Hi Amos,

Administrateur is the French AD name for Administrator :)

-> Also, originserver is a bit magic. login= + originserver will erase *www-auth* headers as well and place Basic auth credentials in the www-auth (origin server auth) header.

I'm ok with that, cause I want squid to auth in basic at first !

-> This is a confusing definition for the ACL *name* "0.0.0.0". IPv4 0.0.0.0 is 0.0.0.0/32 (single IP address) ACL magic "all" token defines IPv4 0.0.0.0/0 plus IPv6 ::/0

Thanks for the info, I've modified my cfg.

But I still have the issue with Windows7, TCP miss 200 on logs, and "server is unavailable" with outlook, whereas with XP that works.

Regards

Clem

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Tuesday 27 March 2012 04:02
To: squid-users@xxxxxxxxxxxxxxx
Subject: RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 27.03.2012 01:31, Clem wrote:
> Hi Guido,
>
> I’ve installed last released of 3.1.19 (squid-3.1.19-20120325-r10444),
> and I’ve the same error when connecting with windows7, server is
> unavailable, the difference is I don’t have badrequest and
> Connection_Dropped DefaultAppPool in IIS6 httperr log.
>
> The only thing I can see in the logs is TCP MISS 200, in squid and
> IIS.
>
> With XP clients, that works …
>
> Here is my squid.conf :
>
> ----------------------------------------->
>
> visible_hostname external_mail_url
> ignore_expect_100 on
> request_header_access Accept-Encoding deny all
> debug_options ALL,1
> https_port ip_of_squid:443 accel
> cert=/usr/local/squid/etc/certifs/cert.pem
> cafile=/usr/local/squid/etc/certifs/ca_cert.pem \
> defaultsite= external_mail_url
> cache_peer ip_of_exchange parent 443 0 no-query
> proxy-only name=owaserver originserver \
> ssl sslflags=DONT_VERIFY_PEER
> login=DOMAIN\Administrateur:adminpassword \

Is this actually "Administrateur"? or typo of the US-centric "Administrator"?

Also, originserver is a bit magic.
login= + originserver will erase *www-auth* headers as well and place Basic auth credentials in the www-auth (origin server auth) header.

> sslcert=/usr/local/squid/etc/certifs/cert.pem
> sslcafile=/usr/local/squid/etc/certifs/ca_cert.pem
> acl 0.0.0.0 src all

This is a confusing definition for the ACL *name* "0.0.0.0".
IPv4 0.0.0.0 is 0.0.0.0/32 (single IP address)
ACL magic "all" token defines IPv4 0.0.0.0/0 plus IPv6 ::/0

> acl owa dstdomain external_mail_url
> cache_peer_access owaserver allow owa
> never_direct allow owa
> http_access allow owa
> http_access deny all
> miss_access allow owa
> miss_access deny all
>
> ----------------------------------------->
>
> On exchange, outlook anywhere (rpcproxy) is on basic and ntlm for IIS
> auth, for client auth, only ntlm. With XP, squid auth in basic then
> client auth in ntlm, and that works. In windows7, after a long time
> I’ve got this issue :
> server is unavailable.
>
> I don’t know what’s happening, I think perhaps it’s a http1.1 or 1.2
> issue.
>
> Thanks,
>
> Clem
>
> -------- Original Message --------
> Subject: R: R: TR: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
> Date: Sun, 25 Mar 2012 17:28:25 +0000
> From: Guido Serassio <guido.serassio@xxxxxxxxxxxxxxxxx>
> To: Clem <clemfree@xxxxxxx>
>
> Hi,
>
> Don't forget to apply the changes listed in this discussion:
> http://www.squid-cache.org/mail-archive/squid-dev/201101/0124.html
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Silver Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.serassio@xxxxxxxxxxxxxxxxx
> WWW: http://www.acmeconsulting.it
>
>
>> -----Original Message-----
>> From: Clem [mailto:clemfree@xxxxxxx]
>> Sent: Sunday 25 March 2012 15.33
>> To: Guido Serassio
>> Subject: Re: R: TR: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>>
>> Hi Guido !
>>
>> Thank you very much for your answer ! I'm using 3.2.0.16, I'll test
>> with 3.1.19 then !
>>
>> Have a good day
>>
>> Clem
>>
>> On 25/03/2012 14:19, Guido Serassio wrote:
>> > Hi Clem,
>> >
>> > I have already verified that Windows Vista and 7 talks differently to Exchange.
>> > The patched 3.1.19 build fixed my problem, and also Mac EWS clients seems to almost work.
>> > I'm waiting for 3.2 STABLE before run new tests on it.
>> >
>> > Regards
>> >
>> > Guido Serassio
>> > Acme Consulting S.r.l.
>> > Microsoft Silver Certified Partner
>> > VMware Professional Partner
>> > Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
>> > Tel. : +39.011.9530135 Fax. : +39.011.9781115
>> > Email: guido.serassio@xxxxxxxxxxxxxxxxx
>> > WWW: http://www.acmeconsulting.it
>> >
>> >
>> >> -----Original Message-----
>> >> From: Clem [mailto:clemfree@xxxxxxx]
>> >> Sent: Friday 23 March 2012 15.48
>> >> To: squid-users@xxxxxxxxxxxxxxx
>> >> Subject: RE: TR: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>> >>
>> >> Back with my windows7 test, and failed ... I dunno exactly why, but It times out with a "server is unavailable".
>> >>
>> >> In my IIS httperr log I have :
>> >>
>> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6004 400 1 BadRequest DefaultAppPool
>> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6001 400 1 Connection_Dropped DefaultAppPool
>> >>
>> >> Ok with XP, not with windows7 and vista I guess
>> >>
>> >> Can you help me with this ?
>> >> Thx
>> >>
>> >> Clem
>> >>
>> >> -----Original Message-----
>> >> From: Clem [mailto:clemfree@xxxxxxx]
>> >> Sent: Thursday 22 March 2012 21:40
>> >> To: squid-users@xxxxxxxxxxxxxxx
>> >> Subject: Re: TR: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>> >>
>> >> For infos, I'm using squid 3.2016 beta, exchange 2007 sp3 and a test client on XP, I'll test a client on windows7.
>> >>
>> >> No config for blackberry devices, they don't use activesync but the connection to blackberry server directly connected to our exchange.
>> >>
>> >>
>> >>
>> >> On 22/03/2012 15:50, Clem wrote:
>> >>> I've tested activesync with this tool
>> >>> https://store.accessmylan.com/main/diagnostic-tools , all is OK ! I will be
>> >>> able to put my front-end squid proxy for exchange 2007 in production soon !
>> >>>
>> >>> -----Original Message-----
>> >>> From: Clem [mailto:clemfree@xxxxxxx]
>> >>> Sent: Thursday 22 March 2012 14:40
>> >>> To: 'Clem'; 'squid-users@xxxxxxxxxxxxxxx'
>> >>> Cc: 'Amos Jeffries'; 'squid-users@xxxxxxxxxxxxxxx'
>> >>> Subject: RE: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>> >>>
>> >>> Forgot the powershell command :
>> >>>
>> >>> get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm
>> >>>
>> >>> Infos there :
>> >>>
>> >>> http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/
>> >>>
>> >>> -----Original Message-----
>> >>> From: Clem [mailto:clemfree@xxxxxxx]
>> >>> Sent: Thursday 22 March 2012 14:32
>> >>> To: squid-users@xxxxxxxxxxxxxxx
>> >>> Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
>> >>> Subject: RE: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>> >>>
>> >>> Hello all
>> >>>
>> >>> I'm glad to inform you that's I have found a workaround solution for
>> >>> outlook anywhere client via NTLM.
>> >>> I really didn't want to change any config of my clients outlook, who are
>> >>> actually configured on NTLM auth via Outlook RPC Proxy settings.
>> >>>
>> >>> Outlook Anywhere is configured in NTLM.
>> >>>
>> >>> Recently I have found that the main problem with squid was the double hop
>> >>> NTLM.
>> >>>
>> >>> So I thought a different way : NTLM Clients credentials -> SQUID -> Basic
>> >>> Squid Auth -> IIS RPC PROXY -> NTLM client Credentials carried by squid ->
>> >>> Outlook Anywhere
>> >>>
>> >>> And that works !! The trick is to enable both "Integrated Windows
>> >>> Authentication" (NTLM) AND "Basic authentication" on the Rpc virtual
>> >>> directory of IIS (6 for my own).
>> >>> On Squid you have to use login:DOMAIN\user:password to send a credential
>> >>> that can auth (I have used Admin one). Dunno if it's secure to use AD admin
>> >>> user/pass directly in squid.conf ?
>> >>> Anyway that works so I'll continue to test now with that config.
>> >>>
>> >>> Now I've to test activesync with Iphone, and after with my Blackberry Server
>> >>> Express.
>> >>>
>> >>> I can paste you some of my configurations if you need
>> >>>
>> >>> Regards
>> >>>
>> >>> Clem
>> >>>
>> >>>
>> >>>
>> >>> -----Original Message-----
>> >>> From: Guido Serassio [mailto:guido.serassio@xxxxxxxxxxxxxxxxx]
>> >>> Sent: Sunday 18 March 2012 12:36
>> >>> To: clemfree@xxxxxxx
>> >>> Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
>> >>> Subject: R: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>> >>>
>> >>> Hi Clem,
>> >>>
>> >>> Currently it seems that a fully working reverse Proxy Open Source solution
>> >>> for Exchange 2007 and 2010 is not available.
>> >>>
>> >>> Squid is really near to be fully functional, but there are still some
>> >>> problems.
>> >>> Look my comments in this bug:
>> >>> http://bugs.squid-cache.org/show_bug.cgi?id=3141
>> >>>
>> >>> Currently I'm running a patched Squid 3.1.19 with http 1.1 support enabled
>> >>> in front of a Exchange 2010 Server.
>> >>> RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry
>> >>> clients is still problematic.
>> >>>
>> >>> I have tried also to use 3.2, but things seems to be worse: RPC doesn't work
>> >>> at all.
>> >>>
>> >>> Regards
>> >>>
>> >>> Guido Serassio
>> >>> Acme Consulting S.r.l.
>> >>> Microsoft Silver Certified Partner
>> >>> VMware Professional Partner
>> >>> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
>> >>> Tel. : +39.011.9530135 Fax. : +39.011.9781115
>> >>> Email: guido.serassio@xxxxxxxxxxxxxxxxx
>> >>> WWW: http://www.acmeconsulting.it
>> >>>
>> >>>
>> >>>> -----Original Message-----
>> >>>> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
>> >>>> Sent: Friday 16 March 2012 11.54
>> >>>> To: squid-users@xxxxxxxxxxxxxxx
>> >>>> Subject: Re: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>> >>>>
>> >>>> On 14/03/2012 11:32 p.m., Clem wrote:
>> >>>>> Hello,
>> >>>>>
>> >>>>> Ok so I know exactly why squid can't forward ntlm credentials and stop at
>> >>>>> type1. It's facing the double hop issue, ntlm credentials can be sent only
>> >>>>> on one hop, and is lost with 2 hops like : client -> squid (hop1) -> IIS6
>> >>>>> rpx proxy (hop2) -> exchange 2007
>> >>>>>
>> >>>>> That's why when I connect directly to my iis6 rpc proxy that works and when
>> >>>>> I connect through squid that request login/pass again and again. And we can
>> >>>>> clearly see that on https analyzes.
>> >>>>>
>> >>>>> ISA server has a workaround about this double hop issue as I have wrote in
>> >>>>> my last mail, I don't know if squid can act like this.
>> >>>>>
>> >>>>> I'm searching atm how to set iis6 perhaps to resolve this problem,
>> >>>>> but I don't want to "break" my exchange so I've to do my tests very
>> >>>>> carefully
>> >>>> Cheers. I've added a mention of this to the NTLM issues wiki page now
>> >>>> for others to find along with the archive of these messages.
>> >>>>
>> >>>> Amos
>> >
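
As an added example (not part of the original messages and not Squid project code), a small Python check for the configuration points raised in this thread: an ACL named like an IP address, a static `login=` credential on a `cache_peer` that is also `originserver`, and `sslflags=DONT_VERIFY_PEER`. The sample config is constructed from the directives quoted above, and the function names are this example's own.

```python
import re

# Constructed sample: the cache_peer/acl lines quoted in the thread,
# joined with squid.conf backslash continuations (placeholders as posted).
SAMPLE_CONF = r"""
cache_peer ip_of_exchange parent 443 0 no-query proxy-only name=owaserver originserver \
    ssl sslflags=DONT_VERIFY_PEER login=DOMAIN\Administrateur:adminpassword \
    sslcert=/usr/local/squid/etc/certifs/cert.pem
acl 0.0.0.0 src all
acl owa dstdomain external_mail_url
"""

# ACL names that read as an IPv4 or IPv6 address, with optional prefix length.
IP_LIKE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F:]*::[0-9a-fA-F:]*)(/\d+)?$")

def logical_lines(text):
    """Join backslash-continued lines; skip blank and comment lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def lint(text):
    """Return (directive, finding) tuples for the review points in the thread."""
    findings = []
    for tok in logical_lines(text):
        if tok[0] == "acl" and len(tok) > 1 and IP_LIKE.match(tok[1]):
            findings.append(("acl", f"ACL name '{tok[1]}' looks like an address"))
        if tok[0] == "cache_peer":
            opts = tok[1:]
            login = next((o for o in opts if o.startswith("login=")), None)
            if login and ":" in login[len("login="):]:
                # Report the account only; never echo the password itself.
                user = login[len("login="):].split(":", 1)[0]
                msg = f"static password for '{user}' stored in cache_peer login="
                if "originserver" in opts:
                    msg += "; sent as Basic origin auth, replacing client www-auth headers"
                findings.append(("cache_peer", msg))
            if any(o.startswith("sslflags=") and "DONT_VERIFY_PEER" in o for o in opts):
                findings.append(("cache_peer", "peer certificate is not verified"))
    return findings

if __name__ == "__main__":
    for directive, finding in lint(SAMPLE_CONF):
        print(f"{directive}: {finding}")
```
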