Hi,

We are migrating to Exchange from another Exchange-like product, and I still struggle with NTLM authentication for the remote users with Outlook (RPC over HTTPS).

The setup is:
- Firewall with Squid 2.6.18-1ubuntu3 (manually compiled to enable SSL)
- Exchange in the LAN
- Exchange-like product on the firewall, using Apache2 (still in production)

I found some examples on the net to proxy certain URLs to the local Apache and all others to Exchange.
For laptops, this setup works when I use Basic authentication, but that creates annoying password prompts when the laptop user is in the LAN.

Squid.conf:

visible_hostname mail.company.com
persistent_connection_after_error on

###############################################################################
# Exchange 2010

# extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA

# We listen on 195.xxx.xxx.xxx, our primary line
# mail.company.com.crt is an official certificate
https_port 195.xxx.xxx.xxx:443 cert=/etc/ssl/keys/mail.company.com.crt key=/etc/ssl/keys/mail.company.com.pem defaultsite=mail.company.com

# We also listen on 212.xxx.xxx.xxx, a 2nd line for testing ActiveSync on Exchange
# 212.xxx.xxx.xxx.crt is a self generated certificate
https_port 212.xxx.xxx.xxx:443 cert=/etc/ssl/keys/212.xxx.xxx.xxx.crt key=/etc/ssl/keys/212.xxx.xxx.xxx.pem defaultsite=212.xxx.xxx.xxx

# localhost has Apache running, 192.168.xxx.xxx is the Exchange Server
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/ssl/keys/mail.company.com.pem sslkey=/etc/ssl/keys/mail.company.com.pem name=webServer
cache_peer 192.168.xxx.xxx parent 443 0 proxy-only no-query no-digest originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER name=exchangeServer

# Send the ActiveSync on the main line to the local Apache for the Exchange-like product, which is still in use
acl web_url url_regex -i mail.company.com/Microsoft-Server-ActiveSync

# Send the webserver URLs to the webserver
cache_peer_access webServer allow web_url

# Send everything else to the Exchange server
cache_peer_access exchangeServer deny web_url

# This is to protect ourselves
never_direct allow web_url

# settings caching and logging
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
cache_log none
cache_store_log none
debug_options ALL,8
access_log /var/log/squid/access.log squid

###############################################################################
# ACL - required to allow
acl all src 0.0.0.0/0.0.0.0
http_access allow all
miss_access allow all

So far this setup works for ActiveSync via the 2nd line.
Outlook Anywhere (RPC over HTTPS) only gives me this in access.log:

1265109372.999 23 10.11.11.149 TCP_MISS/401 430 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109372.999 20 10.11.11.149 TCP_MISS/401 430 RPC_OUT_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html

Any thoughts on this setup? How to fix NTLM auth for laptop users?

Thanks,
Toni Van Remortel