Re: [squid-users] RPC over HTTPS for Terminal Services Gateway
Hi,

At 10.23 24/11/2008, Andreas Adler wrote:

> Hi there
>
> I am running Squid 3.0 PRE6 as a reverse proxy for many applications and services. RPC over HTTPS for Exchange/OWA has been running fine for a long time. Recently I tried to pass the TS Gateway through Squid, but this is giving me a very hard time. TS Gateway is using RPC over HTTPS just like Exchange does, but I always get an authentication error.
>
> Here is what I get:
>
> --
> TCP_MISS/401 399 RPC_IN_DATA https://server.domain.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/server.domain.com text/plain
> --
>
> Here is my access rule:
>
> cache_peer server.domain.com parent 443 0 proxy-only no-query originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER
>
> Does anybody run a Terminal Services Gateway (TS Gateway) being proxied through squid? Could there be something wrong with some NTLM passthrough? I am pretty clueless on this, so any help is very appreciated!

I never tested TS Gateway on Squid, but usually Exchange RPC over HTTPS works better using Basic authentication over SSL.

Another thing to verify is the Reverse Proxy SSL certificate: using self-signed certificates for Exchange RPC over HTTPS, Outlook fails silently if the CA is not trusted.

Regards

Guido

> Thanks a lot!
> Andreas Adler

--
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
Re: [squid-users] RPC over HTTPS
On Thu, Sep 27, 2007, Washington Odhiambo wrote:
> Hello there
>
> If you guys get a working solution for this RPC over HTTP(S) thing,
> I'd be most grateful if you share the whole details of how you did it.
>
> Please CC me at least.

http://wiki.squid-cache.org/ConfigExamples/

Adrian
Re: [squid-users] RPC over HTTPS
Hello there

If you guys get a working solution for this RPC over HTTP(S) thing, I'd be most grateful if you share the whole details of how you did it.

Please CC me at least.

TIA
./Wash
Re: [squid-users] RPC over HTTPS
On tor, 2007-09-20 at 00:03 +0100, Gordon McKee wrote:
> Hi
>
> I have used the ca-bundle.crt file and a cafile= in the https_port section
> and I still get the following error:

It's cache_peer you need to give the CA information to.

Regards
Henrik
Re: [squid-users] RPC over HTTPS
Hi

I have used the ca-bundle.crt file and a cafile= in the https_port section and I still get the following error:

2007/09/19 23:58:49| Detected DEAD Parent: opls
2007/09/19 23:58:49| SSL unknown certificate error 20 in /C=GB/ST=West Midlands/L=Solihull/O=Optimal Profit Ltd/OU=StartCom Free Certificate Member/OU=Domain validated only/CN=www.opti***fit.com/emailAddress=ckee.com
2007/09/19 23:58:49| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2007/09/19 23:58:49| TCP connection to 192.168.0.11/443 failed

Sorry to be a pain - but the certificate file is an export of the one in IIS and the ca-bundle file is all the inter CAs, and I appended the root CA at the top for good measure, and still no luck? How can I get a certificate to validate mine?

Many thanks

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, September 19, 2007 7:06 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
On ons, 2007-09-19 at 16:17 +0100, Gordon McKee wrote:
> Hi
>
> I have changed the https_port line to:
>
> https_port 82.36.186.17:443 cert=/usr/local/etc/squid/opl20070919.pem
> capath=/etc/ssl/certs defaultsite=www.optimalprofit.com
>
> and put all the certificates in /etc/ssl/certs and it still does not work.
> Is there a simple how-to on how to get these certificates to work?

capath needs an OpenSSL certificate directory. This has a somewhat special format. Easier to use cafile, which is just a single file with all the relevant certificates in it, one after the other. The effect is pretty much the same.

Regards
Henrik
Re: [squid-users] RPC over HTTPS
Hi

I have changed the https_port line to:

https_port 82.36.186.17:443 cert=/usr/local/etc/squid/opl20070919.pem capath=/etc/ssl/certs defaultsite=www.optimalprofit.com

and put all the certificates in /etc/ssl/certs and it still does not work. Is there a simple how-to on how to get these certificates to work?

Many thanks for all your help.

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, September 18, 2007 8:42 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
Hi

Thanks for the info - it all makes sense!! I have got the Root and Inter CA files from the certificate vendor. Link here:

http://cert.startcom.org/?lang=en&app=110

and downloaded the pem for the root CA and the bundle file and none of them seem to work. I also tried my cert file to see if it would self sign - a long shot, and it didn't work.

Would the easiest way be to add the Root CA and Inter CAs into the certificate store on the FreeBSD box? Or, do I have to convert the CA certs to another format (but they are in pem format)?

Many thanks

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, September 18, 2007 8:42 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
On tis, 2007-09-18 at 20:31 +0100, Gordon McKee wrote:
> 19: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)

Your Squid is not trusting the CA that has issued the server certificate of the web server.

As you have already exported the certificate, the easiest "fix" is to specify cafile=/path/to/certificate.pem, and it will work until the certificate is renewed.

Regards
Henrik
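The trust failure in Gordon's log and the cafile/capath difference Henrik explains can be reproduced offline. The script below is an added example, not code from this thread or from the Squid project: it builds a throwaway root, intermediate and server certificate with the openssl CLI, shows the same "error 20" when only the root is trusted or when the CA directory is not in OpenSSL's hashed layout, and shows both verifications succeeding once the bundle is concatenated intermediate-then-root or the directory is hashed. The CA names, the host www.example.test, the 192.168.0.11 peer and the squid.conf line it writes are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread.  It reproduces the
# "certificate verify failed" (error 20) that Squid logged for the
# cache_peer, then shows the two fixes Henrik describes: cafile= (one
# concatenated PEM) and capath= (an OpenSSL hashed directory).  All names
# and paths are made up; only the openssl CLI is needed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private openssl config so the run does not depend on the system one.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# Toy chain root -> intermediate -> server, shaped like a vendor's.
q openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -keyout root.key \
    -out root.pem -subj "/CN=Toy Root CA" -days 30 -extensions v3_ca
q openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key \
    -out inter.csr -subj "/CN=Toy Intermediate CA"
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1 \
    -days 30 -extfile req.cnf -extensions v3_ca -out inter.pem
q openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout server.key \
    -out server.csr -subj "/CN=www.example.test"
q openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -set_serial 2 \
    -days 30 -extfile req.cnf -extensions v3_leaf -out server.pem

# The check Squid performs on connect: the cert the origin presents must
# chain to something in the trust material it was given.  The verifier's
# text is returned; "server.pem: OK" means the chain validated.
verify_cafile() { openssl verify -CAfile "$1" server.pem 2>&1; }
verify_capath() { openssl verify -CApath "$1" server.pem 2>&1; }

# cafile= as Henrik suggests: intermediate(s) then root, PEM blocks one
# after the other.  Root alone cannot link the leaf to a trusted issuer,
# so it yields "error 20 ... unable to get local issuer certificate".
cat inter.pem root.pem > ca-bundle.pem

# capath= needs the hashed layout <subject-hash>.0 -> cert; a plain
# directory of PEM files is never consulted, which is why filling
# /etc/ssl/certs changed nothing.  (openssl rehash / c_rehash automate this.)
mkdir capath-plain capath-hashed
cp inter.pem root.pem capath-plain/
for c in inter.pem root.pem; do
    ln -s "../$c" "capath-hashed/$(openssl x509 -noout -hash -in "$c").0"
done

# The bundle belongs on the cache_peer line (sslcafile=), not on
# https_port, whose cafile= is for client certificates.  Hypothetical
# squid.conf line; it also leaves out sslflags=DONT_VERIFY_PEER, which
# would silence the error by disabling verification altogether.
cat > squid-peer.conf <<EOF
cache_peer 192.168.0.11 parent 443 0 no-query originserver proxy-only ssl sslcafile=$WORK/ca-bundle.pem front-end-https=on
EOF

show_results() {
    echo "root only:     $(verify_cafile root.pem || true)"
    echo "bundle:        $(verify_cafile ca-bundle.pem)"
    echo "plain capath:  $(verify_capath capath-plain || true)"
    echo "hashed capath: $(verify_capath capath-hashed)"
    cat squid-peer.conf
}
show_results
```

Run it as-is; the first and third verifications print the error 20 text, the second and fourth print `server.pem: OK`. For a real deployment the bundle is the vendor's intermediate(s) plus root, not the exported server certificate, so it keeps working after the server certificate is renewed.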
Re: [squid-users] RPC over HTTPS
On tis, 2007-09-18 at 17:38 +0100, Gordon McKee wrote:
> After a bit of debug switching on, I have found out that squid is not passing
> https traffic correctly.

Or your server is not accepting it from an https frontend...

> Would a cache_peer 443 entry work and drop the auto frontend?

Most likely.

Regards
Henrik
Re: [squid-users] RPC over HTTPS
Hi

I have switched off http on port 80 to make sure the https reverse proxy is working. This must be the problem!! I have exported the certificate from IIS and used the instructions below:

http://www.petefreitag.com/item/16.cfm

Now I get:

2007/09/18 20:21:51| Detected DEAD Parent: opls
2007/09/18 20:21:51| SSL unknown certificate error 20 in /C=GB/ST=West Midlands/L=Solihull/O=Optimal Profit Ltd/OU=StartCom Free Certificate Member/OU=Domain validated only/CN=www.optimalprofit.com/[EMAIL PROTECTED]
2007/09/18 20:21:51| fwdNegotiateSSL: Error negotiating SSL connection on FD 19: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2007/09/18 20:21:51| TCP connection to 192.168.0.11/443 failed
2007/09/18 20:23:31| Detected REVIVED Parent: opls

Has anyone got any ideas how to get the certificates talking to each other?

Many thanks

Gordon

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Gordon McKee" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, September 18, 2007 4:30 PM
Subject: Re: [squid-users] RPC over HTTPS
Re: [squid-users] RPC over HTTPS
On tis, 2007-09-18 at 10:00 +0100, Gordon McKee wrote:
> When I try to connect in I get the following error:
>
> 2007/09/18 09:35:38| httpReadReply: Request not yet fully sent "RPC_IN_DATA
> https://www.optimalprofit.com/rpc/rpcproxy.dll?nt-opro-h3.gdmckee.home:6002"

This message is seen if the response is sent by the server before the POSTed data has been transmitted.

A guess is that the server doesn't like you, or that you are forwarding the request to the wrong server...

What does access.log say?

Regards
Henrik