Re: [squid-users] NTLM and transparent/interception confusion

2009-01-03 Thread Guido Serassio

Hi Kinkie,

At 18.45 02/01/2009, Kinkie wrote:

Could you try to get a network trace of a successfully authenticated
http transaction?
I would love to see how they do it...


Websense too is using something similar for filtering:

They maintain an IP Address/Username table on the policy server. The 
table can be populated in different ways:

- A logon agent, a little executable running on every client at logon time
- Direct query to the user workstation
- A DC agent that queries DCs for user sessions

There isn't any kind of web browser authentication, and this solution 
cannot work with non-Windows clients or machines that are not domain members.
Multiuser terminal server environments cannot be supported and the WS 
policy server should be Windows-based and a domain member for full functionality.


Regards

Guido


Thanks!

On 1/2/09, Johnson, S sjohn...@edina.k12.mn.us wrote:
 That's too bad...  I've set up numerous Bluecoat proxies and they do
 have this capability.  But of course, you're paying about $50k usd /
 box.

 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Thursday, January 01, 2009 4:00 AM
 To: Johnson, S; squid-users@squid-cache.org
 Subject: Re: [squid-users] NTLM and transparent/interception confusion

 Hi,

 At 20.06 31/12/2008, Johnson, S wrote:
I've been doing a lot of reading on this...  I've got the proxy working
in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode

I've got NTLM authentication working just fine with #1 above.  However,
with #2 I never get a password prompt.  I don't really care about
transparency; I just want to authenticate users that are outbound
without having to configure their browser.

I asked this question a couple of months back and there are people
stating that they are doing the authentication with transparent mode.
Some of the references I've found in my searches also seem to
corroborate the possibility of this working (but it's not working for
me).  However, in the documentation it seems that this should not be
possible.  Am I barking up the wrong tree or is this truly possible?

 You cannot.

 You are mixing two very different and incompatible things:

 - Transparent/intercepting proxy
 - NTLM transparent (silent) authentication, also known as Windows
 integrated authentication
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

 Regards and happy New Year

 Guido



 -
 
 Guido Serassio
 Acme Consulting S.r.l. - Microsoft Certified Partner
 Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135  Fax. : +39.011.9781115
 Email: guido.seras...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it/






--
/kinkie



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



[squid-users] How do i update

2009-01-03 Thread Tarak Ranjan
Hi List,
I have SQUID 2.6.STABLE6 running, and I want to
update to SQUID 3.0 STABLE11 for SSL bump.

Is it possible to do the upgrade?

/\
Tarak






[squid-users] Re: [squid-users] How do i update

2009-01-03 Thread yonghua
Sure it's possible.
The main configuration files for 2.6 and 3.0 are almost the same.

--
yonghua peng
http://home.arcor.de/pangj/


--- On Saturday, 3 January 2009, Tarak Ranjan contact...@yahoo.co.in wrote:

 From: Tarak Ranjan contact...@yahoo.co.in
 Subject: [squid-users] How do i update
 To: Squid squid-users@squid-cache.org
 Date: 2009,13, Saturday, 8:12 PM
 Hi List,
 I have SQUID 2.6.STABLE6 running, and I want to
 update to SQUID 3.0 STABLE11 for SSL bump.
 
 Is it possible to do the upgrade?
 



Re: [squid-users] NTLM and transparent/interception confusion

2009-01-03 Thread Kinkie
On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio
guido.seras...@acmeconsulting.it wrote:
 Hi Kinkie,

 At 18.45 02/01/2009, Kinkie wrote:

 Could you try to get a network trace of a successfully authenticated
 http transaction?
 I would love to see how they do it...

 Websense too is using something similar for filtering:

 They maintain an IP Address/Username table on the policy server. The table
 can be populated in different ways:
 - A logon agent, a little executable running on every client at logon time
 - Direct query to the user workstation
 - A DC agent that queries DCs for user sessions
 There isn't any kind of web browser authentication, and this solution cannot
 work with non-Windows clients or machines that are not domain members.
 Multiuser terminal server environments cannot be supported and the WS policy
 server should be Windows-based and a domain member for full functionality.


Yuck...
IIRC Squid's session helper can do that too then.
This is NOT authentication and it's absolutely insecure: even Windows
nowadays supports remote desktops (3 users can share one IP) and SNAT
(connection sharing), and it's pretty easy to hijack a user's
credentials (simply log on to his workstation as soon as possible
after he's logged out).

An nmblookup-based external authentication helper could be set up to
do one of these, but after all what's the point? If the user has a
proper Windows infrastructure, it's much easier to use group policies
to configure the browsers.

Thanks for the clarification Guido!

-- 
/kinkie
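
Added example, not part of the original thread and not code from Squid or Websense: a small audit of a last-logon-wins IP/username table, showing where the name it returns for a request cannot be trusted (shared IPs, and entries left behind after a logoff). The `Session` record, the function names and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    ip: str
    user: str
    start: int            # logon time, seconds
    end: Optional[int]    # logoff time; None means no logoff was reported

# Constructed sample data.
SESSIONS = [
    Session("10.0.0.5", "alice", 0, 600),    # single-user workstation
    Session("10.0.0.5", "bob", 620, None),   # next user on the same workstation
    Session("10.0.0.9", "carol", 0, None),   # terminal server or SNAT gateway:
    Session("10.0.0.9", "dave", 100, None),  # two users behind one IP
]

def table_lookup(sessions, ip, ts):
    """What a last-logon-wins IP table answers: the latest logon seen on that IP."""
    seen = [s for s in sessions if s.ip == ip and s.start <= ts]
    return max(seen, key=lambda s: s.start).user if seen else None

def active_users(sessions, ip, ts):
    """Users who really have a session open on that IP at time ts."""
    return {s.user for s in sessions
            if s.ip == ip and s.start <= ts and (s.end is None or ts < s.end)}

def attribution(sessions, ip, ts):
    """Return (name the table would log, how far that name can be trusted)."""
    claimed = table_lookup(sessions, ip, ts)
    users = active_users(sessions, ip, ts)
    if claimed is None:
        return (None, "unknown")       # no logon ever seen for this IP
    if len(users) > 1:
        return (claimed, "ambiguous")  # several users share the IP
    if claimed not in users:
        return (claimed, "stale")      # table still names a logged-off user
    return (claimed, "single")

if __name__ == "__main__":
    for ip, ts in [("10.0.0.5", 300), ("10.0.0.5", 610), ("10.0.0.9", 200)]:
        print(ip, ts, attribution(SESSIONS, ip, ts))
```

Only the `single` result matches what real proxy authentication would give; `ambiguous` and `stale` are the remote-desktop/SNAT and post-logoff cases raised above.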