RE: [squid-users] Squid Proxy

From: Clem <clemfree_at_free.fr>
Date: Wed, 18 Apr 2012 09:30:45 +0200

Hello,

Squid can't handle NTLM-to-NTLM with Exchange 2007; this is the double-hop issue.
I've found a workaround, which is to tell Squid to authenticate in Basic while the
client authenticates in NTLM. We have to modify the Exchange IISAuthentication to accept
both NTLM and Basic. That works, but only with XP clients. For Windows 7
clients we have to use an LM or NTLM "lanmanserver level" configuration in the
security policies:

http://www.sevenforums.com/attachments/network-sharing/99233d1285088277-homegroup-problem-lanmanserver-lanman-security-options.png

And you have to disable the msstd option in Outlook:

http://2.bp.blogspot.com/_1_AwklpKUEc/SUmbOkOURDI/AAAAAAAAAVk/aoHPPaVVesI/s400/msstd.JPG

Otherwise Outlook Anywhere via Squid and NTLM will not work on Windows 7 clients.

You can follow my thoughts on this topic in the thread with the subject: https analyze, squid rpc
proxy to rpc proxy ii6 exchange2007 with ntlm

I'm still searching for a solution ... because I have some external clients with
laptops (W7) and I don't want to configure them manually; I want my Squid
Exchange front-end project to be completely transparent for my clients.

Regards

Clem
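The two server/client-side changes in the workaround above (Exchange accepting both Basic and NTLM on the RPC virtual directory, and the Windows 7 LAN Manager authentication level), written out as an added PowerShell example. This is editorial illustration, not code from the thread. It assumes the Client Access Server is named EX01 with Outlook Anywhere on the default web site, and it takes LmCompatibilityLevel 1 (send LM and NTLM responses, use NTLMv2 session security if negotiated) as the "LM or NTLM" policy value; the Windows 7 default is 3 (NTLMv2 responses only), so this is a deliberate downgrade of the client's authentication policy.

```powershell
<#
  Added example, not code from the original thread. Run it in two places:
    -Role Exchange : Exchange Management Shell on the Exchange 2007 SP1 CAS
    -Role Client   : elevated PowerShell on the Windows 7 laptop
  Assumptions: CAS name EX01, Outlook Anywhere on the Default Web Site,
  LmCompatibilityLevel 1 as the "LM or NTLM" setting.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Exchange', 'Client')]
    [string]$Role
)

if ($Role -eq 'Exchange') {
    # Assumption: server name EX01. Squid (login=PASS, Basic) and Outlook
    # (NTLM) both hit this virtual directory, so IIS must offer both schemes.
    $rpcVdir = 'EX01\Rpc (Default Web Site)'
    Set-OutlookAnywhere -Identity $rpcVdir -IISAuthenticationMethods Basic, Ntlm

    # Read it back; IISAuthenticationMethods should now list Basic and Ntlm.
    Get-OutlookAnywhere -Identity $rpcVdir |
        Select-Object Identity, IISAuthenticationMethods | Format-List
}
else {
    # The policy "Network security: LAN Manager authentication level"
    # is stored as this registry value.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LmCompatibilityLevel'

    $current = (Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = 3 }   # absent: treat as the Windows 7 default
    Write-Host "Current $name = $current"

    if ($current -le 1) {
        Write-Host 'LM/NTLM responses are already allowed; nothing to change.'
    }
    else {
        Write-Warning ('Lowering {0} to 1 lets this client send LM and NTLMv1 ' +
                       'responses to any server, not just to the Squid proxy. ' +
                       'Apply it only to the laptops that need the workaround.') -f $name
        Set-ItemProperty -Path $lsa -Name $name -Type DWord -Value 1

        $after = (Get-ItemProperty -Path $lsa -Name $name).$name
        Write-Host "New $name = $after (reboot before testing Outlook Anywhere)"
    }
}
```

The Outlook-side step from the post (unticking "Only connect to proxy servers that have this principal name in their certificate", the msstd: value) is a per-profile Outlook setting and is left as a manual step here; no registry key is assumed for it. Note that both client-side changes loosen validation: the msstd change stops Outlook checking the proxy certificate's principal name, and level 1 re-enables LM/NTLMv1 responses that Windows 7 disables by default.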

-----Original Message-----
From: Commandeur, Ed [mailto:Ed.Commandeur_at_akn.nl]
Sent: Wednesday 18 April 2012 07:46
To: 'squid-users_at_squid-cache.org'
Subject: [squid-users] Squid Proxy

Hello,

I'm really stuck at the moment using the Squid reverse proxy. I've seen on the website a config for Exchange RPC over HTTPS and I've set those settings in my own environment.

The reverse proxy works with OWA and all the other Exchange applications except for RPC over HTTPS. It seems that the NTLM negotiation isn't forwarded to our mail server.

Here's my squid config

acl httptohttps myport 80
http_access deny httptohttps
deny_info https://<owa url>/ httptohttps

# extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Publish the RPCoHTTP service via SSL
https_port <server ip>:443 accel cert=c:/squid/etc/ssl/<wildcardcert>.crt key=c:/squid/etc/ssl/<wildcardcert>.key defaultsite=<owa url>

# login=PASS forwards the client's authentication headers to the origin.
# sslflags=DONT_VERIFY_PEER: Squid does not validate the Exchange server's
# certificate on the back-end TLS connection.
cache_peer <mailserver ip> parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=c:/squid/etc/ssl/<wildcardcert>.crt sslkey=c:/squid/etc/ssl/<wildcardcert>.key name=exchangeServer

access_log c:/squid/var/logs/access.log

acl EXCH dstdomain <owa url>
acl all src 0.0.0.0/0.0.0.0

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all

I'm running version 2.7.STABLE8 on a Windows 2008 R2 SP1 server.

I get the following error in the access log when I try to open just the web page of the RPC site:

<my ip> TCP_DENIED/401 1733 GET https://<owa url>/rpc - NONE/- text/html

Someone got any idea?

With kind regards,

Ed Commandeur
information & media technology
systemadministrator
email: ed.commandeur_at_akn.nl
Site: http://www.akn.nl
Received on Wed Apr 18 2012 - 07:30:53 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 18 2012 - 12:00:03 MDT