Re: [squid-users] NTLM-transparent?

From: nairb rotsak <ipguru99_at_yahoo.com>
Date: Sun, 29 Jun 2008 16:13:47 -0700 (PDT)

Ok... now I am confused. I haven't set it up in a test environment, but apparently I will have to. Henrik, is it because I am using DG? I just could swear I read somewhere that NTLM using a transparent proxy doesn't work? ----- Original Message ---- From: Nick Duda <nduda_at_VistaPrint.com> To: Henrik Nordstrom <henrik_at_henriknordstrom.net>; nairb rotsak <ipguru99_at_yahoo.com> Cc: "squid-users_at_squid-cache.org" <squid-users_at_squid-cache.org> Sent: Sunday, June 29, 2008 6:01:53 PM Subject: RE: [squid-users] NTLM-transparent? We do NTLM auth with squid setup transparently. We get all the names and IP's in the logs and it works great, no issues (Stable) in a 400 person call center that bangs away on an internal web application very heavily. We use SmartFilter and Squid to achieve this. - Nick ________________________________________ From: Henrik Nordstrom [henrik_at_henriknordstrom.net] Sent: Sunday, June 29, 2008 5:57 PM To: nairb rotsak Cc: squid-users_at_squid-cache.org Subject: Re: [squid-users] NTLM-transparent? On sön, 2008-06-29 at 08:48 -0700, nairb rotsak wrote: > I am used to running Squid/Dansguardian/Samba with ntlm auth. But I > have always used it as a stand-alone proxy.. never at the gateway. I > do it this way because I was always told that the usernames will not > show up in logs (ntlm's fault.. not Squid) when Squid is in > transparent mode. True.. > Is this still true? How the heck does the iPrism do it? ;-) They may have hacked Squid to allow NTLM WWW authentication (not proxy authentication) in transparent interception mode. Highly unstandard, and only works for the non-standard connection oriented auth schemes (NTLM/Negotiate/Kerberos). Another possibility is that they use an IP session cache, redirecting the user to "the gateway webserver" for authentication if no already established session, and link this to Squid via external_acl_type providing the username of the session based on the client IP. Have done this myself in another product (also squid based), and requires some additional software to keep track of the sessions. Regards Henrik
Received on Sun Jun 29 2008 - 23:13:54 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 30 2008 - 12:00:05 MDT