Amos

I corrected squid.conf as you suggested; the regex ACL also works as planned now 
(many thanks).

Squid.conf:

##
visible_hostname OWAdomain
cache_mgr postmaster@OWAdomain
https_port 172.16.1.3:9070 accel vhost cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.pem cafile=/etc/ssl/CA/cacert.pem capath=/etc/ssl/CA/ sslcontext=id
cache_peer 10.200.210.25 parent 9070 0 proxy-only no-query no-digest ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN login=PASS front-end-https=on
cache_dir ufs /var/squid/cache 100 16 256
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
logfile_rotate 100
pid_filename /var/squid/squid.pid
acl OWA dstdomain OWAdomain
acl OWA_DIRS urlpath_regex -i ^/(rpc|owa|oab|autodiscover|Microsoft-Server-ActiveSync|public|exchweb|exchange)($|/.*)
never_direct allow OWA
cache_peer_access 10.200.210.25 allow OWA
http_access allow OWA OWA_DIRS
http_access deny all
##

But I still have no clue about the OWA form-based authentication problem. I’ve done 
some tests, and here is what I have in the logs:

IIS log on OWA with Forms based authentication enabled connecting via SQUID 
(doesn’t work):

##
2011-10-04 17:30:39 10.200.210.25 POST /owa/auth.owa &ex=E002 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 400 0 0 156
##

10.200.210.3 = internal FreeBSD (squid) box interface


Relevant SQUID access.log:

##
1317749452.720    155 client_IP TCP_MISS/400 585 POST https://owadomain:9070/owa/auth.owa - FIRST_UP_PARENT/10.200.210.25 text/html
##

IIS log on OWA with Forms based authentication enabled connecting directly from 
LAN (works normally):

##
2011-10-04 17:48:17 10.200.210.25 POST /owa/auth.owa - 9070 DOMAIN\User 10.200.210.100 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+InfoPath.2) 302 0 0 46
2011-10-04 17:48:17 10.200.210.25 GET /owa/forms/premium/StartPage.aspx 
&Initial+Budget>>Conn:1,HangingConn:0,AD:18000/18000/0%,CAS:90000/90000/0%,AB:18000/18000/0%,RPC:90000/90000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=8beafa9fb59c4656832510d0de6fadfd&prfltncy=105&prfrpccnt=45&prfrpcltncy=63&prfldpcnt=4&prfldpltncy=15&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/89922/1%,AB:18000/18000/0%,RPC:90000/89940/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm[Resources:(Mdb)HQ(Health:-1%,HistLoad:0),(DC)
 DC-SRV04.domain.LAN(Health:-1%,HistLoad:0),];GC:1/1/0; 9070 DOMAIN\User 
10.200.210.100
Etc..
##

IIS log on OWA with Plain Text authentication enabled connecting via squid 
(works normally):

##
2011-10-04 18:51:55 10.200.210.25 GET /owa - 9070 - 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 2 5 4843
2011-10-04 18:52:09 10.200.210.25 GET /owa - 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 301 0 0 140
2011-10-04 18:52:14 10.200.210.25 GET /owa/forms/premium/StartPage.aspx 
&Initial+Budget>>Conn:1,HangingConn:0,AD:18000/18000/0%,CAS:90000/90000/0%,AB:18000/18000/0%,RPC:90000/90000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=027f8d52ea6f442b9d264c023d77385c&prfltncy=4728&prfrpccnt=84&prfrpcltncy=1218&prfldpcnt=30&prfldpltncy=79&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87251/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm[Resources:(Mdb)HQ(Health:-1%,HistLoad:0),(DC)DC-SRV01.domain.LAN(Health:-1%,HistLoad:0),(DC)DC-SRV02.sub.domain.LAN(Health:-1%,HistLoad:0),(DC)DC-SRV03.domain.LAN(Health:-1%,HistLoad:0),];GC:2/0/0;
 9070 DOMAIN\User 10.200.210.3 
Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 
4765
2011-10-04 18:52:15 10.200.210.25 POST /owa/ev.owa 
oeh=1&ns=PendingRequest&ev=FinishNotificationRequest&Fn=1&UA=0&cpc=294872;C0:0;C1:0;C2:0;C3:0;C4:0;C5:0;C6:0;C7:0;C8:0;C9:0;C10:0&Initial+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87251/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=027f8d52ea6f442b9d264c023d77385c&prfltncy=66&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87205/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm
 9070 DOMAIN\User 10.200.210.3 
Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 
78
2011-10-04 18:52:15 10.200.210.25 POST /owa/ev.owa 
oeh=1&ns=ClientCache&ev=Get&Initial+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87205/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=027f8d52ea6f442b9d264c023d77385c&prfltncy=175&prfrpccnt=2&prfrpcltncy=0&prfldpcnt=11&prfldpltncy=31&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87034/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm[Resources:(Mdb)HQ(Health:-1%,HistLoad:0),]
 9070 DOMAIN\User 10.200.210.3 
Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 
171
etc..
##

Relevant SQUID access.log:

##
1317754329.098   4845 client_IP TCP_MISS/401 1805 GET https://OWAdomain:9070/owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754343.454    139 client_IP TCP_MISS/301 688 GET https://OWAdomain:9070/owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754348.261   4753 client_IP TCP_MISS/200 28103 GET https://OWAdomain:9070/owa/ - FIRST_UP_PARENT/10.200.210.25 text/html
1317754349.458     81 client_IP TCP_MISS/200 711 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754350.010    180 client_IP TCP_MISS/200 1394 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 application/x-javascript
1317754350.387    109 client_IP TCP_MISS/200 486 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 -
1317754350.518    140 client_IP TCP_MISS/200 4658 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754350.912     47 client_IP TCP_MISS/200 4856 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.026     18 client_IP TCP_MISS/200 4696 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.098     12 client_IP TCP_MISS/200 4375 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.171     11 client_IP TCP_MISS/200 4692 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.244     11 client_IP TCP_MISS/200 4788 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.405     97 client_IP TCP_MISS/200 6595 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.485     15 client_IP TCP_MISS/200 4161 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.565     18 client_IP TCP_MISS/200 4542 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754355.721   6208 client_IP TCP_MISS/200 1007 GET https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754355.960    209 client_IP TCP_MISS/302 697 GET https://OWAdomain:9070/owa/logoff.owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754355.961    222 client_IP TCP_MISS/200 711 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754356.041     30 client_IP TCP_MISS/200 2661 GET https://OWAdomain:9070/owa/auth/logoff.aspx? - FIRST_UP_PARENT/10.200.210.25 text/html
##

I would not mind plain text auth since it is done over SSL, but the 
problem is that the Safari browser on iPhones and iPads doesn’t keep login and pass 
data for such a login interface, and people complain they have to input it 
every time.

Any suggestions greatly appreciated.

Sergey
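
The triage done by eye in the message above can be scripted. The following is an added example, not part of the original post or of Squid itself: it applies the OWA_DIRS pattern from the squid.conf to each access.log URL path and lists requests that the ACL admitted and the parent peer answered with an error other than the 401 Basic challenge. The sample log is constructed (client address and the `/notlisted/` entry are placeholders), and Python's `re` is assumed to behave like Squid's regex engine for this pattern.

```python
import re
from urllib.parse import urlsplit

# OWA_DIRS pattern copied from the squid.conf above; -i maps to re.IGNORECASE.
# Assumption: Python's re matches like Squid's POSIX regex for this pattern,
# which only uses grouping, alternation and anchors.
OWA_DIRS = re.compile(
    r"^/(rpc|owa|oab|autodiscover|Microsoft-Server-ActiveSync|public|exchweb|exchange)($|/.*)",
    re.IGNORECASE,
)

# Constructed sample in Squid's native access.log layout, modelled on the
# entries in the post; 192.0.2.10 and the /notlisted/ line are placeholders.
SAMPLE_LOG = """\
1317749452.720    155 192.0.2.10 TCP_MISS/400 585 POST https://owadomain:9070/owa/auth.owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754329.098   4845 192.0.2.10 TCP_MISS/401 1805 GET https://OWAdomain:9070/owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754348.261   4753 192.0.2.10 TCP_MISS/200 28103 GET https://OWAdomain:9070/owa/ - FIRST_UP_PARENT/10.200.210.25 text/html
1317754400.000      2 192.0.2.10 TCP_DENIED/403 1200 GET https://OWAdomain:9070/notlisted/ - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    if len(f) < 10:
        return None  # skip truncated or wrapped lines
    result, _, status = f[3].partition("/")
    return {"result": result, "status": int(status), "method": f[5],
            "path": urlsplit(f[6]).path, "peer": f[8]}

def triage(log_text):
    """Return (acl_match, forwarded, status, method, path) per log entry."""
    rows = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        acl = bool(OWA_DIRS.search(e["path"]))
        forwarded = e["peer"].startswith("FIRST_UP_PARENT/")
        rows.append((acl, forwarded, e["status"], e["method"], e["path"]))
    return rows

def upstream_errors(log_text):
    """Requests the ACL admitted that the parent answered with 4xx/5xx, 401 excluded."""
    return [r for r in triage(log_text)
            if r[0] and r[1] and r[2] >= 400 and r[2] != 401]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print("upstream errors:", upstream_errors(SAMPLE_LOG))
```

On the sample, only the POST to `/owa/auth.owa` is reported, which separates a response generated by the parent (IIS) from a request denied by Squid's own ACLs.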
