RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 27.03.2012 01:31, Clem wrote:
> Hi Guido,
>
> I’ve installed last released of 3.1.19 
> (squid-3.1.19-20120325-r10444), and
> I’ve the same error when connecting with windows7, server is 
> unaivalable,
> the difference is I don’t have badrequest and Connection_Dropped
> DefaultAppPool in IIS6 httperr log.
>
> The only thing I can see in the logs is TCP MISS 200, in squid and 
> IIS.
>
> With XP clients, that works …
>
> Here is my squid.conf :
>
> ----------------------------------------->
>
> visible_hostname external_mail_url
> ignore_expect_100 on
> request_header_access Accept-Encoding deny all
> debug_options ALL,1
> https_port ip_of_squid:443 accel 
> cert=/usr/local/squid/etc/certifs/cert.pem
> cafile=/usr/local/squid/etc/certifs/ca_cert.pem \
> defaultsite= external_mail_url
> cache_peer  ip_of_exchange parent 443 0 no-query proxy-only 
> name=owaserver
> originserver \
> ssl sslflags=DONT_VERIFY_PEER 
> login=DOMAIN\Administrateur:adminpassword \

Is this actually "Administrateur"? or typo of the US-centric 
"Administrator"?

Also, originserver is a bit magic. login= + originserver will erase 
*www-auth* headers as well and place Basic auth credentials in the 
www-auth (origin server auth) header.



> sslcert=/usr/local/squid/etc/certifs/cert.pem
> sslcafile=/usr/local/squid/etc/certifs/ca_cert.pem
> acl 0.0.0.0 src all

This is a confusing definition for the ACL *name* "0.0.0.0".

 IPv4 0.0.0.0 is 0.0.0.0/32 (single IP address)

