[squid-users] RPC over HTTPS with NTLM in pretty weird setup
Hi,

We are migrating to Exchange from another Exchange-like product, and I still struggle with NTLM authentication for the remote users with Outlook (RPC over HTTPS).

The setup is:
- Firewall with Squid 2.6.18-1ubuntu3 (manually compiled to enable SSL)
- Exchange in the LAN
- Exchange-like product on the firewall, using Apache2 (still in production)

I found some examples on the net to proxy certain URLs to the local Apache and all others to Exchange. For laptops, this setup works when I use Basic authentication, but that creates annoying password prompts when the laptop user is in the LAN.

Squid.conf:

visible_hostname mail.company.com
persistent_connection_after_error on

###
# Exchange 2010

# extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA

# We listen on 195.xxx.xxx.xxx, our primary line
# mail.company.com.crt is an official certificate
https_port 195.xxx.xxx.xxx:443 cert=/etc/ssl/keys/mail.company.com.crt key=/etc/ssl/keys/mail.company.com.pem defaultsite=mail.company.com

# We also listen on 212.xxx.xxx.xxx, a 2nd line for testing ActiveSync on Exchange
# 212.xxx.xxx.xxx.crt is a self generated certificate
https_port 212.xxx.xxx.xxx:443 cert=/etc/ssl/keys/212.xxx.xxx.xxx.crt key=/etc/ssl/keys/212.xxx.xxx.xxx.pem defaultsite=212.xxx.xxx.xxx

# localhost has Apache running, 192.168.xxx.xxx is the Exchange Server
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/ssl/keys/mail.company.com.pem sslkey=/etc/ssl/keys/mail.company.com.pem name=webServer
cache_peer 192.168.xxx.xxx parent 443 0 proxy-only no-query no-digest originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER name=exchangeServer

# Send the ActiveSync on the main line to the local Apache for the Exchange-like product, which is still in use
acl web_url url_regex -i mail.company.com/Microsoft-Server-ActiveSync

# Send the webserver URLs to the webserver
cache_peer_access webServer allow web_url

# Send everything else to the Exchange server
cache_peer_access exchangeServer deny web_url

# This is to protect ourselves
never_direct allow web_url

# settings caching and logging
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
cache_log none
cache_store_log none
debug_options ALL,8
access_log /var/log/squid/access.log squid

###
# ACL - required to allow
acl all src 0.0.0.0/0.0.0.0
http_access allow all
miss_access allow all

So far this setup works for ActiveSync via the 2nd line. Outlook Anywhere (RPC over HTTPS) only gives me this in access.log:

1265109372.999 23 10.11.11.149 TCP_MISS/401 430 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109372.999 20 10.11.11.149 TCP_MISS/401 430 RPC_OUT_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html

Any thoughts on this setup? How to fix NTLM auth for laptop users?

Thanks,
Toni Van Remortel
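The access.log lines above are in Squid's native ("squid") log format, and the 401s on RPC_IN_DATA/RPC_OUT_DATA are the only evidence the poster has of where authentication stops. The following is an added example (not from the thread or from Squid) that parses that format and summarises, per client, whether every RPC over HTTPS request was refused by the parent; the sample log lines are constructed to mirror the ones quoted above.

```python
"""Summarise RPC over HTTPS (RPC_IN_DATA / RPC_OUT_DATA) outcomes per client
from Squid's native access.log format. Added example; the sample lines are
constructed to mirror the ones quoted in the thread, not real log data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    action: str     # e.g. TCP_MISS
    status: int     # HTTP status from the "action/status" field
    method: str
    url: str
    peer: str       # "hierarchy/peer" field, e.g. FIRST_UP_PARENT/exchangeServer

def parse_native_line(line: str) -> Optional[Entry]:
    """Parse one line of the 'squid' (native) log format:
    ts elapsed client action/status size method url ident hier/peer ctype."""
    p = line.split()
    if len(p) < 10:
        return None
    action, _, status = p[3].partition("/")
    try:
        return Entry(float(p[0]), int(p[1]), p[2], action, int(status),
                     p[5], p[6], p[8])
    except ValueError:
        return None

def rpc_auth_summary(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client: RPC request count, 401 count, answering peers, and whether
    every RPC request was refused (the client never got past the backend's
    authentication challenge)."""
    per_client = defaultdict(lambda: {"rpc": 0, "401": 0, "peers": Counter()})
    for line in lines:
        e = parse_native_line(line)
        if e is None or e.method not in RPC_METHODS:
            continue                      # non-RPC traffic or unparsable line
        rec = per_client[e.client]
        rec["rpc"] += 1
        rec["401"] += int(e.status == 401)
        rec["peers"][e.peer] += 1
    return {c: {"rpc": r["rpc"], "401": r["401"],
                "all_failed": r["401"] == r["rpc"],
                "peers": dict(r["peers"])} for c, r in per_client.items()}

SAMPLE_LOG = """\
1265109372.999 23 10.11.11.149 TCP_MISS/401 430 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109372.999 20 10.11.11.149 TCP_MISS/401 430 RPC_OUT_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109400.120 8 10.11.11.150 TCP_MISS/200 512 GET https://mail.company.com/Microsoft-Server-ActiveSync?Cmd=Ping - FIRST_UP_PARENT/webServer text/html
1265109401.500 1500 10.11.11.151 TCP_MISS/200 1024 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer application/rpc
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for client, rec in rpc_auth_summary(SAMPLE_LOG).items():
        print(client, rec)
```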
[squid-users] RPC Over HTTPS
Hi All,

I have successfully configured reverse proxy, but have an issue with RPC over https.

Testing my setup with the following link https://www.testexchangeconnectivity.com/ I have the below error:

Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server hubsexchange.airarabiauae.com
Failed to ping Endpoint
Additional Details
An RPC Error was thrown by the RPC Runtime. Error 1818 1818

What could be the problem?

squid -v
==
Squid Cache: Version 2.7.STABLE6
configure options: '--host=x86_64-redhat-linux-gnu' '--build=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--enable-linux-tproxy' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-digest-auth-helpers=password' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests' '--enable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-x-accelerator-vary' '--enable-xmalloc-statistics' '--enable-icmp' '--enable-kill-parent-hack' '--enable-arp-acl' '--enable-default-err-language=English' '--enable-err-languages=English' '--disable-http-violations' '--enable-large-cache-files' '--with-dl' '--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -m64 -mtune=generic' 'LDFLAGS=-pie'
==

squid.conf as below
=
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 10.200.8.20
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl localnet src 10.200.2.0/24
acl snmppublic snmp_community public
acl OWA dstdomain mail.airarabia.ae

http_access allow manager localhost
http_access deny manager
http_access allow localhost PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow OWA all
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
miss_access allow OWA
reply_body_max_size 52428800 allow all
follow_x_forwarded_for allow localnet
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
ssl_unclean_shutdown on
sslproxy_flags DONT_VERIFY_PEER

http_port 8080
http_port 10.200.8.20:80 accel defaultsite=mail.airarabia.ae vhost
https_port 10.200.8.20:443 accel \
    cert=/etc/squid/keys/airarabia_key.pem \
    key=/etc/squid/keys/airarabia_key.pem defaultsite=mail.airarabia.ae

cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
cache_peer mail.airarabia.ae parent 443 0 no-query \
    originserver front-end-https=on login=PASS name=owaServer \
    ssl sslcert=/etc/squid/keys/airarabia_crt.pem \
    sslkey=/etc/squid/keys/airarabia_key.pem sslflags=DONT_VERIFY_PEER
cache_peer_access owaServer allow OWA
cache_peer_access proxy1.emirates.net.ae allow !OWA

hierarchy_stoplist cgi-bin ?
cache_mem 600 MB
maximum_object_size_in_memory 20 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap GDSF
cache_dir aufs /cache 29000 16 256
store_dir_select_algorithm least-load
max_open_disk_fds 0
minimum_object_size 0 KB
maximum_object_size 1096 MB
cache_swap_low 90
cache_swap_high 95
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %a %Ss %03Hs %
mail_from Rusol
mail_program mail
cache_effective_user squid
cache_effective_group squid
httpd_suppress_version_string on
Re: [squid-users] RPC over HTTPS for Terminal Services Gateway
Hi,

At 10.23 24/11/2008, Andreas Adler wrote:
> Hi there
>
> I am running Squid 3.0 PRE6 as a reverse proxy for many applications and services. RPC over HTTPS for Exchange/OWA is running fine for a long time. Recently I tried to pass the TS Gateway through Squid, but this is giving me a very hard time. TS Gateway is using RPC over HTTPS just like Exchange does, but I always get an authentication error.
>
> Here is what I get:
> --
> TCP_MISS/401 399 RPC_IN_DATA https://server.domain.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/server.domain.com text/plain
> --
>
> Here is my access rule:
> cache_peer server.domain.com parent 443 0 proxy-only no-query originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER
>
> Does anybody run a Terminal Services Gateway (TS Gateway) being proxied through squid? Could there be something wrong with some NTLM passthrough?
> I am pretty clueless on this, so any help is very appreciated!

I never tested TS Gateway on Squid, but usually Exchange RPC over HTTPS works better using Basic authentication over SSL.

Another thing to verify is the Reverse Proxy SSL certificate: using self signed certificates for Exchange RPC over HTTPS, Outlook fails silently if the CA is not trusted.

Regards

Guido

> Thanks a lot!
> Andreas Adler

--
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
[squid-users] RPC over HTTPS for Terminal Services Gateway
Hi there

I am running Squid 3.0 PRE6 as a reverse proxy for many applications and services. RPC over HTTPS for Exchange/OWA is running fine for a long time. Recently I tried to pass the TS Gateway through Squid, but this is giving me a very hard time. TS Gateway is using RPC over HTTPS just like Exchange does, but I always get an authentication error.

Here is what I get:
--
TCP_MISS/401 399 RPC_IN_DATA https://server.domain.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/server.domain.com text/plain
--

Here is my access rule:
cache_peer server.domain.com parent 443 0 proxy-only no-query originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER

Does anybody run a Terminal Services Gateway (TS Gateway) being proxied through squid? Could there be something wrong with some NTLM passthrough?
I am pretty clueless on this, so any help is very appreciated!

Thanks a lot!
Andreas Adler
Re: [squid-users] RPC over HTTPS
On Thu, Sep 27, 2007, Washington Odhiambo wrote:
> Hello there
>
> If you guys get a working solution for this RPC over HTTP(S) thing,
> I'd be most grateful if you share the whole details of how you did it.
>
> Please CC me at least.

http://wiki.squid-cache.org/ConfigExamples/

Adrian
Re: [squid-users] RPC over HTTPS
Hello there

If you guys get a working solution for this RPC over HTTP(S) thing, I'd be most grateful if you share the whole details of how you did it.

Please CC me at least.

TIA
./Wash
Re: [squid-users] RPC over HTTPS
On tor, 2007-09-20 at 00:03 +0100, Gordon McKee wrote:
> Hi
>
> I have used the ca-bundle.crt file and a cafile= in the https_port section
> and I still get the following error:

It's cache_peer you need to give the CA information to.

Regards
Henrik
Re: [squid-users] RPC over HTTPS
Hi

I have used the ca-bundle.crt file and a cafile= in the https_port section and I still get the following error:

2007/09/19 23:58:49| Detected DEAD Parent: opls
2007/09/19 23:58:49| SSL unknown certificate error 20 in /C=GB/ST=West Midlands/L=Solihull/O=Optimal Profit Ltd/OU=StartCom Free Certificate Member/OU=Domain validated only/CN=www.opti***fit.com/emailAddress=ckee.com
2007/09/19 23:58:49| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2007/09/19 23:58:49| TCP connection to 192.168.0.11/443 failed

Sorry to be a pain - but the certificate file is an export of the one in IIS and the ca-bundle file is all the inter CA's and I appended the root CA at the top for good measure and still no luck? How can I get a certificate to validate mine?

Many thanks

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, September 19, 2007 7:06 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
On ons, 2007-09-19 at 16:17 +0100, Gordon McKee wrote:
> Hi
>
> I have changed the https_port line to:
>
> https_port 82.36.186.17:443 cert=/usr/local/etc/squid/opl20070919.pem
> capath=/etc/ssl/certs defaultsite=www.optimalprofit.com
>
> and put all the certificates in /etc/ssl/certs and it still does not work.
> Is there a simple how to on how to get these certificates to work?

capath needs an OpenSSL certificate directory. This has a bit of a special format.

Easier to use cafile which is just a single file with all the relevant certificates in it, one after the other. The effect is pretty much the same.

Regards
Henrik
Re: [squid-users] RPC over HTTPS
Hi

I have changed the https_port line to:

https_port 82.36.186.17:443 cert=/usr/local/etc/squid/opl20070919.pem capath=/etc/ssl/certs defaultsite=www.optimalprofit.com

and put all the certificates in /etc/ssl/certs and it still does not work. Is there a simple how to on how to get these certificates to work?

Many thanks for all your help.

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, September 18, 2007 8:42 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
Hi

Thanks for the info - it all makes sense!! I have got the Root and Inter CA files from the certificate vendor. Link here:

http://cert.startcom.org/?lang=en&app=110

and downloaded the pem for the root CA and the bundle file and none of them seem to work. I also tried my cert file to see if it would self sign - a long shot, and it didn't work.

Would the easiest way be to add the Root CA and Inter CA's into the certificate store on the FreeBSD box? Or, do I have to convert the CA certs to another format (but they are in pem format)?

Many thanks

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, September 18, 2007 8:42 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
On tis, 2007-09-18 at 20:31 +0100, Gordon McKee wrote:
> 19: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)

Your Squid is not trusting the CA that has issued the server certificate of the web server.

As you have already exported the certificate the easiest "fix" is to specify cafile=/path/to/certificate.pem, and will work until the certificate is renewed..

Regards
Henrik
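Henrik's point applies to the other cache_peer lines in this thread too: they all carry sslflags=DONT_VERIFY_PEER, which makes the "certificate verify failed" error go away by not verifying the backend at all, so Squid would accept any certificate on the link to Exchange. The following is an added example (not from the thread or from Squid) that reads a squid.conf, joins backslash-continued lines like the ones posted above, and reports each ssl-enabled cache_peer that has verification disabled or no CA configured. It assumes the cache_peer options are spelled sslcafile= and sslcapath= (the cache_peer forms of Henrik's cafile/capath); the sample config is constructed from lines quoted in the thread.

```python
"""Lint cache_peer lines in a squid.conf for backend TLS verification.
Added check, not part of Squid; the sample config is constructed from lines
quoted in this thread (backslash continuations included)."""
from typing import Dict, List

def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines, strip comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out

def cache_peer_tls_findings(conf: str) -> List[Dict[str, object]]:
    """For every cache_peer that uses 'ssl', report whether peer verification
    is disabled (sslflags=DONT_VERIFY_PEER) and whether a CA bundle or
    directory (sslcafile= / sslcapath=, assumed option names) is configured."""
    findings = []
    for line in logical_lines(conf):
        tok = line.split()
        if len(tok) < 5 or tok[0] != "cache_peer":
            continue
        host, options = tok[1], tok[5:]        # cache_peer host type port icp-port [opts]
        name = next((o[5:] for o in options if o.startswith("name=")), host)
        if "ssl" not in options:
            continue                           # plain-HTTP peer, nothing to verify
        flags = [o[9:].split(",") for o in options if o.startswith("sslflags=")]
        no_verify = any("DONT_VERIFY_PEER" in f for f in flags)
        has_ca = any(o.startswith(("sslcafile=", "sslcapath=")) for o in options)
        findings.append({"peer": name, "host": host,
                         "verifies_peer": not no_verify,
                         "ca_configured": has_ca,
                         "ok": (not no_verify) and has_ca})
    return findings

SAMPLE_CONF = """\
# constructed from the thread: two peers with verification disabled
# (one continued across lines) and one corrected to verify against a CA file
cache_peer 192.168.xxx.xxx parent 443 0 proxy-only no-query no-digest originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER name=exchangeServer
cache_peer mail.airarabia.ae parent 443 0 no-query \\
    originserver front-end-https=on login=PASS name=owaServer \\
    ssl sslflags=DONT_VERIFY_PEER
cache_peer 192.168.0.11 parent 443 0 no-query originserver login=PASS \\
    name=opl ssl sslcafile=/usr/local/etc/squid/ca-bundle.crt
cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
"""

if __name__ == "__main__":
    for finding in cache_peer_tls_findings(SAMPLE_CONF):
        print(finding)
```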
Re: [squid-users] RPC over HTTPS
On tis, 2007-09-18 at 17:38 +0100, Gordon McKee wrote:
> After a bit of debug switching on, I have found out that squid is not passing
> https traffic correctly.

Or your server is not accepting it from an https frontend...

> Would a cache_peer 443 entry work and drop the auto frontend?

Most likely.

Regards
Henrik
Re: [squid-users] RPC over HTTPS
Hi

I have switched off http on port 80 to make sure the https reverse proxy is working. This must be the problem!! I have exported the certificate from IIS and used the instructions below:

http://www.petefreitag.com/item/16.cfm

Now I get:

2007/09/18 20:21:51| Detected DEAD Parent: opls
2007/09/18 20:21:51| SSL unknown certificate error 20 in /C=GB/ST=West Midlands/L=Solihull/O=Optimal Profit Ltd/OU=StartCom Free Certificate Member/OU=Domain validated only/CN=www.optimalprofit.com/[EMAIL PROTECTED]
2007/09/18 20:21:51| fwdNegotiateSSL: Error negotiating SSL connection on FD 19: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2007/09/18 20:21:51| TCP connection to 192.168.0.11/443 failed
2007/09/18 20:23:31| Detected REVIVED Parent: opls

Has anyone got any ideas how to get the certificates talking to each other?

Many thanks

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, September 18, 2007 4:30 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
On tis, 2007-09-18 at 10:00 +0100, Gordon McKee wrote:
> When I try to connect in I get the following error:
>
> 2007/09/18 09:35:38| httpReadReply: Request not yet fully sent "RPC_IN_DATA
> https://www.optimalprofit.com/rpc/rpcproxy.dll?nt-opro-h3.gdmckee.home:6002"

This message is seen if the response is sent by the server before the POST:ed data has been transmitted..

A guess is that the server doesn't like you, or that you are forwarding the request to the wrong server...

What does access.log say?

Regards
Henrik
[squid-users] RPC over HTTPS
Hi

I have got the vast majority of this working reading the FAQ etc. I have set this up on RPC over HTTP SBS 2003 boxes so am confident that the exchange server is set up correctly. When I try to connect in I get the following error:

2007/09/18 09:35:38| httpReadReply: Request not yet fully sent "RPC_IN_DATA https://www.optimalprofit.com/rpc/rpcproxy.dll?nt-opro-h3.gdmckee.home:6002"
2007/09/18 09:35:38| httpReadReply: Request not yet fully sent "RPC_OUT_DATA https://www.optimalprofit.com/rpc/rpcproxy.dll?nt-opro-h3.gdmckee.home:6002"

Does anyone know how to resolve this?

Squid.conf looks as follows:

http_port proxy.gdmckee.home:3128
http_port 82..17:80 vhost vport
https_port 443 cert=/usr/local/etc/squid/op7.crt key=/usr/local/etc/squid/pre.key cafile=/usr/local/etc/squid/crt.crt defaultsite=www.optimalprofit.com

### Optimal Profit
cache_peer 192.168.0.11 parent 80 0 no-query originserver login=PASS name=opl front-end-https=auto
cache_peer_domain opl www.optimalprofit.com
acl hosted_domains dstdomain .optimalprofit.com
http_access allow hosted_domains
http_access allow our_networks

extension_methods RPC_IN_DATA RPC_OUT_DATA

Here is the output when squid starts:

2007/09/16 17:15:18| Reconfiguring Squid Cache (version 2.6.STABLE14)...
2007/09/16 17:15:18| FD 9 Closing HTTP connection
2007/09/16 17:15:18| FD 11 Closing HTTP connection
2007/09/16 17:15:18| FD 12 Closing HTTP connection
2007/09/16 17:15:18| FD 13 Closing ICP connection
2007/09/16 17:15:18| FD 14 Closing HTCP socket
2007/09/16 17:15:18| Initialising SSL.
2007/09/16 17:15:18| Using certificate in /usr/local/etc/squid/op*7.crt
2007/09/16 17:15:18| Using private key in /usr/local/etc/squid/p*.key
2007/09/16 17:15:18| Cache dir '/usr/local/squid/cache' size remains unchanged at 8388608 KB
2007/09/16 17:15:18| Extension method 'RPC_IN_DATA' added, enum=30
2007/09/16 17:15:18| Extension method 'RPC_OUT_DATA' added, enum=31
2007/09/16 17:15:18| Initialising SSL.
2007/09/16 17:15:18| User-Agent logging is disabled.
2007/09/16 17:15:18| Referer logging is disabled.
2007/09/16 17:15:18| DNS Socket created at 0.0.0.0, port 49795, FD 8
2007/09/16 17:15:18| Adding domain gdmckee.home from /etc/resolv.conf
2007/09/16 17:15:18| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2007/09/16 17:15:18| Accepting proxy HTTP connections at 192.168.0.1, port 3128, FD 9.
2007/09/16 17:15:18| Accepting accelerated HTTP connections at 82.36.186.17, port 80, FD 11.
2007/09/16 17:15:18| Accepting HTTPS connections at 0.0.0.0, port 443, FD 12.
2007/09/16 17:15:18| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2007/09/16 17:15:18| Accepting HTCP messages on port 4827, FD 14.
2007/09/16 17:15:18| WCCP Disabled.
2007/09/16 17:15:18| Configuring Parent 192.168.0.11/80/0
2007/09/16 17:15:18| Configuring Parent 192.168.0.1/80/0
2007/09/16 17:15:18| Loaded Icons.
2007/09/16 17:15:18| Ready to serve requests.

Any help would be much appreciated.

Many thanks

Gordon