Re: Squid 3 NTLM , RPC over HTTPS, multi certs

On 27/03/2013 7:02 a.m., Damir Reic wrote:
> I can't find thorough info about what is implemented in squid 3 so I would
> like to know if this is implemented:
>
> 1) Sharepoint from outside with squid proxy acting as http proxy with NTLM
> support

This is very unlikely to work. ... NTLM auth's proper name is "LAN Manager authentication" - this is authentication for *LAN* management. Using it over the Internet varies from erratic success/fail to complete failure. Squid requires some horribly nasty hacks which greatly reduce the performance just to relay NTLM traffic around the LAN. Requiring every network admin in the world to also compromise good performance in order to let your Sharepoint traffic pass through them is not realistic - you will always encounter networks which require high HTTP performance.

... the best thing you can do is to upgrade to Negotiate/Kerberos instead of wasting time trying to get NTLM working on the WAN. It still requires some performance reduction, but not nearly as many high-impact problems as NTLM.


> 2) Outlook anywhere - RPC over HTTPS with NTLM auth

#1 RPC is a protocol using HTTP message structure and ports. It is not explicitly implemented by Squid, but since it uses HTTP messaging structure Squid handles it as HTTP.

However, that is dependent on exactly which "squid 3" version you are talking about. HTTP/1.1 feature support has been progressively added from Squid-2.6 onwards and finally achieved sufficient feature capabilities for 3.2+ to advertise themselves as HTTP/1.1 enabled. The impact of this on RPC behaviour has at times been problematic, as RPC services required features not presented by older Squid or failed to properly support features required by the HTTP/1.1 used by Squid.

For instance, recent Sharepoint software versions have been found to *assume* and *require* that all proxies in existence support HTTP/1.1 features which are not supported by the common Squid-3.1 and older installations.


#2 NTLM auth does *not* play nicely with HTTP. Its replacement Negotiate plays a lot nicer but still violates several critical HTTP requirements. They are supported in HTTP proxies like Squid by use of code hacks which break HTTP behaviour. As we have improved the code and tried to make Squid follow correct HTTP behaviour properly, sometimes the HTTP changes have broken these auth schemes and required re-fixing the code doing those hacks.

Sorry for the rant-like text, but that is the situation. If possible please use the latest Squid-3 release for best behaviour. It almost completely works for both NTLM and Negotiate with the currently popular Sharepoint versions. (There is one more fix in QA right now for both Negotiate and NTLM, and I can't speak for any future discoveries).


> 3) Can I use multiple SSL certificates for proxy like I can do in apache?

How do you do it in Apache? What version of Apache? What version of Squid? Can you change your version of Squid if it is too old? - these are critical pieces of information which you have omitted.

Amos
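As an added illustration of the Negotiate/Kerberos upgrade Amos recommends in this reply (this fragment is not from the thread or from the Squid project's documentation; the helper path, realm, service principal and hostname are assumed placeholders), a minimal squid.conf fragment for Squid 3.2 or later that replaces NTLM proxy authentication with Negotiate:

```conf
# Added example squid.conf fragment (not from the thread). Assumes Squid 3.2+,
# a keytab holding the proxy's HTTP/proxy.example.com service principal, and a
# Kerberos realm named EXAMPLE.COM -- all of these are placeholders.

# Negotiate (Kerberos) proxy authentication. negotiate_kerberos_auth is the
# helper shipped with Squid 3.2+; -s names the service principal to accept.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=5 idle=1
auth_param negotiate keep_alive on

# Only authenticated users may use the proxy; everything else is denied.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

The helper reads the keytab named by the KRB5_KTNAME environment variable of the Squid process, so that variable has to be set in whatever starts Squid. Unlike NTLM's multi-round-trip challenge/response, a client that already holds a Kerberos ticket sends a single Negotiate token in Proxy-Authorization, which is why Amos describes Negotiate as disrupting HTTP far less; the scheme still assumes a persistent connection, which is what `keep_alive on` preserves.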



