Need help to configure MS Exchange RPC over HTTP

Need help to configure MS Exchange RPC over HTTP

Ruiyuan Jiang
Hi, when I tried to test access to the MS Exchange server, Outlook just kept prompting for the user name and password without luck. Here are the messages from squid's access.log from the test:

1337803935.354      6 207.46.14.62 TCP_MISS/200 294 RPC_IN_DATA https://webmail.juicycouture.com/Rpc/RpcProxy.dll - PINNED/exchangeServer application/rpc
1337803937.876      6 207.46.14.62 TCP_MISS/401 666 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1337803937.965     11 207.46.14.62 TCP_MISS/401 389 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1337803938.144      6 207.46.14.62 TCP_MISS/401 666 RPC_OUT_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1337803938.229      6 207.46.14.62 TCP_MISS/401 389 RPC_OUT_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html


Here is my squid.conf for the test:

https_port 156.146.2.196:443 accel cert=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.crt key=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.key cafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt defaultsite=webmail.juicycouture.com

cache_peer internal_ex_serv parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=exchangeServer

acl EXCH dstdomain .juicycouture.com

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all


Where did I go wrong? I also tried a different squid.conf (basically removing all the ACLs) but got the same messages in access.log:

https_port 156.146.2.196:443 accel cert=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.crt key=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.key cafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt defaultsite=webmail.juicycouture.com

cache_peer internal_ex_serv parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=exchangeServer

cache_peer_access exchangeServer allow all

http_access allow all
miss_access allow all

Thanks.

Ryan Jiang



This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended
recipient, please notify the sender immediately by
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.

Re: Need help to configure MS Exchange RPC over HTTP

cl00m
Hello Ruiyuan,

Which auth have you set in your Outlook Anywhere setting? Squid works
fine with Basic but has big troubles with NTLM.

regards

Clem

On 23/05/2012 22:38, Ruiyuan Jiang wrote:

RE: Need help to configure MS Exchange RPC over HTTP

Ruiyuan Jiang
Thanks for the reply, Clem.

We use NTLM for authentication. We may be able to enable HTTP authentication for the virtual directory (/rpc), but we may not be able to do that for the whole Exchange server since some other programs use NTLM auth.

After I posted the message, I compared my Apache reverse proxy server log for MS RPC and squid's log for MS RPC. I noticed the messages are the same (HTTP codes 200 and 401). I used a very old Apache for that since newer Apache does not support MS RPC over HTTP.

Ruiyuan Jiang


-----Original Message-----
From: Clem [mailto:[hidden email]]
Sent: Thursday, May 24, 2012 1:47 AM
To: Ruiyuan Jiang
Cc: [hidden email]
Subject: Re: [squid-users] Need help to configure MS Exchange RPC over HTTP





RE: Need help to configure MS Exchange RPC over HTTP

Ruiyuan Jiang
Hi, Clem

I am reading your post

http://www.squid-cache.org/mail-archive/squid-users/201203/0454.html

In the post, someone stated that NTLM auth is not supported:

It's facing the double hop issue, NTLM credentials can be sent only on one hop, and are lost with 2 hops like: client -> squid (hop1) IIS6 rpc proxy (hop2) -> exchange 2007

That is not true. Here we have the setup:

Client -> Apache (hop1) -> IIS 7 -> exchange 2007

The setup works; it is just that I could not use the latest Apache. Otherwise I will continue to use the Apache reverse proxy. The latest Apache does not support MS RPC over HTTP, as posted on the internet:

https://issues.apache.org/bugzilla/show_bug.cgi?id=40029

I am not sure why squid does not support NTLM auth to the backend exchange server.

Ruiyuan






Need help to configure MS Exchange RPC over HTTP

Ruiyuan Jiang
In reply to this post by Ruiyuan Jiang
By the way, NTLM works with a Windows 7 client through Apache here.



Re: Need help to configure MS Exchange RPC over HTTP

cl00m
Hi Ruiyuan,

> Client -> Apache (hop1) -> IIS 7 -> exchange 2007
> It works the setup and just I could not have the latest Apache. Otherwise I will continue to use Apache reverse proxy. The latest Apache does not support MS RPC over http which is posted on the internet.

What do you mean when you say that the latest Apache does not support MS
RPC over HTTP, whereas your version supports it? That does not make sense.

If I can do Client -> Apache reverse proxy -> IIS RPC -> exchange 2007,
I'll install it as soon as possible !

Thx

Clem


On 24/05/2012 21:52, Ruiyuan Jiang wrote:

RE: Need help to configure MS Exchange RPC over HTTP

Ruiyuan Jiang
Hi, Clem

In the Apache link that I provided, it states that Apache below v2.0.58 supports RPC over HTTP. Any version of Apache above that does not support RPC. Two reasons:

1. It is not a standard.
2. Microsoft patents, if Apache uses it.

Ruiyuan Jiang


-----Original Message-----
From: Clem [mailto:[hidden email]]
Sent: Friday, May 25, 2012 2:19 AM
To: Ruiyuan Jiang
Cc: [hidden email]
Subject: Re: [squid-users] Need help to configure MS Exchange RPC over HTTP





Re: Need help to configure MS Exchange RPC over HTTP

Amos Jeffries
Administrator
In reply to this post by Ruiyuan Jiang
On 25/05/2012 7:50 a.m., Ruiyuan Jiang wrote:

> Hi, Clem
>
> I am reading your post
>
> http://www.squid-cache.org/mail-archive/squid-users/201203/0454.html
>
> In the post, someone stated that NTLM auth does not support:
>
> It's facing the double hop issue, ntlm credentials can be sent only on one hop, and is lost with 2 hops like : client ->  squid (hop1) IIS6 rpx proxy (hop2) ->  exchange 2007
>
> That is not true. Here we have the setup:
>
> Client ->  Apache (hop1) ->  IIS 7 ->  exchange 2007
>
> It works the setup and just I could not have the latest Apache. Otherwise I will continue to use Apache reverse proxy. The latest Apache does not support MS RPC over http which is posted on the internet.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=40029
>
> I am not sure why squid does not support NTLM auth to the backend exchange server.

Squid does support relaying any type of www-auth headers to the backend
over multiple hops. What Squid does not support is logging *itself* into
a peer proxy with NTLM (using proxy-auth headers).

There are also various minor but annoying bugs in NTLM pinning support
and persistent connection handling in some Squid releases; with those,
basically the newer the Squid release the better, but it's still not 100%
clean.

I am noting a LOT of complaints in the areas of Squid->IIS and
SharePoint, and a few other MS products this year. But nobody has yet
been able to supply a patch for anything (I don't have MS products or
time to work on this stuff myself). There is a hint that it is related
to Squid-3.1 persistent connection keep-alive to the server, if that
helps anyone.

Amos
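As an added illustration of the point Amos makes above (this is not code from the thread or from the Squid project), here is a small Python model of a connection-oriented HTTP authentication scheme behind one or two reverse proxies. The origin keeps its handshake state per upstream TCP connection, the way NTLM over HTTP does; the proxy relays the WWW-Authenticate and Authorization headers unchanged (the equivalent of login=PASS) and, when `pin` is set, binds the client connection to the upstream connection on which the challenge arrived, which is what Squid logs as PINNED. The token strings, connection ids and class names are placeholders invented for the model, not real NTLM messages or Squid internals.

```python
class Origin:
    """Toy origin server using a connection-oriented challenge/response scheme.

    Handshake state lives on the upstream TCP connection (as with NTLM over
    HTTP), not in a cookie or bearer token. The 'NTLM type1/challenge/type3'
    strings are placeholders standing in for the real handshake messages.
    """

    def __init__(self):
        self.conn_state = {}  # upstream conn id -> "challenged" | "authenticated"

    def handle(self, conn_id, request):
        state = self.conn_state.get(conn_id)
        auth = request.get("Authorization")
        if state == "authenticated":
            return 200, {}  # this connection already completed the handshake
        if auth == "NTLM type1":
            self.conn_state[conn_id] = "challenged"
            return 401, {"WWW-Authenticate": "NTLM challenge"}
        if auth == "NTLM type3" and state == "challenged":
            self.conn_state[conn_id] = "authenticated"
            return 200, {}
        # No credentials, or a type3 arriving on a connection that never saw
        # the challenge: the origin restarts the handshake from scratch.
        self.conn_state.pop(conn_id, None)
        return 401, {"WWW-Authenticate": "NTLM"}


class Proxy:
    """Reverse proxy that relays auth headers untouched.

    pin=True : once a 401 carrying a connection-oriented challenge comes back,
               later requests on that client connection reuse the same
               upstream connection (Squid's PINNED hierarchy code).
    pin=False: every request takes a fresh upstream connection, so the
               origin's per-connection handshake state is never seen again.
    """

    def __init__(self, upstream, pin):
        self.upstream = upstream  # an Origin, or another Proxy for a second hop
        self.pin = pin
        self.pinned = {}          # client conn id -> upstream conn id
        self.next_conn = 0

    def forward(self, client_conn, request):
        upstream_conn = self.pinned.get(client_conn)
        if upstream_conn is None:
            upstream_conn = f"up-{self.next_conn}"
            self.next_conn += 1
        status, headers = self.upstream.handle(upstream_conn, request)
        if self.pin and headers.get("WWW-Authenticate", "").startswith("NTLM"):
            self.pinned[client_conn] = upstream_conn
        return status, headers, upstream_conn

    def handle(self, conn_id, request):
        """Same entry point as Origin.handle, so proxies can be chained."""
        status, headers, _ = self.forward(conn_id, request)
        return status, headers


def client_handshake(proxy, client_conn="client-1", max_rounds=3):
    """Drive the handshake as a client would. Returns (final_status, transcript);
    transcript rows are (credential sent, status, upstream conn at the first hop).
    Each extra round models the client re-prompting for credentials."""
    transcript = []
    status, headers, conn = proxy.forward(client_conn, {})
    transcript.append(("none", status, conn))
    for _ in range(max_rounds):
        if status == 200:
            break
        status, headers, conn = proxy.forward(client_conn, {"Authorization": "NTLM type1"})
        transcript.append(("type1", status, conn))
        if headers.get("WWW-Authenticate") != "NTLM challenge":
            continue
        status, headers, conn = proxy.forward(client_conn, {"Authorization": "NTLM type3"})
        transcript.append(("type3", status, conn))
    return status, transcript


if __name__ == "__main__":
    scenarios = [
        ("one hop, pinned", Proxy(Origin(), pin=True)),
        ("one hop, not pinned", Proxy(Origin(), pin=False)),
        ("two hops, both pinned", Proxy(Proxy(Origin(), pin=True), pin=True)),
    ]
    for label, proxy in scenarios:
        status, transcript = client_handshake(proxy)
        print(f"{label}: final status {status}")
        for row in transcript:
            print("   ", row)
```

With pinning on at every hop the handshake completes in three round trips even through two proxies in series, which is why the "double hop" claim quoted earlier in the thread is not a general rule. With pinning off at any hop, the type-3 message lands on a connection the origin has never challenged, the origin answers 401 again and the client re-prompts, which is the same shape as the repeated 401 entries in the access.log quoted at the top of the thread.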
Re: Need help to configure MS Exchange RPC over HTTP

Amos Jeffries
Administrator
In reply to this post by Ruiyuan Jiang
On 26/05/2012 1:34 a.m., Ruiyuan Jiang wrote:
> Hi, Clem
>
> In the Apache link that I provided, it stated that below Apache v2.0.58 supports RPC over HTTP. Any version of Apache above that version does not support RPC. Two reasons:
>
> 1. it is not a standard.
> 2. patents by Microsoft if Apache uses it.

Patents?

RPC over HTTP is required to fit within HTTP standard operational
behaviour. If it were breaking protocol requirements, that would explain
why Squid, which does obey HTTP standards, was "breaking" as an
RPC-over-HTTP relay.

FYI: The body content of the HTTP messages is the RPC protocol under
patent, possibly the method names themselves. Neither Squid nor Apache,
when proxying, has any reason to touch those details and thus is not
affected by any such patents (unless they are made to do so).

Amos


RE: Need help to configure MS Exchange RPC over HTTP

Ruiyuan Jiang
In reply to this post by Amos Jeffries
Thanks for the response, Amos. Do you think it is worth testing squid v3.2.x on my Solaris box for NTLM auth? I don't have any problem testing it out.

Ruiyuan


-----Original Message-----
From: Amos Jeffries [mailto:[hidden email]]
Sent: Sunday, May 27, 2012 6:10 AM
To: [hidden email]
Subject: Re: [squid-users] Need help to configure MS Exchange RPC over HTTP





RE: Need help to configure MS Exchange RPC over HTTP

Amos Jeffries
Administrator
On 30.05.2012 03:11, Ruiyuan Jiang wrote:
> Thanks for the response Amos. Do you think is it worth to test it
> squid v3.2.x on my Solaris box for NTLM auth? I don't have any
> problem
> to test it out.
>

I think it is worth it. 3.2 is HTTP/1.1 and avoids all the HTTP/1.0
issues which may still crop up with 3.1.

Amos

RE: Need help to configure MS Exchange RPC over HTTP

Ruiyuan Jiang
Hi, Amos

I tried squid v3.2.0.17 on a Red Hat Enterprise server v6.2, x86_64, and it did not work for NTLM authentication. I just kept getting the user name and password prompt when I accessed the site after I put in the user name and password. In the squid log, it shows the two entries below repeatedly:

TCP_MISS/401 1672 GET https://webmail.site.com/ - FIRSTUP_PARENT/10.10.10.10 text/html
TCP_MISS/401 293 POST https://webmail.site.com/ews/Exchange.asmx - FIRSTUP_PARENT/10.10.10.10 -

I used the option "--enable-ntlm-fail-open" when I compiled squid 3.2.0.17.

Ruiyuan

-----Original Message-----
From: Amos Jeffries [mailto:[hidden email]]
Sent: Tuesday, May 29, 2012 8:06 PM
To: [hidden email]
Subject: RE: [squid-users] Need help to configure MS Exchange RPC over HTTP





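Squid's access.log is the quickest place to tell a relay problem from a credentials problem, so here is an added Python example (not code from the thread or from Squid) that parses the lines quoted in this thread and flags clients stuck in a 401 loop. It handles both the full native log format of the first message and the trimmed form pasted in the last one, and it reports whether the 401s arrived over the pinned upstream connection (hierarchy code PINNED) or a fresh one, which is the detail that separates a lost connection-oriented handshake from a plain wrong password. The healthy handshake for client 10.0.0.5 and the threefold repetition of the last message's two entries are constructed sample input; the other lines are the ones quoted above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Field layout of Squid's native access.log ("squid" logformat):
#   timestamp elapsed client code/status bytes method URL ident hierarchy/peer content-type
# The entries quoted at the end of the thread were pasted without the first
# three fields, so the pattern anchors on the code/status token and treats
# the leading fields as optional.
ENTRY_RE = re.compile(
    r"""^(?:(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+)?
        (?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+
        (?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+
        (?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$""",
    re.VERBOSE,
)


@dataclass
class Entry:
    client: str
    status: int
    method: str
    url: str
    hier: str   # hierarchy code; PINNED = reply came over the pinned upstream connection
    peer: str


def parse_line(line):
    """Parse one access.log line into an Entry, or None if it is not in this format."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return Entry(client=m.group("client") or "unknown", status=int(m.group("status")),
                 method=m.group("method"), url=m.group("url"),
                 hier=m.group("hier"), peer=m.group("peer"))


def find_auth_loops(lines, threshold=3):
    """Report clients that received `threshold` or more 401s in a row.

    A connection-oriented scheme such as NTLM completes only if the follow-up
    request reaches the origin on the same upstream connection (PINNED).
    401s that come back with any other hierarchy code mean the handshake
    restarted on a fresh connection, which is what an endless password
    prompt looks like in the log.
    """
    per_client = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            per_client[entry.client].append(entry)

    findings = {}
    for client, entries in per_client.items():
        streak = longest = unpinned_401 = 0
        saw_pinned = False
        for e in entries:
            saw_pinned = saw_pinned or e.hier == "PINNED"
            if e.status == 401:
                streak += 1
                if e.hier != "PINNED":
                    unpinned_401 += 1
            else:
                streak = 0
            longest = max(longest, streak)
        if longest >= threshold:
            findings[client] = {
                "consecutive_401": longest,
                "unpinned_401": unpinned_401,
                "saw_pinned": saw_pinned,
                "peers": sorted({e.peer for e in entries}),
            }
    return findings


# Sample input: the first message's five lines, the last message's two trimmed
# lines repeated three times (constructed repetition), and a constructed healthy
# handshake for 10.0.0.5: 401 on a fresh connection, 401 on the pinned one, 200.
SAMPLE_LOG = [
    "1337803935.354      6 207.46.14.62 TCP_MISS/200 294 RPC_IN_DATA https://webmail.juicycouture.com/Rpc/RpcProxy.dll - PINNED/exchangeServer application/rpc",
    "1337803937.876      6 207.46.14.62 TCP_MISS/401 666 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html",
    "1337803937.965     11 207.46.14.62 TCP_MISS/401 389 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html",
    "1337803938.144      6 207.46.14.62 TCP_MISS/401 666 RPC_OUT_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html",
    "1337803938.229      6 207.46.14.62 TCP_MISS/401 389 RPC_OUT_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html",
] + 3 * [
    "TCP_MISS/401 1672 GET https://webmail.site.com/ - FIRSTUP_PARENT/10.10.10.10 text/html",
    "TCP_MISS/401 293 POST https://webmail.site.com/ews/Exchange.asmx - FIRSTUP_PARENT/10.10.10.10 -",
] + [
    "1337900000.100     12 10.0.0.5 TCP_MISS/401 389 RPC_IN_DATA https://webmail.example.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html",
    "1337900000.150      8 10.0.0.5 TCP_MISS/401 389 RPC_IN_DATA https://webmail.example.com/rpc/rpcproxy.dll? - PINNED/exchangeServer text/html",
    "1337900000.210   5000 10.0.0.5 TCP_MISS/200 294 RPC_IN_DATA https://webmail.example.com/rpc/rpcproxy.dll - PINNED/exchangeServer application/rpc",
]

if __name__ == "__main__":
    for client, info in find_auth_loops(SAMPLE_LOG).items():
        print(client, info)
```

A client showing a long run of 401s with no PINNED reply at all, as the trimmed entries do, is the pattern to look for when trying a newer Squid release. Separately, the cache_peer line in the first message turns off certificate and host-name verification toward the backend (DONT_VERIFY_PEER, DONT_VERIFY_DOMAIN); that has no bearing on the 401 loop, but it is worth tightening before the proxy goes into production.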