FW: [squid-users] Squid, ISA and Sharepoint

2008-02-27 Thread Dwyer, Simon
Hi again,

I have got even more info on how this would like to be done.

They are talking about they might want to use Forms authentication for users
on the internet and from what I think I understand that is basically just a
.net website so that should be too hard to get running :\

But in the end they would really like AD authentication without forms
because forms reports the username differently to sharepoint it seems.

If I was not to use NTLM but simple ldap calls to AD would this allow me to
authenticate on squid then send the credentials straight through to sharepoint
for it to be authenticated again there?  From what I see the auth type needs
to be kept to the basic type to be able to pass through? Could someone
elaborate here for me?

Sorry for all the questions but I have spent a lot of time googling and can't
really get a definite answer.

Cheers,

Simon Dwyer

-Original Message-
From: Dwyer, Simon 
Sent: Wednesday, 27 February 2008 11:26 AM
To: Dwyer, Simon
Subject: RE: [squid-users] Squid, ISA and Sharepoint

Hi all,

I have now been given a rundown on what the company wants to do with the
reverse proxy.

Basically they want to serve a sharepoint server via a reverse proxy that
will do authentication with AD, Forms authentication and Anon access
(guest).

They want to do authentication on the proxy and then have the proxy pass the
credentials through to sharepoint so they won't have to authenticate again.
They are saying ISA will do this fine (have not really looked into it).

They want to do the auth on the proxy so that the authentication happens
before the connection gets into the internal network.

Will this be possible with Squid, be it 2.6 or 3.0? 

Cheers in advance.

Simon Dwyer
-Original Message-
From: Dwyer, Simon 
Sent: Tuesday, 19 February 2008 8:28 AM
To: 'Kinkie'; Adrian Chadd
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid, ISA and Sharepoint

This is the kind of information and insight I was after.   Thanks for the
ideas guys :)

Simon.

-Original Message-
From: Kinkie [mailto:[EMAIL PROTECTED] 
Sent: Monday, 18 February 2008 5:38 PM
To: Adrian Chadd
Cc: Dwyer, Simon; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid, ISA and Sharepoint

On Feb 18, 2008 7:37 AM, Adrian Chadd [EMAIL PROTECTED] wrote:
> On Mon, Feb 18, 2008, Dwyer, Simon wrote:
>
>> I believe they want to authenticate twice but I do not really see the point.
>> They will have to authenticate with the sharepoint no matter what happens.
>>
>> Is it possible to get squid to authenticate a user using Active Directory
>> while reverse proxying?
>
> I'm not sure if Squid can do NTLM authentication as an origin server.
> I know it can just pass through the requests and let the sharepoint server
> do authentication.
>
> Henrik? Robert? Kinkie?

It should work just fine, there's nothing in the code that I remember
preventing it. The only way to be sure is just trying :)

Authenticating in NTLM over the Internet however is, in my opinion,
pointless and even dangerous - even Microsoft recommends against it
(or at least used to).
It allows anyone on the Internet to mount a wide range of DOS attacks
against AD - I'm not talking about a performance DOS, what I'm
referring to is the possibility to lock one (or all) users out of
logging on their PC.

-- 
/kinkie
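
The setup asked about in the message above (Basic authentication at the reverse proxy, checked against AD over LDAP, with the same credentials forwarded to SharePoint), as an added squid.conf sketch that is not from any poster in this thread. Hostnames, addresses, DNs and file paths are placeholders, and the helper path is an assumption that varies by distribution.

```conf
# Added sketch; hostnames, IPs, DNs and file paths are placeholders.
# Directive names are those of Squid 2.6/3.0; helper path varies by distribution.

# Terminate TLS at the proxy: Basic credentials are only base64-encoded,
# so they must never cross the Internet in clear text.
https_port 443 accel cert=/etc/squid/sharepoint.pem defaultsite=sharepoint.example.com

# Verify Basic credentials against AD with an LDAP bind (no NTLM involved).
# -W reads the bind password from a file instead of exposing it in the
# process list; -R disables referral chasing, which AD commonly needs.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -h dc1.example.com -b "dc=example,dc=com" -D "cn=squid-bind,cn=Users,dc=example,dc=com" -W /etc/squid/ldap.secret -f "sAMAccountName=%s"
auth_param basic children 5
auth_param basic realm SharePoint
auth_param basic credentialsttl 5 minutes

acl sp_site dstdomain sharepoint.example.com
acl ad_user proxy_auth REQUIRED

# Origin server on the internal network. login=PASS forwards the client's
# Basic credentials unchanged, so SharePoint/IIS must also accept Basic
# and check them against the same AD.
cache_peer 10.0.0.5 parent 80 0 no-query originserver login=PASS name=sharepoint
cache_peer_access sharepoint allow sp_site
cache_peer_access sharepoint deny all

# Nothing reaches the internal network before authentication succeeds.
http_access deny !sp_site
http_access allow ad_user
http_access deny all
```

Failed LDAP binds made by the helper count toward the AD lockout threshold just as failed NTLM logons do, so the account-lockout concern raised in the thread applies to this design as well.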


RE: [squid-users] Squid, ISA and Sharepoint

2008-02-18 Thread Dwyer, Simon
This is the kind of information and insight I was after.   Thanks for the
ideas guys :)

Simon.

-Original Message-
From: Kinkie [mailto:[EMAIL PROTECTED] 
Sent: Monday, 18 February 2008 5:38 PM
To: Adrian Chadd
Cc: Dwyer, Simon; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid, ISA and Sharepoint

On Feb 18, 2008 7:37 AM, Adrian Chadd [EMAIL PROTECTED] wrote:
> On Mon, Feb 18, 2008, Dwyer, Simon wrote:
>
>> I believe they want to authenticate twice but I do not really see the point.
>> They will have to authenticate with the sharepoint no matter what happens.
>>
>> Is it possible to get squid to authenticate a user using Active Directory
>> while reverse proxying?
>
> I'm not sure if Squid can do NTLM authentication as an origin server.
> I know it can just pass through the requests and let the sharepoint server
> do authentication.
>
> Henrik? Robert? Kinkie?

It should work just fine, there's nothing in the code that I remember
preventing it. The only way to be sure is just trying :)

Authenticating in NTLM over the Internet however is, in my opinion,
pointless and even dangerous - even Microsoft recommends against it
(or at least used to).
It allows anyone on the Internet to mount a wide range of DOS attacks
against AD - I'm not talking about a performance DOS, what I'm
referring to is the possibility to lock one (or all) users out of
logging on their PC.

-- 
/kinkie


[squid-users] Squid, ISA and Sharepoint

2008-02-17 Thread Dwyer, Simon

Hey everyone,

The company I am working for is trying to push MS ISA into the dmz... sigh.
We currently run ISA on our internal network which all the machines talk to
for their proxy which in turn talks to the squid server in the dmz as an
upstream proxy.   We have done it this way as the company wants to use
SurfControl and name resolution seems to work better with ISA.

They are installing a Sharepoint server which they will want to give access
to people from the internet as well as internal.  This brought up the debate
on having the ISA server in the DMZ to do the authentication.  We currently
have squid already doing reverse proxy for some websites and works a treat.

I believe they want to authenticate twice but I do not really see the point.
They will have to authenticate with the sharepoint no matter what happens.

Is it possible to get squid to authenticate a user using Active Directory
while reverse proxying?

Cheers,

Simon


Re: [squid-users] Squid, ISA and Sharepoint

2008-02-17 Thread Adrian Chadd
On Mon, Feb 18, 2008, Dwyer, Simon wrote:

> I believe they want to authenticate twice but I do not really see the point.
> They will have to authenticate with the sharepoint no matter what happens.
>
> Is it possible to get squid to authenticate a user using Active Directory
> while reverse proxying?

I'm not sure if Squid can do NTLM authentication as an origin server.
I know it can just pass through the requests and let the sharepoint server
do authentication.

Henrik? Robert? Kinkie?



Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


Re: [squid-users] Squid, ISA and Sharepoint

2008-02-17 Thread Kinkie
On Feb 18, 2008 7:37 AM, Adrian Chadd [EMAIL PROTECTED] wrote:
> On Mon, Feb 18, 2008, Dwyer, Simon wrote:
>
>> I believe they want to authenticate twice but I do not really see the point.
>> They will have to authenticate with the sharepoint no matter what happens.
>>
>> Is it possible to get squid to authenticate a user using Active Directory
>> while reverse proxying?
>
> I'm not sure if Squid can do NTLM authentication as an origin server.
> I know it can just pass through the requests and let the sharepoint server
> do authentication.
>
> Henrik? Robert? Kinkie?

It should work just fine, there's nothing in the code that I remember
preventing it. The only way to be sure is just trying :)

Authenticating in NTLM over the Internet however is, in my opinion,
pointless and even dangerous - even Microsoft recommends against it
(or at least used to).
It allows anyone on the Internet to mount a wide range of DOS attacks
against AD - I'm not talking about a performance DOS, what I'm
referring to is the possibility to lock one (or all) users out of
logging on their PC.

-- 
/kinkie