
Re: TR: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm


 



For info, I'm using Squid 3.2016 beta, Exchange 2007 SP3 and a test client on XP; I'll test a client on Windows 7.

No config for BlackBerry devices: they don't use ActiveSync but the connection to the BlackBerry server, which is directly connected to our Exchange.



On 22/03/2012 15:50, Clem wrote:
I've tested activesync with this tool
https://store.accessmylan.com/main/diagnostic-tools , all is OK ! I will be
able to put my front-end squid proxy for exchange 2007 in production soon !


-----Original Message-----
From: Clem [mailto:clemfree@xxxxxxx]
Sent: Thursday 22 March 2012 14:40
To: 'Clem'; 'squid-users@xxxxxxxxxxxxxxx'
Cc: 'Amos Jeffries'; 'squid-users@xxxxxxxxxxxxxxx'
Subject: RE: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Forgot the powershell command :

get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm

Infos there :
http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/

-----Original Message-----
From: Clem [mailto:clemfree@xxxxxxx]
Sent: Thursday 22 March 2012 14:32
To: squid-users@xxxxxxxxxxxxxxx
Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: RE: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Hello all

I'm glad to inform you that I have found a workaround solution for the Outlook
Anywhere client via NTLM.
I really didn't want to change any config of my clients outlook, who are
actually configured on NTLM auth via Outlook RPC Proxy settings.

Outlook Anywhere is configured in NTLM.

Recently I have found that the main problem with squid was the double hop
NTLM.

So I thought of a different way :  NTLM Clients credentials ->  SQUID ->  Basic
Squid Auth ->  IIS RPC PROXY ->  NTLM client Credentials carried by squid ->
Outlook Anywhere

And that works !! The trick is to enable both "Integrated Windows
Authentication" (NTLM) AND "Basic authentication" on the Rpc virtual
directory of IIS (6 for my own).
On Squid you have to use login:DOMAIN\user:password to send a credential
that can auth (I have used Admin one). Dunno if it's secure to use AD admin
user/pass directly in squid.conf ?
Anyway that works so I'll continue to test now with that config.

Now I've to test ActiveSync with iPhone, and after with my Blackberry Server
Express.

I can paste you some of my configurations if you need

Regards

Clem



-----Original Message-----
From: Guido Serassio [mailto:guido.serassio@xxxxxxxxxxxxxxxxx]
Sent: Sunday 18 March 2012 12:36
To: clemfree@xxxxxxx
Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: R: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Hi Clem,

Currently it seems that a fully working reverse Proxy Open Source solution
for Exchange 2007 and 2010 is not available.

Squid is really near to being fully functional, but there are still some
problems.
Look at my comments in this bug:
http://bugs.squid-cache.org/show_bug.cgi?id=3141

Currently I'm running a patched Squid 3.1.19 with http 1.1 support enabled
in front of an Exchange 2010 Server.
RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry
clients is still problematic.

I have also tried to use 3.2, but things seem to be worse: RPC doesn't work
at all.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135               Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it


-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Friday 16 March 2012 11.54
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 14/03/2012 11:32 p.m., Clem wrote:
Hello,

Ok so I know exactly why squid can't forward ntlm credentials and stops at
type1. It's facing the double hop issue: ntlm credentials can be sent on only
one hop, and are lost with 2 hops like: client -> squid (hop1) -> IIS6
rpc proxy (hop2) -> exchange 2007

That's why when I connect directly to my iis6 rpc proxy that works, and when
I connect through squid that requests login/pass again and again. And we can
clearly see that on https analyzes.

ISA server has a workaround for this double hop issue, as I have written in
my last mail; I don't know if squid can act like this.

I'm searching atm how to set iis6 perhaps to resolve this problem,
but I don't want to "break" my exchange so I've to do my tests very
carefully.

Cheers. I've added a mention of this to the NTLM issues wiki page now
for others to find along with the archive of these messages.

Amos
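
Added example, not part of the original thread and not code from the Squid project: the workaround above stores an AD account's password on the proxy, so this audit lists every cache_peer line that embeds static credentials and flags a config file readable beyond its owner. It assumes Squid's `cache_peer ... login=user:password` option syntax; the sample config, host names, account and the "admin" name heuristic are constructed for illustration.

```python
import re
import stat

# Constructed sample; host names, account and password are placeholders.
SAMPLE_CONF = r"""
# front-end for the IIS Rpc virtual directory
cache_peer exch.example.local parent 443 0 no-query originserver ssl login=EXAMPLE\Administrator:Passw0rd! name=rpcproxy
cache_peer owa.example.local parent 443 0 no-query originserver ssl login=PASS name=owa
"""

# login= values that relay the client's own credentials, no stored secret
RELAY_MODES = {"PASS", "PASSTHRU", "NEGOTIATE"}
# Heuristic for privileged account names; tune to local naming rules.
PRIVILEGED = re.compile(r"admin", re.IGNORECASE)


def audit_cache_peer_logins(conf_text):
    """Return one finding per cache_peer line that embeds a static password."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split()
        # Comment lines start with '#', so their first token is never cache_peer.
        if len(tokens) < 2 or tokens[0] != "cache_peer":
            continue
        for tok in tokens[2:]:
            if not tok.startswith("login="):
                continue
            value = tok[len("login="):]
            if value in RELAY_MODES or value.startswith("NEGOTIATE:"):
                continue
            user, sep, password = value.partition(":")
            if not sep or not password:
                continue
            findings.append({
                "line": lineno,
                "peer": tokens[1],
                "user": user,  # the password is deliberately not recorded
                "privileged": bool(PRIVILEGED.search(user)),
            })
    return findings


def readable_beyond_owner(mode):
    """True if the file mode lets group or other read the config."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))
```

Pass the result of `os.stat(path).st_mode` for the real squid.conf to `readable_beyond_owner`; any finding with `privileged` set is a candidate for replacement by a dedicated low-privilege service account.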


