Hi,
We are migrating to Exchange from another Exchange-like product, and I still struggle with NTLM authentication for the remote users with Outlook (RPC over HTTPS).
The setup is:
- Firewall with Squid 2.6.18-1ubuntu3 (manually compiled to enable SSL)
- Exchange in the LAN
- Exchange-like product on the firewall, using Apache2 (still in production)
I found some examples on the net to proxy certain URLs to the local Apache and all others to Exchange.
For laptops, this setup works when I use Basic authentication, but that creates annoying password prompts when the laptop user is in the LAN.
Squid.conf:
visible_hostname mail.company.com
persistent_connection_after_error on
###############################################################################
# Exchange 2010
# extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA
# We listen on 195.xxx.xxx.xxx, our primary line
# mail.company.com.crt is an official certificate
https_port 195.xxx.xxx.xxx:443 cert=/etc/ssl/keys/mail.company.com.crt key=/etc/ssl/keys/mail.company.com.pem defaultsite=mail.company.com
# We also listen on 212.xxx.xxx.xxx, a 2nd line for testing ActiveSync on Exchange
# 212.xxx.xxx.xxx.crt is a self generated certificate
https_port 212.xxx.xxx.xxx:443 cert=/etc/ssl/keys/212.xxx.xxx.xxx.crt key=/etc/ssl/keys/212.xxx.xxx.xxx.pem defaultsite=212.xxx.xxx.xxx
# localhost has Apache running, 192.168.xxx.xxx is the Exchange Server
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/ssl/keys/mail.company.com.pem sslkey=/etc/ssl/keys/mail.company.com.pem name=webServer
cache_peer 192.168.xxx.xxx parent 443 0 proxy-only no-query no-digest originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER name=exchangeServer
# Send the ActiveSync on the main line to the local Apache for the Exchange-like product, which is still in use
acl web_url url_regex -i mail.company.com/Microsoft-Server-ActiveSync
# Send the webserver URLs to the webserver
cache_peer_access webServer allow web_url
# Send everything else to the Exchange server
cache_peer_access exchangeServer deny web_url
# This is to protect ourselves
never_direct allow web_url
# settings caching and logging
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
cache_log none
cache_store_log none
debug_options ALL,8
access_log /var/log/squid/access.log squid
###############################################################################
# ACL - required to allow
acl all src 0.0.0.0/0.0.0.0
http_access allow all
miss_access allow all
So far this setup works for ActiveSync via the 2nd line.
Outlook Anywhere (RPC over HTTPS) only gives me this in access.log:
1265109372.999 23 10.11.11.149 TCP_MISS/401 430 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109372.999 20 10.11.11.149 TCP_MISS/401 430 RPC_OUT_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
Any thoughts on this setup?
How to fix NTLM auth for laptop users?
Thanks,
Toni Van Remortel
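An added example for this thread (not code from the original post): a small auditor that parses a Squid 2.6-style reverse-proxy configuration like the one above and reports the settings that matter when fronting Exchange, namely the unverified proxy-to-origin TLS hop (sslflags=DONT_VERIFY_PEER), credentials forwarded with login=PASS without connection pinning, the RPC extension methods, an open http_access on an accelerator, and a debug level that writes headers to cache.log. The sample configuration is a constructed, trimmed copy of the posted squid.conf with placeholder addresses; the connection-auth=on and sslcafile= cache_peer options it refers to are assumed to be available in the Squid build in use (they exist in Squid 2.6 and later to my knowledge, but check your build's cfgman output).

```python
"""Audit a Squid reverse-proxy config for the settings that matter when it
fronts Exchange / Outlook Anywhere (NTLM).  Added example, not the post's own
code.  SAMPLE_CONF is a constructed, trimmed copy of the posted squid.conf."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]          # (severity, directive, message)
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

SAMPLE_CONF = """\
visible_hostname mail.example.com
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 192.0.2.1:443 cert=/etc/ssl/keys/mail.crt key=/etc/ssl/keys/mail.pem defaultsite=mail.example.com
# Apache for the old product; placeholder address for Exchange
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=webServer
cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER name=exchangeServer
acl web_url url_regex -i mail.example.com/Microsoft-Server-ActiveSync
cache_peer_access webServer allow web_url
cache_peer_access exchangeServer deny web_url
never_direct allow web_url
debug_options ALL, 8
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""


def parse_cache_peer(line: str) -> Dict[str, str]:
    """'cache_peer host type port icp-port [options...]' -> dict.
    Bare flags (ssl, originserver) become 'on'; key=value keeps its value."""
    parts = line.split()
    peer = {"host": parts[1], "type": parts[2], "port": parts[3]}
    for opt in parts[5:]:
        key, _, value = opt.partition("=")
        peer[key] = value or "on"
    return peer


def audit(conf: str) -> List[Finding]:
    findings: List[Finding] = []
    methods = set()
    http_access_all = never_direct_all = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments / blanks
        if not line:
            continue
        directive, _, rest = line.partition(" ")
        args = rest.split()
        if directive == "cache_peer":
            peer = parse_cache_peer(line)
            name = peer.get("name", peer["host"])
            if "DONT_VERIFY_PEER" in peer.get("sslflags", ""):
                findings.append(("high", "cache_peer",
                    f"{name}: sslflags=DONT_VERIFY_PEER skips certificate checks on the "
                    "proxy-to-origin TLS hop; pin the origin's CA with sslcafile= instead"))
            # NTLM is a multi-leg handshake bound to one TCP connection: the
            # client's Authorization header is forwarded (login=PASS) but each
            # leg may land on a different upstream connection unless pinned.
            if peer.get("login") == "PASS" and peer.get("connection-auth") != "on":
                findings.append(("high", "cache_peer",
                    f"{name}: login=PASS without connection-auth=on; NTLM legs are not "
                    "pinned to one upstream connection, so the origin keeps answering 401"))
        elif directive == "extension_methods":
            methods.update(args)
        elif directive == "http_access" and args == ["allow", "all"]:
            http_access_all = True
        elif directive == "never_direct" and args == ["allow", "all"]:
            never_direct_all = True
        elif directive == "debug_options":
            m = re.search(r"ALL,\s*(\d+)", rest)   # tolerate 'ALL, 8'
            if m and int(m.group(1)) > 1:
                findings.append(("medium", "debug_options",
                    f"ALL,{m.group(1)} writes request headers (Authorization, cookies) "
                    "to cache.log; return to ALL,1 once the NTLM problem is solved"))
    missing = RPC_METHODS - methods
    if missing:
        findings.append(("high", "extension_methods",
            "Outlook Anywhere needs " + " ".join(sorted(missing))))
    if http_access_all and not never_direct_all:
        findings.append(("medium", "http_access",
            "allow all on an accelerator without 'never_direct allow all': when no "
            "peer is usable Squid falls back to fetching DIRECT, which turns the "
            "reverse proxy into an open forward proxy"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in audit(SAMPLE_CONF):
        print(f"[{severity}] {directive}: {message}")
```

Run it against your own squid.conf by reading the file into audit(); each finding names the directive so it can be matched back to the line in question. The debug_options check deliberately accepts the "ALL, 8" spelling so that a config with that spacing is still reported.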
Received on Tue Feb 02 2010 - 11:53:44 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 02 2010 - 12:00:03 MST