Re: [squid-users] Reverse proxy for Lync

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 30 Aug 2012 01:01:01 +1200

On 29/08/2012 9:53 p.m., FILHOL Laurent wrote:
> Hello all,
> Is there someone here who succeeded in setting up Squid as a reverse proxy for MS Lync?
>
> I'm trying but I'm locked on an issue:
> Squid seems to block the personal digital cert the Lync server is sending to the remote client.
> I mean, when the client has got this personal cert (because the client was already connected on our internal network and retrieved the digital cert), the URLs are accessed, all is fine. But when the client hasn't got the digital cert, it can't get it and fails to access the URLs:
> I haven't got errors in the logs, only these 401 returns from the Lync server:
> -----------------------------------------------------------
> 125 90.80.x.x TCP_MISS/200 32633 POST https://lync.toto.com/CertProv/CertProvisioningService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
> 3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> 3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
> 3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> 3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
> 7 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> 3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> 3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> 2040 90.80.x.x TCP_MISS/200 21261 POST https://lync.toto.com/RgsClients/AgentService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
> -------------------------------------------------------------

Shows Squid apparently relaying requests and responses okay, but the
Lync server repeatedly requesting authentication.

What type of "digital cert" are you talking about and where is it being
transmitted? ... TLS client cert from client? TLS client cert from
Squid? SOAP+XML POST body object? custom header object? or
authentication header credentials?

>
> Here is part of my squid.conf
> ----------------------------------------------------------
> debug_options ALL,1
> https_port 10.X.X.X:443 cert=/home/rproxy/certs/certlync.pem key=/home/rproxy/certs/lync.key cafile=/home/rproxy/certs/thawteca.pem vhost
> ignore_expect_100 on
> cache_peer lync parent 4443 0 no-query originserver login=PASS connection-auth=off ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=LyncServer
> acl LyncAcl dstdomain lync xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> cache_peer_access LyncServer allow LyncAcl
> ----------------------------------------------------------
>
> I'm suspecting an issue with authentication, but again I have no proof, no error in the logs.
> If you have an idea on which direction to look, to get more verbose logs, or better :), the solution with the right squid.conf...
> Thanks,
> Laurent
>

Which version of Squid?
  Which authentication type is the Lync server requesting?
  Is the client presenting any credentials?

Amos
Received on Wed Aug 29 2012 - 13:01:12 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 29 2012 - 12:00:08 MDT
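Two of Amos's questions can be answered from data Laurent already has or can capture: the access.log shows which URL paths never get past the 401, and the WWW-Authenticate header on one of those 401 responses names the scheme the Lync server demands. The script below is an added triage example, not code from the thread or from the Squid project. It parses the log lines Laurent posted (copied here as constructed sample input, with his IP redaction kept; the layout is Squid's native format without the timestamp column), reports paths that only ever return 401, and classifies the schemes in a constructed 401 response as connection-oriented (NTLM, Negotiate, which is what the `connection-auth` option on `cache_peer` governs in Squid) or per-request (Basic, Digest). The sample 401 headers are an assumption for illustration; what Lync really sends has to be read from a capture on the Squid-to-Lync side.

```python
"""Triage helper for a reverse-proxy 401 loop: which paths never authenticate,
and which auth scheme the origin is asking for.  Added example; not from the
Squid project.  The access.log layout assumed is Squid's native format with
the leading timestamp removed, as in the lines quoted in the thread."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: the nine log lines from the post, IP redaction kept.
SAMPLE_LOG = """\
125 90.80.x.x TCP_MISS/200 32633 POST https://lync.toto.com/CertProv/CertProvisioningService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
7 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
2040 90.80.x.x TCP_MISS/200 21261 POST https://lync.toto.com/RgsClients/AgentService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
"""

# Constructed 401 response (assumed headers, for illustration only).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# elapsed client code/status bytes method url user hierarchy/peer mime
LINE_RE = re.compile(
    r"^\s*(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

# Squid treats these schemes as connection-oriented (cache_peer connection-auth).
CONNECTION_ORIENTED = {"ntlm", "negotiate"}


def parse_line(line):
    """Split one access.log line into typed fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    rec["path"] = urlsplit(rec["url"]).path
    return rec


def status_by_path(lines):
    """URL path -> {HTTP status: count}, skipping unparseable lines."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            table[rec["path"]][rec["status"]] += 1
    return {path: dict(counts) for path, counts in table.items()}


def auth_loops(lines):
    """Paths that returned 401 and never any 2xx: the client keeps re-POSTing
    and the origin keeps challenging, so the handshake never completes."""
    return {
        path: counts[401]
        for path, counts in status_by_path(lines).items()
        if 401 in counts and not any(200 <= s < 300 for s in counts)
    }


def challenges(raw_response):
    """Auth scheme tokens from every WWW-Authenticate header of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for header in head.split("\r\n")[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Several challenges may share one header, comma separated; the scheme is
        # the first word of each, and parameters (realm=..., qop=...) carry '='.
        for part in value.split(","):
            words = part.strip().split(None, 1)
            if words and "=" not in words[0]:
                schemes.append(words[0])
    return schemes


def classify(raw_response):
    """Scheme -> 'connection' (state bound to the TCP connection) or 'request'."""
    return {
        s: "connection" if s.lower() in CONNECTION_ORIENTED else "request"
        for s in challenges(raw_response)
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for path, n in auth_loops(lines).items():
        print(f"401 only, {n} attempts: {path}")
    print("origin challenges:", classify(SAMPLE_401))
```

Run against a real access.log and a captured 401, the output tells you whether the origin is offering a connection-oriented scheme; if it is, the `connection-auth=off` on the `cache_peer` line is the setting that controls passthrough of exactly those schemes and is worth revisiting, though the thread does not establish that this is Laurent's actual fault.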