RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Hello all,

I'm glad to inform you that I have found a workaround solution for Outlook Anywhere clients via NTLM. I really didn't want to change any config of my clients' Outlook, which are actually configured on NTLM auth via Outlook RPC Proxy settings. Outlook Anywhere is configured in NTLM.

Recently I have found that the main problem with squid was the double hop NTLM. So I thought of a different way:

NTLM client credentials - SQUID - Basic Squid Auth - IIS RPC PROXY - NTLM client credentials carried by squid - Outlook Anywhere

And that works!!

The trick is to enable both Integrated Windows Authentication (NTLM) AND Basic authentication on the Rpc virtual directory of IIS (6 for my own). On Squid you have to use login:DOMAIN\user:password to send a credential that can auth (I have used Admin one). Dunno if it's secure to use AD admin user/pass directly in squid.conf? Anyway that works so I'll continue to test now with that config. Now I have to test ActiveSync with iPhone, and after with my BlackBerry Server Express.

I can paste you some of my configurations if you need.

Regards
Clem

-----Original message-----
From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
Sent: Sunday 18 March 2012 12:36
To: clemf...@free.fr
Cc: Amos Jeffries; squid-users@squid-cache.org
Subject: R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Hi Clem,

Currently it seems that a fully working reverse proxy Open Source solution for Exchange 2007 and 2010 is not available. Squid is really near to being fully functional, but there are still some problems. Look at my comments in this bug: http://bugs.squid-cache.org/show_bug.cgi?id=3141

Currently I'm running a patched Squid 3.1.19 with HTTP 1.1 support enabled in front of an Exchange 2010 Server. RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry clients is still problematic. I have tried also to use 3.2, but things seem to be worse: RPC doesn't work at all.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1
10098 - Rivoli (TO) - ITALY
Tel.: +39.011.9530135
Fax: +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it

-----Original message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday 16 March 2012 11:54
To: squid-users@squid-cache.org
Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 14/03/2012 11:32 p.m., Clem wrote:
> Hello,
>
> Ok so I know exactly why squid can't forward ntlm credentials and stops at type1. It's facing the double hop issue: ntlm credentials can be sent only on one hop, and are lost with 2 hops like:
>
> client - squid (hop1) - IIS6 rpc proxy (hop2) - exchange 2007
>
> That's why when I connect directly to my iis6 rpc proxy it works, and when I connect through squid it requests login/pass again and again. And we can clearly see that on https analyses.
>
> ISA server has a workaround about this double hop issue as I have written in my last mail, I don't know if squid can act like this. I'm searching atm how to set iis6 perhaps to resolve this problem, but I don't want to break my exchange so I have to do my tests very carefully.
>
> Cheers.

I've added a mention of this to the NTLM issues wiki page now for others to find along with the archive of these messages.

Amos
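For readers who want to see what the Squid side of Clem's scheme looks like, here is an added example configuration (not Clem's own config and not from the thread): a Squid 3.1 reverse proxy that terminates the Outlook Anywhere HTTPS session and forwards to the IIS 6 RPC proxy with a fixed Basic credential via the cache_peer login= option. The hostnames, IP address, certificate paths and the account name are assumed placeholders.

```conf
# Added example, not from the thread. Squid 3.1 accelerator in front of
# an Exchange 2007 CAS running the IIS 6 RPC proxy.

# Outlook Anywhere clients connect here over HTTPS (placeholder names).
https_port 443 accel defaultsite=mail.example.com cert=/etc/squid/certs/mail.example.com.crt key=/etc/squid/certs/mail.example.com.key

# The IIS RPC proxy (placeholder address). login= makes Squid send a
# fixed Basic Authorization header to the origin, which is what carries
# the request across the second hop that NTLM cannot cross.
# Verify the IIS certificate against the internal CA instead of
# disabling verification.
# Use a dedicated, least-privilege service account here rather than a
# domain admin: every client request reaches IIS under this identity,
# and the password sits in clear text in this file, so squid.conf must
# also be readable by the squid user only.
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/certs/internal-ca.pem login=EXAMPLE\svc_owa_proxy:REPLACE_WITH_PASSWORD name=exchange

# Only requests for the published site may use the peer.
acl exchange_site dstdomain mail.example.com
cache_peer_access exchange allow exchange_site
cache_peer_access exchange deny all
http_access allow exchange_site
http_access deny all
```

Both Basic and Integrated Windows Authentication must be enabled on the Rpc virtual directory in IIS, as the message above describes, or the Basic header Squid sends will be rejected.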
RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Forgot the powershell command:

get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm

Infos there: http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/

-----Original message-----
From: Clem [mailto:clemf...@free.fr]
Sent: Thursday 22 March 2012 14:32
To: squid-users@squid-cache.org
Cc: Amos Jeffries; squid-users@squid-cache.org
Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
On 9/03/2012 1:21 a.m., Clem wrote:
> Back to send my feedback after testing proxy rpc via ntlm and squid 3.1.19, the main problem is I can't force squid to use http1.1, in https analyzer I can see squid is http1.0. How can I force squid 3.1.19 to use http1.1?

3.1 series still sends HTTP/1.0 when communicating to clients because there are some critical HTTP features that are not supported in the 3.1 code (1xx status code handling being the major one). It is very likely the RPC software will attempt to use these features to work around NTLM issues if 1.1 is advertised by Squid. If that happens things go bad fast.

If 1.1 is the blocker requirement for RPC + HTTPS, then the only answer is to use the 3.2 series. 3.2.0.16 is looking very good so far despite its beta status. So you might be able to use it.

Amos