Re: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Clem <clemfree_at_free.fr>
Date: Thu, 22 Mar 2012 21:40:22 +0100

For info, I'm using squid 3.2016 beta, exchange 2007 sp3 and a test
client on XP, I'll test a client on windows7.

No config for blackberry devices, they don't use activesync but the
connection to blackberry server directly connected to our exchange.

On 22/03/2012 15:50, Clem wrote:
> I've tested activesync with this tool
> https://store.accessmylan.com/main/diagnostic-tools , all is OK ! I will be
> able to put my front-end squid proxy for exchange 2007 in production soon !
>
>
> -----Original Message-----
> From: Clem [mailto:clemfree_at_free.fr]
> Sent: Thursday, 22 March 2012 14:40
> To: 'Clem'; 'squid-users_at_squid-cache.org'
> Cc: 'Amos Jeffries'; 'squid-users_at_squid-cache.org'
> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
> ii6 exchange2007 with ntlm
>
> Forgot the powershell command :
>
> get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm
>
> Info there:
> http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/
>
> -----Original Message-----
> From: Clem [mailto:clemfree_at_free.fr]
> Sent: Thursday, 22 March 2012 14:32
> To: squid-users_at_squid-cache.org
> Cc: Amos Jeffries; squid-users_at_squid-cache.org
> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
> ii6 exchange2007 with ntlm
>
> Hello all
>
> I'm glad to inform you that I have found a workaround solution for outlook
> anywhere client via NTLM.
> I really didn't want to change any config of my clients outlook, who are
> actually configured on NTLM auth via Outlook RPC Proxy settings.
>
> Outlook Anywhere is configured in NTLM.
>
> Recently I have found that the main problem with squid was the double hop
> NTLM.
>
> So I thought of a different way : NTLM Clients credentials -> SQUID -> Basic
> Squid Auth -> IIS RPC PROXY -> NTLM client Credentials carried by squid ->
> Outlook Anywhere
>
> And that works !! The trick is to enable both "Integrated Windows
> Authentication" (NTLM) AND "Basic authentication" on the Rpc virtual
> directory of IIS (6 for my own).
> On Squid you have to use login:DOMAIN\user:password to send a credential
> that can auth (I have used Admin one). Dunno if it's secure to use AD admin
> user/pass directly in squid.conf ?
> Anyway that works so I'll continue to test now with that config.
>
> Now I've to test activesync with iPhone, and after with my Blackberry Server
> Express.
>
> I can paste you some of my configurations if you need
>
> Regards
>
> Clem
>
>
>
> -----Original Message-----
> From: Guido Serassio [mailto:guido.serassio_at_acmeconsulting.it]
> Sent: Sunday, 18 March 2012 12:36
> To: clemfree_at_free.fr
> Cc: Amos Jeffries; squid-users_at_squid-cache.org
> Subject: R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
> exchange2007 with ntlm
>
> Hi Clem,
>
> Currently it seems that a fully working reverse Proxy Open Source solution
> for Exchange 2007 and 2010 is not available.
>
> Squid is really near to be fully functional, but there are still some
> problems.
> Look at my comments in this bug:
> http://bugs.squid-cache.org/show_bug.cgi?id=3141
>
> Currently I'm running a patched Squid 3.1.19 with http 1.1 support enabled
> in front of an Exchange 2010 Server.
> RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry
> clients is still problematic.
>
> I have tried also to use 3.2, but things seem to be worse: RPC doesn't work
> at all.
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Silver Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.serassio_at_acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
>> Sent: Friday, 16 March 2012 11.54
>> To: squid-users_at_squid-cache.org
>> Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc
>> proxy ii6 exchange2007 with ntlm
>>
>> On 14/03/2012 11:32 p.m., Clem wrote:
>>> Hello,
>>>
>>> Ok so I know exactly why squid can't forward ntlm credentials and
>>> stops at type1. It's facing the double hop issue, ntlm credentials
>>> can be sent only on one hop, and are lost with 2 hops like :
>>> client -> squid (hop1) -> IIS6 rpc proxy (hop2) -> exchange 2007
>>>
>>> That's why when I connect directly to my iis6 rpc proxy that works
>>> and when I connect through squid that request login/pass again and
>>> again. And we can clearly see that on https analyzes.
>>>
>>> ISA server has a workaround about this double hop issue as I wrote
>>> in my last mail, I don't know if squid can act like this.
>>>
>>> I'm searching atm how to set iis6 perhaps to resolve this problem,
>>> but I don't want to "break" my exchange so I've to do my tests very
>>> carefully
>>
>> Cheers. I've added a mention of this to the NTLM issues wiki page now
>> for others to find along with the archive of these messages.
>>
>> Amos
>
Received on Thu Mar 22 2012 - 20:40:36 MDT
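
The concern raised in the thread about keeping an AD account's password in squid.conf can be checked mechanically. The following is an added example, not code from any of the posters or from the Squid project: it scans a configuration for `cache_peer` lines whose `login=` option stores a static password, and notes whether that peer link is unencrypted or skips certificate verification. The sample configuration, addresses and account names are constructed.

```python
# Constructed sample (Squid 3.x option names); not a configuration from the thread.
SAMPLE_CONF = r"""
# reverse-proxy peers
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=EXAMPLE\svc-admin:S3cret name=exchange
cache_peer 192.0.2.11 parent 443 0 no-query originserver ssl login=PASS name=owa
cache_peer 192.0.2.12 parent 80 0 no-query originserver login=EXAMPLE\rpcproxy:S3cret name=rpc
"""

# login= values that relay or negotiate credentials instead of storing them.
NON_STATIC = {"PASS", "PASSTHRU", "NEGOTIATE"}


def audit_cache_peers(conf_text):
    """Return one finding per cache_peer line that embeds a static password."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if len(tokens) < 6 or tokens[0] != "cache_peer":
            continue
        opts = tokens[5:]
        login = next((o[6:] for o in opts if o.startswith("login=")), None)
        if login is None:
            continue
        user, sep, password = login.partition(":")
        if user in NON_STATIC or not (sep and password):
            continue
        issues = ["static-credentials"]
        if not {"ssl", "tls"} & set(opts):
            # Basic auth is only base64-encoded, so the password crosses this hop readable.
            issues.append("cleartext-link")
        flags = next((o.split("=", 1)[1] for o in opts if o.startswith("sslflags=")), "")
        if "DONT_VERIFY_PEER" in flags.split(","):
            issues.append("peer-cert-not-verified")
        # Report the account name but never echo the password itself.
        findings.append({"line": lineno, "peer": tokens[1], "user": user, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_cache_peers(SAMPLE_CONF):
        print(f"line {f['line']}: peer {f['peer']} user {f['user']}: {', '.join(f['issues'])}")
```

Each finding is a reason to use a dedicated low-privilege account for the peer login and to restrict read access to squid.conf.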

This archive was generated by hypermail 2.2.0 : Fri Mar 23 2012 - 12:00:04 MDT