RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Clem <clemfree_at_free.fr>
Date: Tue, 27 Mar 2012 10:31:24 +0200

Hi Amos,

Administrateur is the French AD name for Administrator :)

-> Also, originserver is a bit magic. login= + originserver will erase
*www-auth* headers as well and place Basic auth credentials in the www-auth (origin server auth) header.

I'm ok with that, because I want squid to auth in basic at first!

-> This is a confusing definition for the ACL *name* "0.0.0.0".

  IPv4 0.0.0.0 is 0.0.0.0/32 (single IP address)

  ACL magic "all" token defines IPv4 0.0.0.0/0 plus IPv6 ::/0

Thanks for the info, I've modified my cfg.

But I still have the issue with Windows 7: TCP MISS 200 in the logs, and "server is unavailable" in Outlook, whereas with XP that works.

Regards

Clem

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday 27 March 2012 04:02
To: squid-users_at_squid-cache.org
Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 27.03.2012 01:31, Clem wrote:
> Hi Guido,
>
> I've installed the latest release of 3.1.19 (squid-3.1.19-20120325-r10444),
> and I have the same error when connecting with Windows 7, server is
> unavailable; the difference is I don't have badrequest and
> Connection_Dropped DefaultAppPool in the IIS6 httperr log.
>
> The only thing I can see in the logs is TCP MISS 200, in squid and IIS.
>
> With XP clients, that works …
>
> Here is my squid.conf :
>
> ----------------------------------------->
>
> visible_hostname external_mail_url
> ignore_expect_100 on
> request_header_access Accept-Encoding deny all
> debug_options ALL,1
> https_port ip_of_squid:443 accel \
>   cert=/usr/local/squid/etc/certifs/cert.pem \
>   cafile=/usr/local/squid/etc/certifs/ca_cert.pem \
>   defaultsite=external_mail_url
> cache_peer ip_of_exchange parent 443 0 no-query proxy-only \
>   name=owaserver originserver ssl sslflags=DONT_VERIFY_PEER \
>   login=DOMAIN\Administrateur:adminpassword \

Is this actually "Administrateur", or a typo of the US-centric "Administrator"?

Also, originserver is a bit magic. login= + originserver will erase
*www-auth* headers as well and place Basic auth credentials in the www-auth (origin server auth) header.

> sslcert=/usr/local/squid/etc/certifs/cert.pem
> sslcafile=/usr/local/squid/etc/certifs/ca_cert.pem
> acl 0.0.0.0 src all

This is a confusing definition for the ACL *name* "0.0.0.0".

  IPv4 0.0.0.0 is 0.0.0.0/32 (single IP address)

  ACL magic "all" token defines IPv4 0.0.0.0/0 plus IPv6 ::/0

> acl owa dstdomain external_mail_url
> cache_peer_access owaserver allow owa
> never_direct allow owa
> http_access allow owa
> http_access deny all
> miss_access allow owa
> miss_access deny all
>
> ----------------------------------------->
>
> On exchange, outlook anywhere (rpcproxy) is on basic and ntlm for IIS
> auth, for client auth, only ntlm. With XP, squid auths in basic then
> the client auths in ntlm, and that works. In windows7, after a long time
> I've got this issue:
> server is unavailable.
>
> I don't know what's happening, I think perhaps it's an http1.1 or 1.2
> issue.
>
> Thanks,
>
> Clem
>
> -------- Original Message --------
> Subject:
> R: R: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc
> proxy ii6 exchange2007 with ntlm
> Date:
> Sun, 25 Mar 2012 17:28:25 +0000
> From:
> Guido Serassio <guido.serassio_at_acmeconsulting.it>
> To:
> Clem <clemfree_at_free.fr>
>
> Hi,
>
> Don't forget to apply the changes listed in this discussion:
> http://www.squid-cache.org/mail-archive/squid-dev/201101/0124.html
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Silver Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.serassio_at_acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
>> -----Original Message-----
>> From: Clem [mailto:clemfree_at_free.fr]
>> Sent: Sunday 25 March 2012 15.33
>> To: Guido Serassio
>> Subject: Re: R: TR: TR: [squid-users] https analyze, squid rpc proxy
>> to rpc proxy ii6 exchange2007 with ntlm
>>
>> Hi Guido !
>>
>> Thank you very much for your answer! I'm using 3.2.0.16, I'll test
>> with 3.1.19 then!
>>
>> Have a good day
>>
>> Clem
>>
>> On 25/03/2012 14:19, Guido Serassio wrote:
>> > Hi Clem,
>> >
>> > I have already verified that Windows Vista and 7 talk differently
>> > to Exchange.
>> > The patched 3.1.19 build fixed my problem, and also Mac EWS clients
>> > seem to almost work.
>> > I'm waiting for 3.2 STABLE before running new tests on it.
>> >
>> > Regards
>> >
>> > Guido Serassio
>> > Acme Consulting S.r.l.
>> > Microsoft Silver Certified Partner
>> > VMware Professional Partner
>> > Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
>> > Tel. : +39.011.9530135 Fax. : +39.011.9781115
>> > Email: guido.serassio_at_acmeconsulting.it
>> > WWW: http://www.acmeconsulting.it
>> >
>> >
>> >> -----Original Message-----
>> >> From: Clem [mailto:clemfree_at_free.fr]
>> >> Sent: Friday 23 March 2012 15.48
>> >> To: squid-users_at_squid-cache.org
>> >> Subject: RE: TR: TR: [squid-users] https analyze, squid rpc proxy
>> >> to rpc proxy ii6 exchange2007 with ntlm
>> >>
>> >> Back with my windows7 test, and it failed ... I dunno exactly why,
>> >> but it times out with a "server is unavailable".
>> >>
>> >> In my IIS httperr log I have :
>> >>
>> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6004 400 1 BadRequest DefaultAppPool
>> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6001 400 1 Connection_Dropped DefaultAppPool
>> >>
>> >> Ok with XP, not with Windows 7 and Vista I guess
>> >>
>> >> Can you help me with this ?
>> >> Thx
>> >>
>> >> Clem
>> >>
>> >> -----Original Message-----
>> >> From: Clem [mailto:clemfree_at_free.fr]
>> >> Sent: Thursday 22 March 2012 21:40
>> >> To: squid-users_at_squid-cache.org
>> >> Subject: Re: TR: TR: [squid-users] https analyze, squid rpc proxy
>> >> to rpc proxy ii6 exchange2007 with ntlm
>> >>
>> >> For info, I'm using squid 3.2016 beta, exchange 2007 sp3 and a test
>> >> client on XP, I'll test a client on windows7.
>> >>
>> >> No config for blackberry devices, they don't use activesync but the
>> >> connection to the blackberry server directly connected to our
>> >> exchange.
>> >>
>> >>
>> >>
>> >> On 22/03/2012 15:50, Clem wrote:
>> >>> I've tested activesync with this tool
>> >>> https://store.accessmylan.com/main/diagnostic-tools , all is OK! I
>> >>> will be able to put my front-end squid proxy for exchange 2007 in
>> >>> production soon!
>> >>>
>> >>> -----Original Message-----
>> >>> From: Clem [mailto:clemfree_at_free.fr]
>> >>> Sent: Thursday 22 March 2012 14:40
>> >>> To: 'Clem'; 'squid-users_at_squid-cache.org'
>> >>> Cc: 'Amos Jeffries'; 'squid-users_at_squid-cache.org'
>> >>> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to
>> >>> rpc proxy ii6 exchange2007 with ntlm
>> >>>
>> >>> Forgot the powershell command:
>> >>>
>> >>> get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm
>> >>>
>> >>> Info here:
>> >>>
>> >>> http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/
>> >>>
>> >>> -----Original Message-----
>> >>> From: Clem [mailto:clemfree_at_free.fr]
>> >>> Sent: Thursday 22 March 2012 14:32
>> >>> To: squid-users_at_squid-cache.org
>> >>> Cc: Amos Jeffries; squid-users_at_squid-cache.org
>> >>> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to
>> >>> rpc proxy ii6 exchange2007 with ntlm
>> >>>
>> >>> Hello all
>> >>>
>> >>> I'm glad to inform you that I have found a workaround solution for
>> >>> outlook anywhere clients via NTLM.
>> >>> I really didn't want to change any config of my clients' outlook,
>> >>> which are actually configured on NTLM auth via Outlook RPC Proxy
>> >>> settings.
>> >>>
>> >>> Outlook Anywhere is configured in NTLM.
>> >>>
>> >>> Recently I have found that the main problem with squid was the
>> >>> double hop NTLM.
>> >>>
>> >>> So I thought of a different way: NTLM client credentials -> SQUID
>> >>> -> Basic Squid Auth -> IIS RPC PROXY -> NTLM client credentials
>> >>> carried by squid -> Outlook Anywhere
>> >>>
>> >>> And that works!! The trick is to enable both "Integrated Windows
>> >>> Authentication" (NTLM) AND "Basic authentication" on the Rpc
>> >>> virtual directory of IIS (6 for my own).
>> >>> On Squid you have to use login:DOMAIN\user:password to send a
>> >>> credential that can auth (I have used the Admin one). Dunno if it's
>> >>> secure to use the AD admin user/pass directly in squid.conf?
>> >>> Anyway that works so I'll continue to test now with that config.
>> >>>
>> >>> Now I've to test activesync with an iPhone, and after with my
>> >>> Blackberry Server Express.
>> >>>
>> >>> I can paste you some of my configurations if you need
>> >>>
>> >>> Regards
>> >>>
>> >>> Clem
>> >>>
>> >>>
>> >>>
>> >>> -----Original Message-----
>> >>> From: Guido Serassio [mailto:guido.serassio_at_acmeconsulting.it]
>> >>> Sent: Sunday 18 March 2012 12:36
>> >>> To: clemfree_at_free.fr
>> >>> Cc: Amos Jeffries; squid-users_at_squid-cache.org
>> >>> Subject: R: TR: [squid-users] https analyze, squid rpc proxy to
>> >>> rpc proxy ii6 exchange2007 with ntlm
>> >>>
>> >>> Hi Clem,
>> >>>
>> >>> Currently it seems that a fully working Open Source reverse proxy
>> >>> solution for Exchange 2007 and 2010 is not available.
>> >>>
>> >>> Squid is really near to being fully functional, but there are still
>> >>> some problems.
>> >>> Look at my comments in this bug:
>> >>> http://bugs.squid-cache.org/show_bug.cgi?id=3141
>> >>>
>> >>> Currently I'm running a patched Squid 3.1.19 with http 1.1 support
>> >>> enabled in front of an Exchange 2010 Server.
>> >>> RPC over HTTPS seems to work fine, while EWS from Apple and
>> >>> BlackBerry clients is still problematic.
>> >>>
>> >>> I have tried also to use 3.2, but things seem to be worse: RPC
>> >>> doesn't work at all.
>> >>>
>> >>> Regards
>> >>>
>> >>> Guido Serassio
>> >>> Acme Consulting S.r.l.
>> >>> Microsoft Silver Certified Partner
>> >>> VMware Professional Partner
>> >>> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
>> >>> Tel. : +39.011.9530135 Fax. : +39.011.9781115
>> >>> Email: guido.serassio_at_acmeconsulting.it
>> >>> WWW: http://www.acmeconsulting.it
>> >>>
>> >>>
>> >>>> -----Original Message-----
>> >>>> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
>> >>>> Sent: Friday 16 March 2012 11.54
>> >>>> To: squid-users_at_squid-cache.org
>> >>>> Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to
>> >>>> rpc proxy ii6 exchange2007 with ntlm
>> >>>>
>> >>>> On 14/03/2012 11:32 p.m., Clem wrote:
>> >>>>> Hello,
>> >>>>>
>> >>>>> Ok so I know exactly why squid can't forward ntlm credentials
>> >>>>> and stops at type1. It's facing the double hop issue, ntlm
>> >>>>> credentials can be sent only on one hop, and are lost with 2 hops
>> >>>>> like: client -> squid (hop1) -> IIS6 rpc proxy (hop2) -> exchange
>> >>>>> 2007
>> >>>>>
>> >>>>> That's why when I connect directly to my iis6 rpc proxy that works
>> >>>>> and when I connect through squid it requests login/pass again and
>> >>>>> again. And we can clearly see that on https analyzes.
>> >>>>>
>> >>>>> ISA server has a workaround for this double hop issue as I wrote
>> >>>>> in my last mail, I don't know if squid can act like this.
>> >>>>>
>> >>>>> I'm searching atm how to set iis6 perhaps to resolve this
>> >>>>> problem, but I don't want to "break" my exchange so I've to do my
>> >>>>> tests very carefully
>> >>>> Cheers. I've added a mention of this to the NTLM issues wiki page
>> >>>> now for others to find along with the archive of these messages.
>> >>>>
>> >>>> Amos
>> >
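An added check for the three configuration points raised in this thread (Amos's note on the ACL named "0.0.0.0", the `sslflags=DONT_VERIFY_PEER` option, and Clem's question about putting the AD admin password in squid.conf). This is example code written for this page, not Squid's code or anyone's from the thread; the configuration text is a constructed excerpt of the quoted squid.conf, and the parser only handles the directive shapes that excerpt uses.

```python
import re

# Constructed excerpt of the squid.conf quoted in this thread, written with
# the backslash line continuations Squid accepts (not the poster's exact file).
SAMPLE_CONF = r"""
visible_hostname external_mail_url
cache_peer ip_of_exchange parent 443 0 no-query proxy-only \
  name=owaserver originserver ssl sslflags=DONT_VERIFY_PEER \
  login=DOMAIN\Administrateur:adminpassword \
  sslcert=/usr/local/squid/etc/certifs/cert.pem
acl 0.0.0.0 src all
acl owa dstdomain external_mail_url
"""


def join_continuations(text):
    """Fold backslash-continued lines into one logical line, as Squid's parser does."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1].rstrip() + " " + raw.strip()
        else:
            lines.append(raw.strip())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def review_squid_conf(text):
    """Return (object, finding) pairs for the review points raised in the thread."""
    findings = []
    for line in join_continuations(text):
        words = line.split()
        if words[0] == "cache_peer":
            # key=value options; bare flags such as 'originserver' carry no '='
            opts = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            peer = opts.get("name", words[1])
            login = opts.get("login", "")
            if ":" in login:  # user:password (or *:password) stored in the file
                user = login.split(":", 1)[0]
                findings.append((peer, f"static credentials for {user} in squid.conf; "
                                       "sent to the peer as HTTP Basic"))
            if "DONT_VERIFY_PEER" in opts.get("sslflags", "").split(","):
                findings.append((peer, "peer TLS certificate is not verified"))
        elif words[0] == "acl" and len(words) > 1 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", words[1]):
            findings.append((words[1], "ACL name looks like an IP address"))
    return findings


if __name__ == "__main__":
    for obj, msg in review_squid_conf(SAMPLE_CONF):
        print(f"{obj}: {msg}")
```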
Received on Tue Mar 27 2012 - 08:31:33 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 28 2012 - 12:00:04 MDT