept all users
And
. No delegation but client may authenticate directly

So the proxy acts "directly" and sends credentials as if it was the client.

I think squid has to act exactly like ISA to make ntlm auth work, dunno
if it's possible as ISA is a windows proxy server and surely more
comfortable with compatibility.

Regards

Clem

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Thursday, 8 March 2012 14:29
To: Clem
Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
ii6 exchange2007 with ntlm

On 9/03/2012 2:08 a.m., Clem wrote:
> Ok Amos so we go back to the same issues; as I told you, I have tested all I
> could with the latest 3.2 beta versions before.
>
> So I'm going back to the type-1 ntlm message issue (see my last messages
> with this subject)
>
> And my last question was :
>
>> I think the link SQUID -> IIS6 RPC PROXY is represented by the
>> cache_peer line on my squid.conf, and I don't know if
>> client_persistent_connections
> and
>> server_persistent_connections parameters affect cache_peer too ?

It does.

Amos
Received on Wed Mar 14 2012 - 10:33:07 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 16 2012 - 12:00:04 MDT
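
Added example, not part of the original thread: a small Python helper for the kind of HTTPS analysis described in the first message. It decodes the `NTLM` tokens in the auth headers of a decrypted capture and reports whether the handshake reached type 3 or stopped at type 1. The function names and both sample traces are constructed for illustration.

```python
import base64
import struct

AUTH_HEADERS = {"authorization", "proxy-authorization",
                "www-authenticate", "proxy-authenticate"}

def ntlm_type(value):
    """Return the NTLM message type (1, 2 or 3) in an auth header value, else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # other scheme, or a bare "NTLM" offer with no token
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32 after signature
    return msg_type if msg_type in (1, 2, 3) else None

def handshake_state(trace):
    """trace: ordered (header_name, header_value) pairs taken from one capture."""
    seen = [t for name, value in trace
            if name.lower() in AUTH_HEADERS
            for t in [ntlm_type(value)] if t is not None]
    if seen[-3:] == [1, 2, 3]:
        return "complete"
    if seen and seen[-1] in (1, 2):
        return "stalled after type %d" % seen[-1]
    return "no complete NTLM handshake"

def _sample(msg_type):
    # Constructed minimal token (signature + type + zero padding), not captured traffic.
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode("ascii")

# Constructed traces: one direct to the back end, one through the reverse proxy.
DIRECT = [("Authorization", _sample(1)), ("WWW-Authenticate", _sample(2)),
          ("Authorization", _sample(3))]
VIA_PROXY = [("Authorization", _sample(1)), ("WWW-Authenticate", "NTLM"),
             ("Authorization", _sample(1)), ("WWW-Authenticate", "NTLM")]

if __name__ == "__main__":
    for label, trace in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(label, "->", handshake_state(trace))
```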