RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Clem <clemfree_at_free.fr>
Date: Mon, 26 Mar 2012 14:31:57 +0200

Hi Guido,

I've installed the latest release of 3.1.19 (squid-3.1.19-20120325-r10444), and
I have the same error when connecting with Windows 7, "server is unavailable";
the difference is that I don't have BadRequest and Connection_Dropped
DefaultAppPool in the IIS6 httperr log.

The only thing I can see in the logs is TCP_MISS/200, in Squid and in IIS.

With XP clients, that works …

Here is my squid.conf :

----------------------------------------->

visible_hostname external_mail_url
ignore_expect_100 on
request_header_access Accept-Encoding deny all
debug_options ALL,1

# Client-facing HTTPS listener in accelerator (reverse proxy) mode
https_port ip_of_squid:443 accel \
    cert=/usr/local/squid/etc/certifs/cert.pem \
    cafile=/usr/local/squid/etc/certifs/ca_cert.pem \
    defaultsite=external_mail_url

# Exchange RPC proxy (IIS6) as TLS origin server.
# login= is a static Basic credential Squid presents to the peer; it sits in
# cleartext in squid.conf (a domain admin account is used here).
# DONT_VERIFY_PEER disables certificate verification of the Exchange side.
cache_peer ip_of_exchange parent 443 0 no-query proxy-only originserver \
    name=owaserver ssl sslflags=DONT_VERIFY_PEER \
    login=DOMAIN\Administrateur:adminpassword \
    sslcert=/usr/local/squid/etc/certifs/cert.pem \
    sslcafile=/usr/local/squid/etc/certifs/ca_cert.pem

acl 0.0.0.0 src all
acl owa dstdomain external_mail_url
cache_peer_access owaserver allow owa
never_direct allow owa
http_access allow owa
http_access deny all
miss_access allow owa
miss_access deny all

----------------------------------------->

On Exchange, Outlook Anywhere (RpcProxy) is set to Basic and NTLM for IIS
authentication, and to NTLM only for client authentication. With XP, Squid
authenticates in Basic, then the client authenticates in NTLM, and that works.
On Windows 7, after a long time I get this issue: server is unavailable.

I don't know what's happening; I think perhaps it's an HTTP 1.1 or 1.2 issue.

Thanks,

Clem

-------- Original message --------
Subject:
R: R: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
exchange2007 with ntlm
Date:
Sun, 25 Mar 2012 17:28:25 +0000
From:
Guido Serassio <guido.serassio_at_acmeconsulting.it>
To:
Clem <clemfree_at_free.fr>

Hi,

Don't forget to apply the changes listed in this discussion:
http://www.squid-cache.org/mail-archive/squid-dev/201101/0124.html

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135               Fax. : +39.011.9781115
Email: guido.serassio_at_acmeconsulting.it
WWW: http://www.acmeconsulting.it

> -----Original message-----
> From: Clem [mailto:clemfree_at_free.fr]
> Sent: Sunday 25 March 2012 15:33
> To: Guido Serassio
> Subject: Re: R: TR: TR: [squid-users] https analyze, squid rpc proxy to
> rpc proxy ii6 exchange2007 with ntlm
>
> Hi Guido!
>
> Thank you very much for your answer! I'm using 3.2.0.16, I'll test
> with 3.1.19 then!
>
> Have a good day
>
> Clem
>
> On 25/03/2012 14:19, Guido Serassio wrote:
> > Hi Clem,
> >
> > I have already verified that Windows Vista and 7 talk differently to
> > Exchange.
> > The patched 3.1.19 build fixed my problem, and Mac EWS clients also
> > seem to almost work.
> > I'm waiting for 3.2 STABLE before running new tests on it.
> >
> > Regards
> >
> > Guido Serassio
> > Acme Consulting S.r.l.
> > Microsoft Silver Certified Partner
> > VMware Professional Partner
> > Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> > Tel. : +39.011.9530135               Fax. : +39.011.9781115
> > Email: guido.serassio_at_acmeconsulting.it
> > WWW: http://www.acmeconsulting.it
> >
> >
> >> -----Original message-----
> >> From: Clem [mailto:clemfree_at_free.fr]
> >> Sent: Friday 23 March 2012 15:48
> >> To: squid-users_at_squid-cache.org
> >> Subject: RE: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc
> >> proxy ii6 exchange2007 with ntlm
> >>
> >> Back with my Windows 7 test, and it failed... I don't know exactly why, but
> >> it times out with a "server is unavailable".
> >>
> >> In my IIS httperr log I have :
> >>
> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6004 400 1 BadRequest
> >> DefaultAppPool
> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6001 400 1
> >> Connection_Dropped DefaultAppPool
> >>
> >> OK with XP, not with Windows 7 and Vista I guess
> >>
> >> Can you help me with this ?
> >> Thx
> >>
> >> Clem
> >>
> >> -----Original message-----
> >> From: Clem [mailto:clemfree_at_free.fr]
> >> Sent: Thursday 22 March 2012 21:40
> >> To: squid-users_at_squid-cache.org
> >> Subject: Re: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc
> >> proxy ii6 exchange2007 with ntlm
> >>
> >> For info, I'm using Squid 3.2.0.16 beta, Exchange 2007 SP3 and a test
> >> client on XP; I'll test a client on Windows 7.
> >>
> >> No config for BlackBerry devices: they don't use ActiveSync but connect
> >> to the BlackBerry server, which is directly connected to our Exchange.
> >>
> >>
> >>
> >> On 22/03/2012 15:50, Clem wrote:
> >>> I've tested ActiveSync with this tool,
> >>> https://store.accessmylan.com/main/diagnostic-tools , and all is OK! I
> >>> will be able to put my front-end Squid proxy for Exchange 2007 in
> >>> production soon!
> >>>
> >>> -----Original message-----
> >>> From: Clem [mailto:clemfree_at_free.fr]
> >>> Sent: Thursday 22 March 2012 14:40
> >>> To: 'Clem'; 'squid-users_at_squid-cache.org'
> >>> Cc: 'Amos Jeffries'; 'squid-users_at_squid-cache.org'
> >>> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc
> >>> proxy ii6 exchange2007 with ntlm
> >>>
> >>> Forgot the PowerShell command:
> >>>
> >>> get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm
> >>>
> >>> Info here:
> >>>
> >>> http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/
> >>>
> >>> -----Original message-----
> >>> From: Clem [mailto:clemfree_at_free.fr]
> >>> Sent: Thursday 22 March 2012 14:32
> >>> To: squid-users_at_squid-cache.org
> >>> Cc: Amos Jeffries; squid-users_at_squid-cache.org
> >>> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
> >>> ii6 exchange2007 with ntlm
> >>>
> >>> Hello all
> >>>
> >>> I'm glad to inform you that I have found a workaround solution for
> >>> Outlook Anywhere clients via NTLM.
> >>> I really didn't want to change any config of my clients' Outlook, which
> >>> are actually configured for NTLM auth via the Outlook RPC proxy settings.
> >>>
> >>> Outlook Anywhere is configured in NTLM.
> >>>
> >>> Recently I found that the main problem with Squid was the NTLM double
> >>> hop.
> >>>
> >>> So I thought of a different way:
> >>>
> >>>   NTLM client credentials -> SQUID -> Basic Squid auth -> IIS RPC PROXY
> >>>   -> NTLM client credentials carried by Squid -> Outlook Anywhere
> >>>
> >>> And that works!! The trick is to enable both "Integrated Windows
> >>> Authentication" (NTLM) AND "Basic authentication" on the Rpc virtual
> >>> directory of IIS (6 in my case).
> >>> On Squid you have to use login=DOMAIN\user:password to send a credential
> >>> that can authenticate (I have used the Admin one). I don't know if it's
> >>> secure to use the AD admin user/pass directly in squid.conf?
> >>> Anyway, that works, so I'll continue to test now with that config.
> >>>
> >>> Now I have to test ActiveSync with iPhone, and after that my BlackBerry
> >>> Server Express.
> >>>
> >>> I can paste you some of my configurations if you need
> >>>
> >>> Regards
> >>>
> >>> Clem
> >>>
> >>>
> >>>
> >>> -----Original message-----
> >>> From: Guido Serassio [mailto:guido.serassio_at_acmeconsulting.it]
> >>> Sent: Sunday 18 March 2012 12:36
> >>> To: clemfree_at_free.fr
> >>> Cc: Amos Jeffries; squid-users_at_squid-cache.org
> >>> Subject: R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
> >>> exchange2007 with ntlm
> >>>
> >>> Hi Clem,
> >>>
> >>> Currently it seems that a fully working open source reverse proxy
> >>> solution for Exchange 2007 and 2010 is not available.
> >>>
> >>> Squid is really close to being fully functional, but there are still some
> >>> problems.
> >>> Look at my comments in this bug:
> >>> http://bugs.squid-cache.org/show_bug.cgi?id=3141
> >>>
> >>> Currently I'm running a patched Squid 3.1.19 with HTTP/1.1 support enabled
> >>> in front of an Exchange 2010 server.
> >>> RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry
> >>> clients is still problematic.
> >>>
> >>> I have also tried 3.2, but things seem to be worse: RPC doesn't work
> >>> at all.
> >>>
> >>> Regards
> >>>
> >>> Guido Serassio
> >>> Acme Consulting S.r.l.
> >>> Microsoft Silver Certified Partner
> >>> VMware Professional Partner
> >>> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> >>> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> >>> Email: guido.serassio_at_acmeconsulting.it
> >>> WWW: http://www.acmeconsulting.it
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> >>>> Sent: Friday 16 March 2012 11:54
> >>>> To: squid-users_at_squid-cache.org
> >>>> Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc
> >>>> proxy ii6 exchange2007 with ntlm
> >>>>
> >>>> On 14/03/2012 11:32 p.m., Clem wrote:
> >>>>> Hello,
> >>>>>
> >>>>> OK, so I know exactly why Squid can't forward NTLM credentials and
> >>>>> stops at Type 1. It's facing the double hop issue: NTLM credentials
> >>>>> can be sent only over one hop, and are lost with 2 hops like:
> >>>>> client -> squid (hop 1) -> IIS6 rpc proxy (hop 2) -> exchange 2007
> >>>>>
> >>>>> That's why when I connect directly to my IIS6 rpc proxy it works,
> >>>>> and when I connect through Squid it requests login/pass again and
> >>>>> again. And we can clearly see that in the HTTPS analyses.
> >>>>>
> >>>>> ISA Server has a workaround for this double hop issue, as I wrote in
> >>>>> my last mail; I don't know if Squid can act like this.
> >>>>>
> >>>>> I'm searching at the moment for how to set up IIS6 perhaps to resolve
> >>>>> this problem, but I don't want to "break" my Exchange, so I have to
> >>>>> do my tests very carefully
> >>>>
> >>>> Cheers. I've added a mention of this to the NTLM issues wiki page now
> >>>> for others to find, along with the archive of these messages.
> >>>>
> >>>> Amos
> >
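Editor's added example, not code from Squid, IIS or anyone in this thread: a small
model of the two mechanisms the quoted messages describe, the NTLM "double hop"
failure (Clem's "requests login/pass again and again", stuck at Type 1) and the
Basic `login=` workaround in the squid.conf above. It rests on two assumptions that
the thread states only informally: that an NTLM Type1/Type2/Type3 handshake succeeds
only when all three messages travel over the same origin TCP connection, and that a
`cache_peer login=user:pass` entry makes the proxy add a Basic `Authorization` header
only when the client sent none of its own. The names `Origin`, `Proxy` and
`ntlm_client`, the `pin` switch and the credential table are made up for the model.

```python
"""Model of the NTLM double-hop problem and the Basic login= workaround.

Added example, not Squid or IIS code. Assumptions (the editor's, not the thread's):
 - an NTLM Type1 -> Type2 -> Type3 handshake only succeeds when all messages
   travel over ONE origin TCP connection (NTLM authenticates the connection);
 - cache_peer login=user:pass adds "Authorization: Basic ..." only when the
   client sent no Authorization header of its own.
"""
import base64
import itertools

# base64 of b"NTLMSSP\x00" + message-type byte: the prefixes of real NTLM tokens
NTLM_TYPE1 = "TlRMTVNTUAAB"
NTLM_TYPE2 = "TlRMTVNTUAAC"
NTLM_TYPE3 = "TlRMTVNTUAAD"


class Origin:
    """IIS-like RPC proxy: Basic is checked per request; NTLM state is per connection."""

    def __init__(self, basic_users):
        self.basic_users = basic_users      # constructed {user: password} table
        self.challenged = set()             # origin connection ids that sent a Type2

    def handle(self, conn_id, authz):
        """Return (status, www_authenticate) for one request on connection conn_id."""
        if authz is None:
            return 401, "Basic, NTLM"
        scheme, _, token = authz.partition(" ")
        if scheme == "Basic":
            user, _, password = base64.b64decode(token).decode().partition(":")
            if self.basic_users.get(user) == password:
                return 200, ""
        elif scheme == "NTLM":
            if token.startswith(NTLM_TYPE1):
                self.challenged.add(conn_id)
                return 401, "NTLM " + NTLM_TYPE2 + "..."
            if token.startswith(NTLM_TYPE3) and conn_id in self.challenged:
                self.challenged.discard(conn_id)   # Type3 answers the Type2 of THIS connection
                return 200, ""
        return 401, "Basic, NTLM"


class Proxy:
    """Reverse proxy between client and Origin.

    pin=True keeps one origin connection per client connection (what NTLM needs);
    login="user:pass" models Squid's cache_peer login= option (assumption above).
    """

    def __init__(self, origin, pin, login=None):
        self.origin, self.pin, self.login = origin, pin, login
        self.conn_ids = itertools.count(1)
        self.pinned = {}

    def forward(self, client_conn, authz):
        if authz is None and self.login:
            authz = "Basic " + base64.b64encode(self.login.encode()).decode()
        if self.pin:
            origin_conn = self.pinned.setdefault(client_conn, next(self.conn_ids))
        else:
            origin_conn = next(self.conn_ids)  # second hop: a fresh origin connection each time
        return self.origin.handle(origin_conn, authz)


def ntlm_client(proxy, max_rounds=3):
    """Outlook-like client on one client connection: unauthenticated first, then
    NTLM Type1, then Type3. Returns the list of status codes it saw."""
    seen, authz = [], None
    for _ in range(max_rounds):
        status, challenge = proxy.forward("client-1", authz)
        seen.append(status)
        if status == 200:
            break
        if challenge.startswith("NTLM "):
            authz = "NTLM " + NTLM_TYPE3 + "..."   # answer the Type2 challenge
        else:
            authz = "NTLM " + NTLM_TYPE1 + "..."   # (re)start the handshake
    return seen


USERS = {"DOMAIN\\Administrateur": "adminpassword"}   # constructed sample credentials

if __name__ == "__main__":
    # Double hop, no pinning: the Type3 lands on a connection that never saw the
    # Type2, so the origin asks for credentials again and again.
    print("no pin :", ntlm_client(Proxy(Origin(USERS), pin=False), max_rounds=5))
    # Same origin, but the proxy keeps connection affinity: the handshake completes.
    print("pinned :", ntlm_client(Proxy(Origin(USERS), pin=True)))
    # The login= workaround: the proxy injects Basic and IIS accepts the first request.
    print("login= :", ntlm_client(Proxy(Origin(USERS), pin=False,
                                        login="DOMAIN\\Administrateur:adminpassword")))
```

The `no pin` run reproduces the loop Clem describes; the `login=` run shows why the
workaround succeeds at the HTTP layer without any NTLM handshake reaching the origin.
The price, which Clem already asks about, is a static credential in squid.conf, with
whatever rights that account has on IIS.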
Received on Mon Mar 26 2012 - 12:32:04 MDT

This archive was generated by hypermail 2.2.0 : Tue Mar 27 2012 - 12:00:03 MDT