Hello all
I'm glad to inform you that's I have found a workaround solution for outlook
anywhere client via NTLM.
I really didn't want to change any config of my clients outlook, who are
actually configured on NTLM auth via Outlook RPC Proxy settings.
Outlook Anywhere is configured in NTLM.
Recently I have found that the main problem with squid was the double hop
NTLM.
So I though a different way : NTLM Clients credentials -> SQUID -> Basic
Squid Auth -> IIS RPC PROXY -> NTLM client Credentials carried by squid ->
Outlook Anywhere
And that works !! The trick is to enable both "Integrated Windows
Authentication" (NTLM) AND "Basic authentication" on the Rpc virtual
directory of IIS (6 for my own).
On Squid you have to use login:DOMAIN\user:password to send a credential
that can auth (I have used Admin one). Dunno if it's secure to use AD admin
user/pass directly in squid.conf ?
Anyway that works so I'll continue to test now with that config.
Now I've to test activesync with Iphone, and after with my Blackberry Server
Express.
I can paste you some of my configurations if you need
Regards
Clem
-----Message d'origine-----
De : Guido Serassio [mailto:guido.serassio_at_acmeconsulting.it]
Envoyé : dimanche 18 mars 2012 12:36
À : clemfree_at_free.fr
Cc : Amos Jeffries; squid-users_at_squid-cache.org
Objet : R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
exchange2007 with ntlm
Hi Clem,
Currently it seems that a fully working reverse Proxy Open Source solution
for Exchange 2007 and 2010 is not available.
Squid is really near to be fully functional, but there are still some
problems.
Look my comments in this bug:
http://bugs.squid-cache.org/show_bug.cgi?id=3141
Currently I'm running a patched Squid 3.1.19 with http 1.1 support enabled
in front of a Exchange 2010 Server.
RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry
clients is still problematic.
I have tried also to use 3.2, but things seems to be worse: RPC doesn't work
at all.
Regards
Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio_at_acmeconsulting.it
WWW: http://www.acmeconsulting.it
> -----Messaggio originale-----
> Da: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Inviato: venerdì 16 marzo 2012 11.54
> A: squid-users_at_squid-cache.org
> Oggetto: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc
> proxy
> ii6 exchange2007 with ntlm
>
> On 14/03/2012 11:32 p.m., Clem wrote:
> > Hello,
> >
> > Ok so I know exactly why squid can't forward ntlm credentials and
> > stop
> at
> > type1. It's facing the double hop issue, ntlm credentials can be
> > sent
> only
> > on one hop, and is lost with 2 hops like : client -> squid (hop1)
> > ->
> IIS6
> > rpx proxy (hop2) -> exchange 2007
> >
> > That's why when I connect directly to my iis6 rpc proxy that works
> > and
> when
> > I connect through squid that request login/pass again and again. And
> > we
> can
> > clearly see that on https analyzes.
> >
> > ISA server has a workaround about this double hop issue as I have
> > wrote
> in
> > my last mail, I don't know if squid can act like this.
> >
> > I'm searching atm how to set iis6 perhaps to resolve this problem,
> > but I don't want to "break" my exchange so I've to do my tests very
> > carefully
>
> Cheers. I've added a mention of this to the NTLM issiues wiki page now
> for others to find along with the archive of these messages.
>
> Amos
Received on Thu Mar 22 2012 - 13:31:43 MDT
This archive was generated by hypermail 2.2.0 : Thu Mar 22 2012 - 12:00:03 MDT