 ACL magic "all" token defines IPv4 0.0.0.0/0 plus IPv6 ::/0


> acl owa dstdomain external_mail_url
> cache_peer_access owaserver allow owa
> never_direct allow owa
> http_access allow owa
> http_access deny all
> miss_access allow owa
> miss_access deny all
>
> ----------------------------------------->
>
> On exchange, outlook anywhere (rpcproxy) is on basic and ntlm for IIS 
> auth,
> for client auth, only ntlm. With XP, squid auth in basic then client 
> auth in
> ntlm, and that works. In windows7, after a long time I’ve got this 
> issue :
> server is unaivalable.
>
> I don’t know what’s happening, I think perhaps it’s a http1.1 or 1.2 
> issue.
>
> Thanks,
>
> Clem
>
> -------- Message original --------
> Sujet:
> R: R: TR: TR:  https analyze, squid rpc proxy to rpc 
> proxy ii6
> exchange2007 with ntlm
> Date :
> Sun, 25 Mar 2012 17:28:25 +0000
> De :
> Guido Serassio <guido.serassio@xxxxxxxxxxxxxxxxx>
> Pour :
> Clem <clemfree@xxxxxxx>
>
> Hi,
>
> Don't forget to apply the changes listed in this discussion:
> http://www.squid-cache.org/mail-archive/squid-dev/201101/0124.html
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Silver Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> Email: guido.serassio@xxxxxxxxxxxxxxxxx
> WWW: http://www.acmeconsulting.it
>
>
> > -----Messaggio originale-----
> > Da: Clem [mailto:clemfree@xxxxxxx]
> > Inviato: domenica 25 marzo 2012 15.33
> > A: Guido Serassio
> > Oggetto: Re: R: TR: TR:  https analyze, squid rpc proxy 
> > to
> > rpc proxy ii6 exchange2007 with ntlm
> >
> > Hi Guido !
> >
> > Thank you very much for your answer ! I'me using 3.2.0.16, I'll test
> > with 3.1.19 then !
> >
> > Have a good day
> >
> > Clem
> >
> > Le 25/03/2012 14:19, Guido Serassio a écrit :
> > > Hi Clem,
> > >
> > > I hav already verified that Windows Vista and 7 talks differently 
> > to
> > Exchange.
> > > The patched 3.1.19 build fixed my problem, and also Mac EWS 
> > clients
> > seems to almost work.
> > > I'm waiting for 3.2 STABLE before run new tests on it.
> > >
> > > Regards
> > >
> > > Guido Serassio
> > > Acme Consulting S.r.l.
> > > Microsoft Silver Certified Partner
> > > VMware Professional Partner
> > > Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> > > Tel. : +39.011.9530135               Fax. : +39.011.9781115
> > > Email: guido.serassio@xxxxxxxxxxxxxxxxx
> > > WWW: http://www.acmeconsulting.it
> > >
> > >
> > >> -----Messaggio originale-----
> > >> Da: Clem [mailto:clemfree@xxxxxxx]
> > >> Inviato: venerdì 23 marzo 2012 15.48
> > >> A: squid-users@xxxxxxxxxxxxxxx
> > >> Oggetto: RE: TR: TR:  https analyze, squid rpc proxy 
> > to
> > rpc
> > >> proxy ii6 exchange2007 with ntlm
> > >>
> > >> Back with my windows7 test, and failed ... I dunno exactly why, 
> > but It
> > >> times
> > >> out with a "server is is unavailable".
> > >>
> > >> In my IIS httperr log I have :
> > >>
> > >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6004 400 1 
> > BadRequest
> > >> DefaultAppPool
> > >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6001 400 1
> > >> Connection_Dropped DefaultAppPool
> > >>
> > >> Ok with XP, not with windows7 and vista I guess
> > >>
> > >> Can you help me with this ?
> > >> Thx
> > >>
> > >> Clem
> > >>
> > >> -----Message d'origine-----
> > >> De : Clem [mailto:clemfree@xxxxxxx]
> > >> Envoyé : jeudi 22 mars 2012 21:40
> > >> À : squid-users@xxxxxxxxxxxxxxx
> > >> Objet : Re: TR: TR:  https analyze, squid rpc proxy 
> > to rpc
> > >> proxy ii6 exchange2007 with ntlm
> > >>
> > >> For infos, I'm using squid 3.2016 beta, exchange 2007 sp3 and a 
> > test
> > >> client
> > >> on XP, I'll test a client on windows7.
> > >>
> > >> No config for blackberry devices, they don't use activesync but 
> > the
> > >> connection to blackberry server directly connected to our 
> > exchange.
> > >>
> > >>
> > >>
> > >> Le 22/03/2012 15:50, Clem a écrit :
> > >>> I've tested activesync with this tool
> > >>> https://store.accessmylan.com/main/diagnostic-tools , all is OK 
> > ! I
> > will
> > >> be
> > >>> able to put my front-end squid proxy for exchange 2007 in 
> > production
> > >> soon
> > >> !
> > >>>
> > >>> -----Message d'origine-----
> > >>> De : Clem [mailto:clemfree@xxxxxxx]
> > >>> Envoyé : jeudi 22 mars 2012 14:40
> > >>> À : 'Clem'; 'squid-users@xxxxxxxxxxxxxxx'
> > >>> Cc : 'Amos Jeffries'; 'squid-users@xxxxxxxxxxxxxxx'
> > >>> Objet : RE: TR:  https analyze, squid rpc proxy to 
> > rpc
> > >> proxy
> > >>> ii6 exchange2007 with ntlm
> > >>>
> > >>> Forgot the powershell command :
> > >>>
> > >>> get-outlookanywhere | set-outlookanywhere -IISauthentication
> > basic,Ntlm
> > >>>
> > >>> Infos there :
> > >>>
> > >> 
> > http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-
> > >> anywhere-
> > >>> 
> > ntlm-authentication-for-domain-based-and-workgroup-based-computers/
> > >>>
> > >>> -----Message d'origine-----
