Hi,

We've got a peculiar problem which no matter what, I can't find any solution to. I'm hoping that somebody out there has had a similar experience and will be able to say "oh, that's easy!".

Our site is trying to access flash videos on website http://www.healthtalkonline.org/Bones_joints/Rheumatoid_Arthritis/Topic/2209/Interview/1499/Clip/9712. Any PC sitting behind our firewall gets a connection error when trying to play the videos.

As an experiment, I have taken a PC and put the PC in the DMZ along with squid. I'll call the squid server box A and the PC box B.

Experiment 1.
Setup: Browser on box B talks to the correct port for squid on box A; box B's IP address is NATed to be visible to the outside world.
Result: internet access to any URL is working; videos are playable on box B.
Conclusion: setup works fine when box B's private IP is made public.

Experiment 2.
Setup: Browser on box B talks to an incorrect port for squid on box A; box B's IP address is NATed to be visible to the outside world.
Result: no internet access is possible on box B.
Conclusion: by only changing the port number of the proxy, we can rule out any "user" errors in messing up the proxy settings. Internet no longer works, therefore the browser is correctly enforcing port 80 to go via squid.

Experiment 3.
Setup: Browser on box B talks to the correct port for squid on box A; NATing is removed such that box B's IP address is no longer visible to the outside world.
Result: internet access to any URL is working; videos are no longer playable on box B (connection error is the message in the flash player window).
Conclusion: when box B's private IP is hidden, we can access any URL, but once the flash movie starts, some additional routing appears to take place from the flash server to the private IP of box B (which is no longer visible).

I've done lots of searching and come up with various (potentially misleading) scenarios as to why this isn't working.
My main theory is that this site is taking box B's private IP address and attempting to talk back to this private IP address for Flash content only on this particular website, and not the incoming NAT of the firewall. Looking around I've seen various references made to NAT-T, especially VOIP over NAT failing. I've also found an article suggesting that squid doesn't handle HTTP 1.0 forms correctly (the header of the packets coming across contain the words "HTTP 1.0 POST").

It could be that we're stumped; as this only affects one website that we know of so far, I suspect that the squid developers (great bunch of people!) won't have cause to experience this issue yet.

Any help appreciated.

PS I've tried squid 2.5, 2.6 and 2.7 with different configs from default to restrictive to allow everything through.

Jason Walton