Just a thought - it's something I haven't implemented, but it might be worth you looking into (and hey, if it's useful to you let me know): I did read along the way that you can use SSH to do a port forward to the proxy server (there are some write-ups on this indexed in Google). This allows you to secure the connection to the proxy. Although it wasn't specified in those articles, it seems reasonable to consider the possibility of maintaining user authentication through SSH. You could even require a client certificate, thus avoiding passwords altogether while maintaining relative security. Again, I haven't thought it out completely, just tossing out an idea for you to look into.

David

-----Original Message-----
From: Matt Richards [mailto:matt@xxxxxxxxxxxxx]
Sent: Friday, March 26, 2010 4:17 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Windows Authentication Helper client

Hello,

Does anybody know of any technique or application that will allow Windows machines (XP and 7) to authenticate against a proxy when applications don't support proxy authentication?

What I am looking for is an alternative to Novell's Client Trust. It's an application that sits in the system tray, and when a user attempts to use the proxy, the proxy connects back to the IP address of the requesting machine on a specific port and talks to the Client Trust application to establish what user is logged on to the machine.

At the moment we have a number of authentication mechanisms set up, including Kerberos, NTLM, Basic and a web-based login form if the machine is not a member of our domain or is logged into a guest account. This all works well most of the time, but there are a few cases where the software just fails to work when it tries to connect, and pointing the machine (IE or the software) at a proxy that doesn't require authentication works without issue. It also works if the machine is logged in as our guest user and the user authenticates to the web form, as this doesn't require the software to authenticate: the proxy knows to map that IP address to the authenticated user.

I have looked through the internet and thought about this for a while now, and I still haven't really been able to come up with anything that doesn't involve writing our own application for the workstation and an authentication helper for Squid. My programming skills are basic.

There was one thought I had, which was to write scripts to add an entry in a database (memcache) after a request for a page following a successful login, and then check this database in one of the steps in attempting to identify the user. I would probably use storeurl_rewrite_program to update the database. The only issues with this are working out what I would set the timeout to (users bounce around machines here quite a lot), whether this would slow down the proxy too much (~120 requests per second for each proxy), and, if the application is an exam application (downloads content, no network usage for 40 mins while they answer questions, then uploads the results), that it times out before the upload. Also, for this to work they will have to request content and successfully authenticate before they will have a cache entry.

Sorry for the long email; if anybody has any ideas I would really like to hear about them.

Cheers,
Matt.
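The IP-to-user cache Matt describes, as an added example that is not part of the original thread: a Squid external ACL helper (wired in with external_acl_type rather than storeurl_rewrite_program) that answers "OK user=..." when the requesting client IP has a recent web-form login on record, with a sliding idle timeout so a quiet stretch shorter than the timeout (such as the 40-minute exam gap) keeps the mapping alive, plus an absolute lifetime cap for shared machines. The in-memory dict, the two timeouts, the helper path, the IP addresses and the usernames are all assumptions standing in for memcache and real data; in a deployment the login form would write to the shared store and the helper would read from it.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map client IP -> user from recent web-form logins.

Assumed squid.conf wiring (helper path is hypothetical):
    external_acl_type ipuser ttl=60 negative_ttl=5 %SRC /usr/local/bin/ipuser_helper.py
    acl ipuser_ok external ipuser
    http_access allow ipuser_ok

Squid writes one line per lookup ("<SRC>" or, with concurrency=N,
"<channel-id> <SRC>") and expects "OK [user=NAME]" or "ERR" back.
"""
import sys
import time

IDLE_TIMEOUT = 45 * 60    # assumption: seconds of inactivity before a mapping expires
MAX_LIFETIME = 8 * 3600   # assumption: absolute cap so a shared PC cannot inherit a user all day

# Assumption: a plain dict stands in for memcache. Keyed by client IP,
# value = (user, first_seen, last_seen) as Unix timestamps.
_sessions = {}


def record_login(ip, user, now=None):
    """Called by the web login form after a successful authentication."""
    now = time.time() if now is None else now
    _sessions[ip] = (user, now, now)


def lookup(ip, now=None):
    """Return the user mapped to ip, or None if unknown or expired.

    A hit refreshes last_seen (sliding idle window); an expired entry is
    dropped so a later login on the same machine starts clean.
    """
    now = time.time() if now is None else now
    entry = _sessions.get(ip)
    if entry is None:
        return None
    user, first_seen, last_seen = entry
    if now - last_seen > IDLE_TIMEOUT or now - first_seen > MAX_LIFETIME:
        del _sessions[ip]
        return None
    _sessions[ip] = (user, first_seen, now)
    return user


def handle_line(line, now=None):
    """Turn one Squid request line into the helper's reply line."""
    parts = line.strip().split()
    if not parts:
        return "ERR"
    if len(parts) >= 2:           # concurrency enabled: "<channel> <SRC>"
        prefix, ip = parts[0] + " ", parts[1]
    else:                         # no concurrency: "<SRC>"
        prefix, ip = "", parts[0]
    user = lookup(ip, now)
    if user is None:
        return prefix + "ERR"
    return prefix + "OK user=" + user


def main():
    # Constructed logins so the helper has something to answer when run by hand:
    record_login("10.0.0.5", "mrichards")
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()       # Squid waits on each reply; never buffer


if __name__ == "__main__":
    main()
```

Try it with `printf '10.0.0.5\n10.0.0.9\n' | ./ipuser_helper.py` to see one OK and one ERR. Squid's own `ttl=` on the external_acl_type line caches positive answers, so the helper is not called on every one of the ~120 requests per second; keep that ttl well below IDLE_TIMEOUT or a logged-out machine stays authorised until Squid's cache entry dies.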