> > >>> De : Clem [mailto:clemfree@xxxxxxx]
> > >>> Envoyé : jeudi 22 mars 2012 14:32
> > >>> À : squid-users@xxxxxxxxxxxxxxx
> > >>> Cc : Amos Jeffries; squid-users@xxxxxxxxxxxxxxx Objet : RE: TR:
> > >>>  https analyze, squid rpc proxy to rpc proxy ii6
> > >> exchange2007
> > >>> with ntlm
> > >>>
> > >>> Hello all
> > >>>
> > >>> I'm glad to inform you that's I have found a workaround solution 
> > for
> > >> outlook
> > >>> anywhere client via NTLM.
> > >>> I really didn't want to change any config of my clients outlook, 
> > who
> > are
> > >>> actually configured on NTLM auth via Outlook RPC Proxy settings.
> > >>>
> > >>> Outlook Anywhere is configured in NTLM.
> > >>>
> > >>> Recently I have found that the main problem with squid was the 
> > double
> > >> hop
> > >>> NTLM.
> > >>>
> > >>> So I though a different way :  NTLM Clients credentials ->   
> > SQUID ->
> > >> Basic
> > >>> Squid Auth ->   IIS RPC PROXY ->   NTLM client Credentials 
> > carried by
> > >> squid
> > >> ->
> > >>> Outlook Anywhere
> > >>>
> > >>> And that works !! The trick is to enable both "Integrated 
> > Windows
> > >>> Authentication" (NTLM) AND "Basic authentication" on the Rpc 
> > virtual
> > >>> directory of IIS (6 for my own).
> > >>> On Squid you have to use login:DOMAIN\user:password to send a
> > credential
> > >>> that can auth (I have used Admin one). Dunno if it's secure to 
> > use AD
> > >> admin
> > >>> user/pass directly in squid.conf ?
> > >>> Anyway that works so I'll continue to test now with that config.
> > >>>
> > >>> Now I've to test activesync with Iphone, and after with my 
> > Blackberry
> > >> Server
> > >>> Express.
> > >>>
> > >>> I can paste you some of my configurations if you need
> > >>>
> > >>> Regards
> > >>>
> > >>> Clem
> > >>>
> > >>>
> > >>>
> > >>> -----Message d'origine-----
> > >>> De : Guido Serassio [mailto:guido.serassio@xxxxxxxxxxxxxxxxx]
> > >>> Envoyé : dimanche 18 mars 2012 12:36
> > >>> À : clemfree@xxxxxxx
> > >>> Cc : Amos Jeffries; squid-users@xxxxxxxxxxxxxxx Objet : R: TR:
> > >> 
> > >>> https analyze, squid rpc proxy to rpc proxy ii6
> > >>> exchange2007 with ntlm
> > >>>
> > >>> Hi Clem,
> > >>>
> > >>> Currently it seems that a fully working reverse Proxy Open 
> > Source
> > >> solution
> > >>> for Exchange 2007 and 2010 is not available.
> > >>>
> > >>> Squid is really near to be fully functional, but there are still 
> > some
> > >>> problems.
> > >>> Look my comments in this bug:
> > >>> http://bugs.squid-cache.org/show_bug.cgi?id=3141
> > >>>
> > >>> Currently I'm running a patched Squid 3.1.19 with http 1.1 
> > support
> > >> enabled
> > >>> in front of a Exchange 2010 Server.
> > >>> RPC over HTTPS seems to work fine, while EWS from Apple and 
> > BlackBerry
> > >>> clients is still problematic.
> > >>>
> > >>> I have tried also to use 3.2, but things seems to be worse: RPC
> > doesn't
> > >> work
> > >>> at all.
> > >>>
> > >>> Regards
> > >>>
> > >>> Guido Serassio
> > >>> Acme Consulting S.r.l.
> > >>> Microsoft Silver Certified Partner
> > >>> VMware Professional Partner
> > >>> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> > >>> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> > >>> Email: guido.serassio@xxxxxxxxxxxxxxxxx
> > >>> WWW: http://www.acmeconsulting.it
> > >>>
> > >>>
> > >>>> -----Messaggio originale-----
> > >>>> Da: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> > >>>> Inviato: venerdì 16 marzo 2012 11.54
> > >>>> A: squid-users@xxxxxxxxxxxxxxx
> > >>>> Oggetto: Re: TR:  https analyze, squid rpc proxy 
> > to rpc
> > >>>> proxy
> > >>>> ii6 exchange2007 with ntlm
> > >>>>
> > >>>> On 14/03/2012 11:32 p.m., Clem wrote:
> > >>>>> Hello,
> > >>>>>
> > >>>>> Ok so I know exactly why squid can't forward ntlm credentials 
> > and
> > >>>>> stop
> > >>>> at
> > >>>>> type1. It's facing the double hop issue, ntlm credentials can 
> > be
> > >>>>> sent
> > >>>> only
> > >>>>> on one hop, and is lost with 2 hops like : client ->    squid 
> > (hop1)
> > >>>>> ->
> > >>>> IIS6
> > >>>>> rpx proxy (hop2) ->    exchange 2007
> > >>>>>
> > >>>>> That's why when I connect directly to my iis6 rpc proxy that 
> > works
> > >>>>> and
> > >>>> when
> > >>>>> I connect through squid that request login/pass again and 
> > again. And
> > >>>>> we
> > >>>> can
> > >>>>> clearly see that on https analyzes.
> > >>>>>
> > >>>>> ISA server has a workaround about this double hop issue as I 
> > have
> > >>>>> wrote
> > >>>> in
> > >>>>> my last mail, I don't know if squid can act like this.
> > >>>>>
> > >>>>> I'm searching atm how to set iis6 perhaps to resolve this 
> > problem,
> > >>>>> but I don't want to "break" my exchange so I've to do my tests 
> > very
> > >>>>> carefully
> > >>>> Cheers. I've added a mention of this to the NTLM issiues wiki 
> > page
> > now
> > >>>> for others to find along with the archive of these messages.
> > >>>>
> > >>>> Amos
> > >