RE: [squid-users] Reverse proxy for Lync

From: FILHOL Laurent <L.FILHOL_at_seiitra.com>
Date: Wed, 29 Aug 2012 15:32:10 +0000

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Wednesday 29 August 2012 15:01
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Reverse proxy for Lync
>
> On 29/08/2012 9:53 p.m., FILHOL Laurent wrote:
> > Hello all,
> > Is there anyone here who has succeeded in setting up Squid as a reverse
> proxy for MS Lync?
> >
> > I'm trying, but I'm stuck on an issue:
> > Squid seems to block the personal digital cert the Lync server is
> sending to the remote client.
> > I mean, when the client already has this personal cert (because the
> client was previously connected on our internal network and retrieved the
> digital cert), the URLs are accessed and all is fine. But when the client
> doesn't have the digital cert, it can't get it and fails to access the URLs
> :
> > I have no errors in the logs, only these 401 returns from the Lync server:
> > -----------------------------------------------------------
> > 125 90.80.x.x TCP_MISS/200 32633 POST https://lync.toto.com/CertProv/CertProvisioningService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
> > 3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> > 3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
> > 3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> > 3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
> > 7 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> > 3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> > 3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
> > 2040 90.80.x.x TCP_MISS/200 21261 POST https://lync.toto.com/RgsClients/AgentService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
> > -------------------------------------------------------------
>
> That shows Squid apparently relaying requests and responses okay, but the
> Lync server repeatedly requesting authentication.

Yes, apparently relaying requests and responses is okay. BUT when the client has the digital cert, it gets code 200 instead of code 401 for the URLs shown here.
>
> What type of "digital cert" are you talking about and where is it being
> transmitted? ... TLS client cert from client? TLS client cert from
> Squid? SOAP+XML POST body object? custom header object? or
> authentication header credentials?
The Lync server is issuing and sending the digital certificate to the client (an X.509 cert).

>
> >
> > Here is part of my squid.conf
> > ----------------------------------------------------------
> > debug_options ALL,1
> > https_port 10.X.X.X:443 cert=/home/rproxy/certs/certlync.pem key=/home/rproxy/certs/lync.key cafile=/home/rproxy/certs/thawteca.pem vhost
> > ignore_expect_100 on
> > cache_peer lync parent 4443 0 no-query originserver login=PASS connection-auth=off ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=LyncServer
> > acl LyncAcl dstdomain lync
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > cache_peer_access LyncServer allow LyncAcl
> > ----------------------------------------------------------
> >
> > I'm suspecting an issue with authentication, but again I have no proof,
> no error in the logs.
> > If you have an idea on which direction to look, how to get more verbose
> logs, or better :), the solution with the right squid.conf..
> > Thanks,
> > Laurent
> >
>
> Which version of Squid?
Version 3.1.6
> Which authentication type is the Lync server requesting?
Basic authentication
> Is the client presenting any credentials?
Yes, but the username/password typed in isn't taken into account and the credential window keeps coming up over and over.
>
>
> Amos

Is there a way to increase the log level?
Thanks,
Laurent
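As an added example (not part of the thread and not Squid's or Lync's own code), the script below reads Squid native-format access.log lines like the ones quoted above, summarises the HTTP status codes per URL, and flags endpoints that were challenged with 401 repeatedly and never answered with a 2xx, which is what a looping credential prompt looks like from the proxy side. The sample input is the log excerpt from the post, re-joined one entry per line; the function names are my own.

```python
"""Summarise per-URL HTTP status codes from Squid native access.log lines.

Squid's native log format is:
  timestamp elapsed client code/status bytes method URL rfc931 hierarchy/peer type
The lines quoted in the post omit the leading timestamp; both forms are accepted.
"""
from collections import Counter, defaultdict

# Constructed sample input: the access.log lines from the post, re-joined one per line.
SAMPLE_LOG = """\
125 90.80.x.x TCP_MISS/200 32633 POST https://lync.toto.com/CertProv/CertProvisioningService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7607 POST https://lync.toto.com/WebTicket/WebTicketService.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 5809 POST https://lync.toto.com/CertProv/CertProvisioningService.svc - FIRST_UP_PARENT/LyncServer text/html
7 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7604 POST https://lync.toto.com/groupexpansion/service.svc/mex - FIRST_UP_PARENT/LyncServer text/html
2040 90.80.x.x TCP_MISS/200 21261 POST https://lync.toto.com/RgsClients/AgentService.svc/mex - FIRST_UP_PARENT/LyncServer application/soap+xml
"""


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not fit."""
    fields = line.split()
    if len(fields) == 10:          # full native format: drop the leading timestamp
        fields = fields[1:]
    if len(fields) != 9:
        return None
    elapsed, client, result, size, method, url, ident, hierarchy, ctype = fields
    code, _, status = result.partition("/")       # e.g. TCP_MISS/401
    if not status.isdigit():
        return None
    return {
        "elapsed_ms": int(elapsed),
        "client": client,
        "result": code,
        "status": int(status),
        "bytes": int(size),
        "method": method,
        "url": url,
        "peer": hierarchy.partition("/")[2],      # e.g. LyncServer
        "type": ctype,
    }


def summarise(log_text):
    """Map each URL to a Counter of the HTTP status codes it returned."""
    per_url = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_url[rec["url"]][rec["status"]] += 1
    return per_url


def auth_loops(per_url, min_challenges=2):
    """URLs challenged with 401 at least min_challenges times and never answered 2xx.

    A 401 followed by a 2xx is a normal challenge/response. A run of 401s with no
    2xx means the client's credentials are never reaching, or never satisfying,
    the origin server, which is what a looping credential prompt looks like here.
    """
    looping = []
    for url, codes in per_url.items():
        if codes[401] >= min_challenges and not any(200 <= c < 300 for c in codes):
            looping.append(url)
    return sorted(looping)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for url in sorted(summary):
        print(url, dict(summary[url]))
    print("never authenticated:", auth_loops(summary))
```

Run it against a real access.log by passing the file contents to summarise(); with the post's excerpt it reports the two CertProv/WebTicket endpoints and groupexpansion as never getting past 401, while the two /mex endpoints that returned 200 are left out.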
Received on Wed Aug 29 2012 - 15:33:56 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 30 2012 - 12:00:04 MDT