Yes, users may have to pass through up to 2 proxies before reaching the one doing the NTLM authentication. Their clients are configured to actually use those proxies. The only allowed auth method is NTLM, besides the currently used IP-based one, which is to be disabled in the foreseeable future.
Most restraints we have here are based on (sometimes ridiculous) company rules we have to abide by. So the fact that even a guy in China has to be authenticated in the main farm can't be changed. - sigh -

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 16 May 2006 17:34
To: Baumgaertel, Oliver
Cc: Adrian Chadd; squid-dev@squid-cache.org
Subject: Re: NTLM forwarding in 2.6 ?

I'm still not sure what you mean; do you mean clients will speak NTLM to the intranet server but have squid configured as a web proxy?

Adrian

On Tue, May 16, 2006, Baumgaertel, Oliver wrote:
>
>
> We have several layers of proxies:
>
> User -> Region -> Region -> inner farm -|Firewall|-> DMZ farm -|Firewall|-> Internet
> User -----------> Region ->
> User --------------------->
>
> We do all our authentication/authorisation and filtering based on
> user/group in the inner farm. Currently we mainly do authentication
> based on the IP address(-range) (around 95%) and only very few users are
> authenticated via NTLM. However, we are under orders to change that in
> the foreseeable future to pure NTLM. So that'll be for proxy
> authentication; server NTLM is only done within the intranet itself and
> that's taken care of in the proxy settings of the clients.
>
> BlueCoats, for example, allow such a scenario with a thing called "NTLM
> forwarding". As far as I am aware that's not possible with Squid right
> now. So I wonder if that'll be part of the upcoming Stable 2.6/3, as
> we've to start planning for the necessary changes rather soon.