RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
Hi Guido,

I've installed the latest release of 3.1.19 (squid-3.1.19-20120325-r10444), and
I have the same error when connecting with Windows 7: server is unavailable.
The difference is that I don't have BadRequest and Connection_Dropped
DefaultAppPool in the IIS6 httperr log.

The only thing I can see in the logs is TCP_MISS/200, in Squid and IIS.

With XP clients, that works...

Here is my squid.conf:

----------------------------------------->

visible_hostname external_mail_url
ignore_expect_100 on
request_header_access Accept-Encoding deny all
debug_options ALL,1
https_port ip_of_squid:443 accel cert=/usr/local/squid/etc/certifs/cert.pem \
    cafile=/usr/local/squid/etc/certifs/ca_cert.pem \
    defaultsite=external_mail_url
cache_peer ip_of_exchange parent 443 0 no-query proxy-only name=owaserver originserver \
    ssl sslflags=DONT_VERIFY_PEER login=DOMAIN\Administrateur:adminpassword \
    sslcert=/usr/local/squid/etc/certifs/cert.pem \
    sslcafile=/usr/local/squid/etc/certifs/ca_cert.pem
acl 0.0.0.0 src all
acl owa dstdomain external_mail_url
cache_peer_access owaserver allow owa
never_direct allow owa
http_access allow owa
http_access deny all
miss_access allow owa
miss_access deny all

----------------------------------------->

On Exchange, Outlook Anywhere (rpcproxy) is on Basic and NTLM for IIS auth;
for client auth, only NTLM. With XP, Squid auths in Basic, then the client auths
in NTLM, and that works. In Windows 7, after a long time I get this issue:
server is unavailable.

I don't know what's happening; I think perhaps it's an HTTP 1.1 or 1.2 issue.

Thanks,

Clem

-------- Original Message --------
Subject:
R: R: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
exchange2007 with ntlm
Date:
Sun, 25 Mar 2012 17:28:25 +0000
From:
Guido Serassio <[hidden email]>
To:
Clem <[hidden email]>

Hi,

Don't forget to apply the changes listed in this discussion:
http://www.squid-cache.org/mail-archive/squid-dev/201101/0124.html

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135               Fax. : +39.011.9781115
Email: [hidden email]
WWW: http://www.acmeconsulting.it


> -----Original Message-----
> From: Clem [mailto:[hidden email]]
> Sent: Sunday 25 March 2012 15:33
> To: Guido Serassio
> Subject: Re: R: TR: TR: [squid-users] https analyze, squid rpc proxy to
> rpc proxy ii6 exchange2007 with ntlm
>
> Hi Guido !
>
> Thank you very much for your answer! I'm using 3.2.0.16, I'll test
> with 3.1.19 then!
>
> Have a good day
>
> Clem
>
> On 25/03/2012 14:19, Guido Serassio wrote:
> > Hi Clem,
> >
> > I have already verified that Windows Vista and 7 talk differently to
> > Exchange.
> > The patched 3.1.19 build fixed my problem, and Mac EWS clients also
> > seem to almost work.
> > I'm waiting for 3.2 STABLE before running new tests on it.
> >
> > Regards
> >
> > Guido Serassio
> >
> >
> >> -----Original Message-----
> >> From: Clem [mailto:[hidden email]]
> >> Sent: Friday 23 March 2012 15:48
> >> To: [hidden email]
> >> Subject: RE: TR: TR: [squid-users] https analyze, squid rpc proxy to
> >> rpc proxy ii6 exchange2007 with ntlm
> >>
> >> Back with my Windows 7 test, and it failed... I don't know exactly why,
> >> but it times out with a "server is unavailable".
> >>
> >> In my IIS httperr log I have :
> >>
> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6004 400 1 BadRequest DefaultAppPool
> >> HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6001 400 1 Connection_Dropped DefaultAppPool
> >>
> >> OK with XP, not with Windows 7, and Vista I guess
> >>
> >> Can you help me with this ?
> >> Thx
> >>
> >> Clem
> >>
> >> -----Original Message-----
> >> From: Clem [mailto:[hidden email]]
> >> Sent: Thursday 22 March 2012 21:40
> >> To: [hidden email]
> >> Subject: Re: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc
> >> proxy ii6 exchange2007 with ntlm
> >>
> >> For info, I'm using Squid 3.2.0.16 beta, Exchange 2007 SP3 and a test
> >> client on XP; I'll test a client on Windows 7.
> >>
> >> No config for BlackBerry devices: they don't use ActiveSync but a
> >> connection to the BlackBerry server, which is directly connected to our
> >> Exchange.
> >>
> >>
> >>
> >> On 22/03/2012 15:50, Clem wrote:
> >>> I've tested ActiveSync with this tool
> >>> https://store.accessmylan.com/main/diagnostic-tools , all is OK! I will
> >>> be able to put my front-end Squid proxy for Exchange 2007 in production
> >>> soon!
> >>>
> >>> -----Original Message-----
> >>> From: Clem [mailto:[hidden email]]
> >>> Sent: Thursday 22 March 2012 14:40
> >>> To: 'Clem'; '[hidden email]'
> >>> Cc: 'Amos Jeffries'; '[hidden email]'
> >>> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
> >>> ii6 exchange2007 with ntlm
> >>>
> >>> Forgot the PowerShell command:
> >>>
> >>> get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm
> >>>
> >>> Info here:
> >>>
> >>> http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/
> >>>
> >>> -----Original Message-----
> >>> From: Clem [mailto:[hidden email]]
> >>> Sent: Thursday 22 March 2012 14:32
> >>> To: [hidden email]
> >>> Cc: Amos Jeffries; [hidden email]
> >>> Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
> >>> exchange2007 with ntlm
> >>>
> >>> Hello all
> >>>
> >>> I'm glad to inform you that I have found a workaround solution for
> >>> Outlook Anywhere clients via NTLM.
> >>> I really didn't want to change any config of my clients' Outlook, which
> >>> are actually configured on NTLM auth via Outlook RPC Proxy settings.
> >>>
> >>> Outlook Anywhere is configured in NTLM.
> >>>
> >>> Recently I have found that the main problem with Squid was the double-hop
> >>> NTLM.
> >>>
> >>> So I thought of a different way: NTLM client credentials -> SQUID -> Basic
> >>> Squid auth -> IIS RPC PROXY -> NTLM client credentials carried by Squid ->
> >>> Outlook Anywhere
> >>>
> >>> And that works!! The trick is to enable both "Integrated Windows
> >>> Authentication" (NTLM) AND "Basic authentication" on the Rpc virtual
> >>> directory of IIS (6 in my case).
> >>> On Squid you have to use login=DOMAIN\user:password to send a credential
> >>> that can auth (I have used the Admin one). Dunno if it's secure to use the
> >>> AD admin user/pass directly in squid.conf?
> >>> Anyway that works, so I'll continue to test now with that config.
> >>>
> >>> Now I have to test ActiveSync with iPhone, and after that with my
> >>> BlackBerry Server Express.
> >>>
> >>> I can paste you some of my configurations if you need
> >>>
> >>> Regards
> >>>
> >>> Clem
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Guido Serassio [mailto:[hidden email]]
> >>> Sent: Sunday 18 March 2012 12:36
> >>> To: [hidden email]
> >>> Cc: Amos Jeffries; [hidden email]
> >>> Subject: R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
> >>> exchange2007 with ntlm
> >>>
> >>> Hi Clem,
> >>>
> >>> Currently it seems that a fully working open source reverse proxy
> >>> solution for Exchange 2007 and 2010 is not available.
> >>>
> >>> Squid is really near to being fully functional, but there are still some
> >>> problems.
> >>> Look at my comments in this bug:
> >>> http://bugs.squid-cache.org/show_bug.cgi?id=3141
> >>>
> >>> Currently I'm running a patched Squid 3.1.19 with HTTP 1.1 support enabled
> >>> in front of an Exchange 2010 server.
> >>> RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry
> >>> clients is still problematic.
> >>>
> >>> I have also tried 3.2, but things seem to be worse: RPC doesn't work
> >>> at all.
> >>>
> >>> Regards
> >>>
> >>> Guido Serassio
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Amos Jeffries [mailto:[hidden email]]
> >>>> Sent: Friday 16 March 2012 11:54
> >>>> To: [hidden email]
> >>>> Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
> >>>> ii6 exchange2007 with ntlm
> >>>>
> >>>> On 14/03/2012 11:32 p.m., Clem wrote:
> >>>>> Hello,
> >>>>>
> >>>>> OK, so I know exactly why Squid can't forward NTLM credentials and stops
> >>>>> at type 1. It's facing the double-hop issue: NTLM credentials can be sent
> >>>>> only on one hop, and are lost with 2 hops like: client -> squid (hop1) ->
> >>>>> IIS6 rpc proxy (hop2) -> exchange 2007
> >>>>>
> >>>>> That's why when I connect directly to my IIS6 rpc proxy it works, and
> >>>>> when I connect through Squid it requests login/pass again and again. And
> >>>>> we can clearly see that in the HTTPS analyses.
> >>>>>
> >>>>> ISA server has a workaround for this double-hop issue, as I wrote in my
> >>>>> last mail; I don't know if Squid can act like this.
> >>>>>
> >>>>> I'm searching atm how to set up IIS6 perhaps to resolve this problem,
> >>>>> but I don't want to "break" my Exchange, so I have to do my tests very
> >>>>> carefully
> >>>>
> >>>> Cheers. I've added a mention of this to the NTLM issues wiki page now
> >>>> for others to find along with the archive of these messages.
> >>>>
> >>>> Amos
> >
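The "double hop" Clem describes in the quoted history (NTLM stops at type 1 and Outlook is prompted again and again) comes from NTLM authenticating the TCP connection rather than the individual request. The following is an added example for this page, not code from Squid, IIS or any of the posters: a toy origin, proxy and client in Python, with the message strings ("NTLM type1", the nonce, the connection ids and the pool size) constructed for the demo. It shows the three-message handshake failing when the proxy hands each request to whichever pooled server connection is free, and succeeding when the client's connection is pinned to one server connection for the whole exchange, which is the connection pinning Squid provides for NTLM/Negotiate peers (the cache_peer connection-auth option). Whether pinning alone fixes the Windows 7 case in this thread is not something the thread establishes.

```python
"""Toy model of the NTLM "double hop" discussed in this thread.

Added example for this page, not code from Squid, IIS or the posters.
NTLM (type1 -> type2 challenge -> type3 response) authenticates a TCP
*connection*: the origin remembers the challenge per connection and, after
a valid type3, treats that connection as authenticated. A reverse proxy
that hands each client request to whichever idle server connection is free
sends the type3 on a connection that never issued the challenge, so the
origin re-challenges and the client is prompted again. Message strings,
the nonce, connection ids and pool size are all constructed for the demo.
"""
from itertools import cycle


class NtlmOrigin:
    """Stand-in for an IIS virtual directory that accepts NTLM only."""

    def __init__(self, nonce="nonce-1234"):   # constructed challenge value
        self.nonce = nonce
        self.pending = {}           # server connection id -> challenge issued on it
        self.authenticated = set()  # server connection ids that completed type3

    def handle(self, conn, headers):
        if conn in self.authenticated:          # connection, not request, is authenticated
            return 200, {}
        auth = headers.get("Authorization", "")
        if auth == "NTLM type1":
            self.pending[conn] = self.nonce
            return 401, {"WWW-Authenticate": f"NTLM type2 {self.nonce}"}
        if auth.startswith("NTLM type3 "):
            challenge = self.pending.pop(conn, None)   # only valid on the same connection
            if challenge is not None and auth.endswith(challenge):
                self.authenticated.add(conn)
                return 200, {}
        return 401, {"WWW-Authenticate": "NTLM"}


class Proxy:
    """Reverse proxy with a pool of persistent server connections.

    pinned=False: every request takes the next pooled connection (the
    double hop).  pinned=True: a client connection is bound to one server
    connection for as long as it lives (connection pinning).
    """

    def __init__(self, origin, pool_size=2, pinned=False):
        self.origin = origin
        self.pinned = pinned
        self.pool = cycle(range(pool_size))
        self.pins = {}              # client connection id -> server connection id

    def forward(self, client_conn, headers):
        if self.pinned:
            server_conn = self.pins.setdefault(client_conn, next(self.pool))
        else:
            server_conn = next(self.pool)
        return self.origin.handle(server_conn, headers)


def outlook_login(proxy, client_conn="client-A", max_rounds=4):
    """Client side: run the three-message handshake through the proxy.

    Returns (final status, rounds used). The type3 answers the challenge
    returned to *this* client connection; whether the origin sees it on the
    connection that issued the challenge is up to the proxy.
    """
    status = None
    for rounds in range(1, max_rounds + 1):
        status, hdrs = proxy.forward(client_conn, {"Authorization": "NTLM type1"})
        www = hdrs.get("WWW-Authenticate", "")
        if status != 401 or not www.startswith("NTLM type2 "):
            return status, rounds
        challenge = www.split()[-1]
        status, _ = proxy.forward(client_conn, {"Authorization": f"NTLM type3 {challenge}"})
        if status == 200:
            return status, rounds
        # 401 again: the "login/pass again and again" loop from the thread
    return status, max_rounds


if __name__ == "__main__":
    print("unpinned, 2 server connections:", outlook_login(Proxy(NtlmOrigin())))
    print("pinned:", outlook_login(Proxy(NtlmOrigin(), pinned=True)))
    print("unpinned, single server connection:", outlook_login(Proxy(NtlmOrigin(), pool_size=1)))
```

The single-connection case at the end is the tell: with only one server connection the unpinned proxy "works" by accident, which is why a setup can pass a one-client test and fail once a second client or a second pooled connection shows up.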


Amos Jeffries
On 27.03.2012 01:31, Clem wrote:

> Here is my squid.conf :
>
> ----------------------------------------->
>
> visible_hostname external_mail_url
> ignore_expect_100 on
> request_header_access Accept-Encoding deny all
> debug_options ALL,1
> https_port ip_of_squid:443 accel cert=/usr/local/squid/etc/certifs/cert.pem \
>     cafile=/usr/local/squid/etc/certifs/ca_cert.pem \
>     defaultsite=external_mail_url
> cache_peer ip_of_exchange parent 443 0 no-query proxy-only name=owaserver originserver \
>     ssl sslflags=DONT_VERIFY_PEER login=DOMAIN\Administrateur:adminpassword \

Is this actually "Administrateur"? Or a typo of the US-centric
"Administrator"?

Also, originserver is a bit magic. login= + originserver will erase
*www-auth* headers as well and place Basic auth credentials in the
www-auth (origin server auth) header.

>     sslcert=/usr/local/squid/etc/certifs/cert.pem \
>     sslcafile=/usr/local/squid/etc/certifs/ca_cert.pem
> acl 0.0.0.0 src all

This is a confusing definition for the ACL *name* "0.0.0.0".

  IPv4 0.0.0.0 is 0.0.0.0/32 (single IP address)

  ACL magic "all" token defines IPv4 0.0.0.0/0 plus IPv6 ::/0


> acl owa dstdomain external_mail_url
> cache_peer_access owaserver allow owa
> never_direct allow owa
> http_access allow owa
> http_access deny all
> miss_access allow owa
> miss_access deny all
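To make Amos's two points concrete, here is an added example in Python, written for this page and not taken from Squid's source or from the thread. It models the header rule from Amos's description (on an originserver peer with login=user:password, the client's www-auth header is dropped and a Basic credential is inserted), treating the documented login=PASS and login=PASSTHRU keywords as the cases where the client's own header is forwarded instead, and it runs a small review over the config lines Clem posted (copied into POSTED_CONF with the continuation lines joined; everything else in the block is constructed). The review flags what a practitioner would raise on this config: an ACL whose name looks like an address but whose body is `all`, sslflags=DONT_VERIFY_PEER (Squid does not check the Exchange certificate, so anything that can answer on ip_of_exchange can impersonate it to Squid), and a literal credential for a domain administrator in squid.conf, which every proxied request presents to IIS before the real user has proven anything at the RPC layer. On Clem's own question about whether that is secure: the password is cleartext to anyone who can read the file, and a dedicated low-privilege account that only needs to pass the IIS virtual-directory check is the usual answer.

```python
"""Model of Squid's cache_peer login= rewrite on an originserver peer, plus
a review pass over the squid.conf posted in this thread.

Added example for this page; it follows the behaviour described in the
thread (client www-auth header dropped, Basic credential inserted), not
Squid's source. POSTED_CONF is the thread's config with continuation lines
joined; the sample client header and finding texts are constructed.
"""
import base64
import re

POSTED_CONF = r"""
https_port ip_of_squid:443 accel cert=/usr/local/squid/etc/certifs/cert.pem \
    cafile=/usr/local/squid/etc/certifs/ca_cert.pem defaultsite=external_mail_url
cache_peer ip_of_exchange parent 443 0 no-query proxy-only name=owaserver originserver \
    ssl sslflags=DONT_VERIFY_PEER login=DOMAIN\Administrateur:adminpassword \
    sslcert=/usr/local/squid/etc/certifs/cert.pem \
    sslcafile=/usr/local/squid/etc/certifs/ca_cert.pem
acl 0.0.0.0 src all
acl owa dstdomain external_mail_url
cache_peer_access owaserver allow owa
http_access allow owa
http_access deny all
"""

# login= keywords that forward the client's own credential instead of a literal
PASS_KEYWORDS = ("PASS", "PASSTHRU")


def directives(conf):
    """Join backslash-continued lines; return each directive as a token list."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    return [ln.split() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def peer_options(tokens):
    """cache_peer host type http_port icp_port [options...] -> {option: value}."""
    opts = {"host": tokens[1], "type": tokens[2]}
    for tok in tokens[5:]:
        key, _, value = tok.partition("=")
        opts[key] = value if value else True      # bare flags such as originserver
    return opts


def outbound_authorization(client_authorization, peer):
    """Authorization header Squid sends to the peer for one client request.

    On an originserver peer with login=user:password the client's header is
    discarded and replaced by Basic; with login=PASS/PASSTHRU (or no login=)
    the client's header goes through unchanged.
    """
    login = peer.get("login")
    if peer.get("originserver") is True and login and login not in PASS_KEYWORDS:
        token = base64.b64encode(login.encode("utf-8")).decode("ascii")
        return "Basic " + token
    return client_authorization


def decode_basic(header):
    """Recover user:password from a Basic header (it is encoding, not protection)."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    return base64.b64decode(blob).decode("utf-8")


def review(conf):
    """Return the findings a reviewer would raise on this reverse-proxy config."""
    findings = []
    for tokens in directives(conf):
        if tokens[0] == "acl" and len(tokens) >= 4 and re.fullmatch(r"[\d.]+(/\d+)?", tokens[1]):
            body = " ".join(tokens[2:])
            findings.append(f"acl name {tokens[1]!r} reads like an address but is only a label; "
                            f"it matches: {body}")
        if tokens[0] == "cache_peer":
            peer = peer_options(tokens)
            if peer.get("sslflags") == "DONT_VERIFY_PEER":
                findings.append(f"peer {peer['host']}: sslflags=DONT_VERIFY_PEER, "
                                "origin certificate is not verified")
            login = peer.get("login")
            if login and login not in PASS_KEYWORDS and ":" in login:
                user = login.split(":", 1)[0]
                findings.append(f"peer {peer['host']}: literal credential for {user} in squid.conf; "
                                "every proxied request authenticates to the origin as this account")
    return findings


if __name__ == "__main__":
    peer = peer_options(next(t for t in directives(POSTED_CONF) if t[0] == "cache_peer"))
    print(outbound_authorization("NTLM TlRMTVNTUAABAAAA", peer))   # constructed client header
    for finding in review(POSTED_CONF):
        print("-", finding)
```

The decode_basic round trip is there to make the point Clem was unsure about: whatever Outlook sent, IIS sees the same Basic header for every request, and its payload is the squid.conf credential, readable by anyone who captures the proxy-to-origin leg or the config file.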

cl00m
Hi Amos,

Administrateur is the French AD name for Administrator :)

-> Also, originserver is a bit magic. login= + originserver will erase
*www-auth* headers as well and place Basic auth credentials in the www-auth (origin server auth) header.

I'm OK with that, because I want Squid to auth in Basic at first!

-> This is a confusing definition for the ACL *name* "0.0.0.0".

  IPv4 0.0.0.0 is 0.0.0.0/32 (single IP address)

  ACL magic "all" token defines IPv4 0.0.0.0/0 plus IPv6 ::/0

Thanks for the info, I've modified my config.

But I still have the issue with Windows 7: TCP_MISS/200 in the logs, and "server is unavailable" in Outlook, whereas with XP that works.

Regards

Clem




RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Amos Jeffries
Administrator
On 27.03.2012 21:31, Clem wrote:
> Hi Amos,
>
> Administrateur is the french AD name for Administrator :)
>

Yes. I'm just wondering if it is correct for what your IIS is checking
against.

Amos

Reply | Threaded
Open this post in threaded view
|

RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
Re,

I've found the option that generates the issue only with Windows 7: in the Outlook HTTP proxy settings window, we have this checked automatically : connect only to server proxy certificates that use this principal (common) name :
Msstd : externalfqdn

When I uncheck this option, my Outlook (2007/2010) can connect through squid with NTLM to my Exchange via Outlook Anywhere; if it's checked I get : server is unavailable.
In Windows XP, checked or not, that works.

By the way, after the connection to Exchange succeeds in W7, that option rechecks itself automatically ...

The point is, why ? Maybe Windows 7 is more paranoid with certificates ??

Do you have an idea ?

Regards

Clem



Re: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Amos Jeffries
Administrator
On 3/04/2012 1:33 a.m., Clem wrote:

> Re,
>
> I've found the option that generates the issue only with Windows 7: in the Outlook HTTP proxy settings window, we have this checked automatically : connect only to server proxy certificates that use this principal (common) name :
> Msstd : externalfqdn
>
> When I uncheck this option, my Outlook (2007/2010) can connect through squid with NTLM to my Exchange via Outlook Anywhere; if it's checked I get : server is unavailable.
> In windows XP, checked or not, that works.
>
> By the way, after connection to exchange succeed in w7, that option rechecks itself automatically ...
>
> The point is, why ? Maybe windows7 is more paranoid with certificate ??
>
> Have you an idea ?

Strange. Smells like a bug in Windows7 or a domain policy being pushed out.

Does the FRONT_END_HTTPS cache_peer setting make any change to that
flag's behaviour?

Amos


RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
> Does the FRONT_END_HTTPS cache_peer setting make any change to that flag's behaviour?

Whether I write this option in cache_peer or not, no change ...



RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
Hi,

My report with Windows 7 -> squid -> Outlook Anywhere with NTLM

I have to modify the Windows 7 local policies for LAN Manager to -> LM and NTLM only; by default Windows 7 sends NTLMv2 only, and squid is handled only LM; when I chose NTLM only, that doesn't work either.

On top of that, I have to disable the "connect only to server proxy certificates that use this principal (common) name : msstd : externalfqdn" option in the HTTP PROXY settings of Outlook (2007/2010).

With these two settings I can connect to my Exchange via squid, but it's not very easy ... My goal is to not modify parameters on my external laptop clients...

When these options aren't modified, the issue is clearly the same: two TCP_MISS 200 messages and nothing, and "server is unavailable". Even in HTTP 1.0 or HTTP 1.1; I've tested with 2.7 (http11 option), 3.1.19 (HTTP 1.0) and 3.2.0.16 (HTTP 1.1).

How can squid send NTLMv2 sequences ? How can squid fake a "msstd: CN" message ?

Squid works with XP natively, but with Windows 7 it's clearly not so simple :/

Regards

Clem



Re: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Amos Jeffries
Administrator
On 3/04/2012 11:34 p.m., Clem wrote:
> Hi,
>
> My report with Windows 7 -> squid -> Outlook Anywhere with NTLM
>
> I have to modify the Windows 7 local policies for LAN Manager to -> LM and NTLM only; by default Windows 7 sends NTLMv2 only, and squid is handled only LM; when I chose NTLM only, that doesn't work either.

What do you mean by "squid is handled only LM" ??

Windows7 by default should be using Kerberos. It can downgrade to NTLMv2
if necessary for compatibility with old systems, but no further unless
configured to use weaker security encodings.

>
> On top of that, I have to disable the "connect only to server proxy certificates that use this principal (common) name : msstd : externalfqdn" option in the HTTP PROXY settings of Outlook (2007/2010).

Their choice of word "principal" instead of "domain" or "authority" in
that setting makes me think that is a Kerberos principal key, rather
than a certificate authority or NTLM domain scope.
Bad naming on MS's part? Or something more complex than just NTLM going on?



RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m


-----Original Message-----
From : Clem [mailto:[hidden email]]
Sent : Tuesday 3 April 2012 16:54
To : 'Amos Jeffries'
Subject : RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Hi Amos,

> What do you mean by "squid is handled only LM" ??

> Windows7 by default should be using Kerberos. It can downgrade to NTLMv2 if necessary for compatibility with old systems, but no further unless configured to use weaker security encodings.

The fact is, when I enable "use only NTLM" Outlook doesn't connect: two TCP_MISS 200 and nothing; same with "use only NTLMv2". When I enable "use LM and NTLM", that works. So I assumed that only LM via squid is working.
Without squid, all NTLM versions work !

In XP, no changes in the config, same config in Outlook for the HTTP proxy, and that works, but in XP by default we have LM and NTLM in the security policies.

> Their choice of word "principal" instead of "domain" or "authority" in that setting makes me think that is a Kerberos principal key, rather than a certificate authority or NTLM domain scope.
> Bad naming on MS's part? Or something more complex than just NTLM going on?

Microsoft says that the principal name = the common name of the certificate, the "issued to" name.




R: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Guido Serassio
In reply to this post by cl00m
Hi Clem,

Try reading this: http://blogs.technet.com/b/exchange/archive/2008/09/29/3406352.aspx

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135               Fax. : +39.011.9781115
Email: [hidden email]
WWW: http://www.acmeconsulting.it




RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
Hi Guido,

Thanks for this link, but I've already read it and already set that
parameter (EXPR), and no change. I've made more tests yesterday :

..:::: WinXP -> squid -> Exchange 2007

With LAN Manager parameters (secpol.msc) AND with the msstd option checked in
the Outlook HTTP proxy parameters :

. LM and NTLM only : working
. NTLM only : working
. NTLMv2 only : working

..:::: Windows 7 -> squid -> Exchange 2007

With LAN Manager parameters (secpol.msc) AND with the msstd option checked in
the Outlook HTTP proxy parameters :

. LM and NTLM only : NOT working
. NTLM only : NOT working
. NTLMv2 only : NOT working

With LAN Manager parameters (secpol.msc) AND with the msstd option NOT checked
in the Outlook HTTP proxy parameters :

. LM and NTLM only : working
. NTLM only : NOT working
. NTLMv2 only : NOT working

Without squid, so Outlook connected directly to Exchange via Outlook
Anywhere, that works with any parameters, for XP and 7.

I'm so confused ... Why does it work with XP with any parameters and with
Windows 7 only with 2 parameters on ?
What is the thing that makes the difference between these two OSes ?

Regards,

Clem




R: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Guido Serassio
Hi Clem,

As far as I know there is something different in the WinHttp API used by Outlook, but I have not been able to find any detail about it ...

Regards

Guido Serassio




RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
Hello,

In my cache.log I have (Windows 7 client) :

--------------------------
2012/05/11 13:37:42.493| HTTP Client local=ip_squid:443 remote=ip_wan_client:60465 FD 11 flags=1
2012/05/11 13:37:42.493| HTTP Client REQUEST:
---------
RPC_OUT_DATA /rpc/rpcproxy.dll?fqdn_exchange_server:6002 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: SessionId=d3deb408-a810-4e85-b3df-1e50e0fe11f7
Accept: application/rpc
Cookie: OutlookSession="{B14448C4-3BB4-454E-A09F-CA4705810688} Outlook=14.0.6117.5001 OS=6.1.7601"
User-Agent: MSRPC
Content-Length: 0
Host: mail.xx.fr
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
--------------------------

The difference from the XP client is the Pragma header (value no-cache for XP), and the Cookie header, which doesn't exist in XP.

So I want to "disable" the Cookie header and replace the value of Pragma; in my squid.conf I've added these lines :

request_header_access Cookie deny all
request_header_replace Pragma no-cache

But that doesn't work: the Cookie header is still there, and Pragma isn't changed.

I've configured squid with --enable-http-violations

How can I do that ?

Thx

Clem

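Added worked example (my code, not from the thread or from Squid): it decodes the NTLM type 1 token in the Authorization header of the Windows 7 capture above, showing that it only advertises negotiate flags and the client OS version (6.1.7601), and diffs that request's headers against an XP one. The XP request and its NTLM token are constructed to match Clem's description (Pragma: no-cache, no Cookie), not captured, and the Windows 7 timestamp is reused for it.

```python
import base64
import struct

# MS-NLMP NegotiateFlags bits (the subset relevant to this thread)
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION = 0x02000000


def parse_ntlm_negotiate(token_b64):
    """Decode a base64 NTLM NEGOTIATE_MESSAGE (type 1), MS-NLMP 2.2.1.1:
    'NTLMSSP\\0', u32 MessageType, u32 NegotiateFlags, DomainNameFields(8),
    WorkstationFields(8), optional Version(8). A type 1 message carries no
    LM/NTLM/NTLMv2 choice; that is only visible in the type 3 AUTHENTICATE."""
    raw = base64.b64decode(token_b64)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE (type 1), got type %d" % msg_type)
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
    version = None
    if flags & NEGOTIATE_VERSION and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        version = (major, minor, build)        # (6, 1, 7601) = Windows 7 SP1
    return {"flags": flags,
            "flag_names": sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit),
            "domain": raw[dom_off:dom_off + dom_len].decode("ascii", "replace"),
            "workstation": raw[ws_off:ws_off + ws_len].decode("ascii", "replace"),
            "version": version}

def build_ntlm_negotiate(flags, version):
    """Minimal NEGOTIATE_MESSAGE with empty Domain/Workstation fields; used here
    only to construct the XP sample token."""
    major, minor, build = version
    raw = (b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
           + struct.pack("<HHI", 0, 0, 0) * 2                     # empty fields
           + struct.pack("<BBH3xB", major, minor, build, 0x0F))   # NTLMRevision 15
    return base64.b64encode(raw).decode("ascii")

def parse_client_request(cache_log):
    """(request_line, headers) from the first 'HTTP Client REQUEST' dump in a
    cache.log excerpt: the raw request as received, before any Squid rewriting."""
    lines = cache_log.splitlines()
    start = next(i for i, l in enumerate(lines) if "HTTP Client REQUEST:" in l)
    body = []
    for line in lines[start + 2:]:             # skip the '---------' opener
        if line.startswith("-----"):           # a dashed line closes the dump
            break
        body.append(line)
    headers, last = {}, None
    for line in body[1:]:
        if line[:1] in (" ", "\t") and last:   # obs-fold continuation line
            headers[last] += " " + line.strip()
        elif line.strip():
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return body[0], headers

def header_differences(h_a, h_b, ignore=("Authorization",)):
    """(name, value_a, value_b) per differing header; the per-connection NTLM
    token is skipped here and decoded separately."""
    names = sorted((set(h_a) | set(h_b)) - set(ignore))
    return [(n, h_a.get(n), h_b.get(n)) for n in names if h_a.get(n) != h_b.get(n)]

def client_dump(pragma, token, cookie=None):
    """Render a cache.log 'HTTP Client REQUEST' dump around the thread's request line."""
    hdrs = (["Cache-Control: no-cache", "Connection: Keep-Alive", "Pragma: " + pragma,
             "Accept: application/rpc"] + (["Cookie: " + cookie] if cookie else [])
            + ["User-Agent: MSRPC", "Content-Length: 0", "Host: mail.xx.fr",
               "Authorization: NTLM " + token])
    return ("2012/05/11 13:37:42.493| HTTP Client REQUEST:\n---------\n"
            "RPC_OUT_DATA /rpc/rpcproxy.dll?fqdn_exchange_server:6002 HTTP/1.1\n"
            + "\n".join(hdrs) + "\n--------------------------\n")

# Windows 7 request as captured in the thread (Cookie header unwrapped).
WIN7_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
WIN7_LOG = client_dump("SessionId=d3deb408-a810-4e85-b3df-1e50e0fe11f7", WIN7_TOKEN,
                       'OutlookSession="{B14448C4-3BB4-454E-A09F-CA4705810688} '
                       'Outlook=14.0.6117.5001 OS=6.1.7601"')
# CONSTRUCTED XP counterpart per the thread: 'Pragma: no-cache', no Cookie, and a
# token whose Version field says Windows 5.1 build 2600 (same flags assumed).
XP_TOKEN = build_ntlm_negotiate(0xA2088207, (5, 1, 2600))
XP_LOG = client_dump("no-cache", XP_TOKEN)

if __name__ == "__main__":
    for label, log in (("Windows 7", WIN7_LOG), ("Windows XP (constructed)", XP_LOG)):
        info = parse_ntlm_negotiate(parse_client_request(log)[1]["Authorization"].split(" ", 1)[1])
        print("%s: Version %r, flags %s" % (label, info["version"], ", ".join(info["flag_names"])))
    xp_hdrs, w7_hdrs = parse_client_request(XP_LOG)[1], parse_client_request(WIN7_LOG)[1]
    for name, xp, w7 in header_differences(xp_hdrs, w7_hdrs):
        print("%-7s XP=%r  Win7=%r" % (name, xp, w7))
```

Rebuilding the Windows 7 token from flags 0xA2088207 and version (6, 1, 7601) reproduces the captured base64 byte for byte, which confirms the decoding.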


Re: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Amos Jeffries
Administrator
On 12/05/2012 1:50 a.m., Clem wrote:

> Hello,
>
> In my cache.log I have (Windows 7 client) :
>
> --------------------------
> 2012/05/11 13:37:42.493| HTTP Client local=ip_squid:443 remote=ip_wan_client:60465 FD 11 flags=1
> 2012/05/11 13:37:42.493| HTTP Client REQUEST:
> ---------
> RPC_OUT_DATA /rpc/rpcproxy.dll?fqdn_exchange_server:6002 HTTP/1.1
> Cache-Control: no-cache
> Connection: Keep-Alive
> Pragma: SessionId=d3deb408-a810-4e85-b3df-1e50e0fe11f7
> Accept: application/rpc
> Cookie: OutlookSession="{B14448C4-3BB4-454E-A09F-CA4705810688} Outlook=14.0.6117.5001 OS=6.1.7601"
> User-Agent: MSRPC
> Content-Length: 0
> Host: mail.xx.fr
> Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> --------------------------
>
> The difference from the XP client is the Pragma header (value no-cache for XP), and the Cookie header, which doesn't exist in XP.

You mean no-cache as well as SessionId values? Or just no-cache and no
SessionId?

>
> So I want to "disable" the Cookie header and replace the value for Pragma; in my
> squid.conf I've added these lines:
>
> request_header_access Cookie deny all
> request_header_replace Pragma no-cache

"Pragma: no-cache" has been obsoleted by "Cache-Control:no-cache". They
do the same thing.

Also, request_header_replace requires a previous "request_header_access
deny ..." giving permission to remove existing header details before it
can replace the content.

>
> But that doesn't work; the Cookie header is still there, and Pragma isn't
> changed.

Make sure you are looking at the right things. "HTTP Client REQUEST" is
the raw data received from the client. No changes made by Squid will
show up in those details (except some minor auto-corrections by the
parser). The "HTTP Server REQUEST" details later on with the same URL are
the Squid->Server information after all Squid manipulations.

The response headers are in a pair of "HTTP foo REPLY".

Amos

RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
Hi Amos,

Thx for your answer.

I'm still searching for why my solution works with XP, and on Windows 7 only when I change 2 settings (LAN Manager level, and disabling msstd).
So I use a cache.log with debug options to analyze more precisely, to see the difference between these two OSes.

When that doesn't work on Windows 7, the request is "stuck" on RPC_OUT_DATA with a 200 success HTTP, a sort of time out, and no info; I've sniffed all I can, and nothing ...

The only thing I can see in the logs is the Cookie header and the Pragma "SessionId" on Windows 7. On XP there is no Cookie header and Pragma is "no-cache" only, no other values.

> Also, request_header_replace requires a previous "request_header_access deny ..." giving permission to remove existng header details before it can replace the content.

Thx for this info, I'll test it today.
If I write:
request_header_access Cookie deny all
request_header_replace Cookie none

Does this disable the Cookie header?

Thx, regards

Clem




Re: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Amos Jeffries
Administrator
In reply to this post by Amos Jeffries
On 14/05/2012 7:42 p.m., Clem wrote:

> Hi Amos,
>
> Thx for your answer.
>
> I'm still searching why my solution works with XP and only when I change 2 settings (lanmanager level, and disable msstd) on Windows7.
> So I use a cache.log with debug options to analyze more precisely, to see the difference between these two OS.
>
> When that doesn’t work on windows7, the request is "stuck" on RPC_OUT_DATA with a 200 success HTTP, sort of time out, and no infos, I've sniffed all I can, and nothing ...
>
> The only thing I can see in logs is the cookie header and the pragma "sessionid" on windows7. In XP there is no cookie header and pragma is "no-cache" only, no other values.

Hmm. Hanging usually means something somewhere is waiting, expecting data
from somewhere.

Could be an HTTP object sent with wrong body size. Or another side
channel somewhere expected to be working but not operating. Things like
unexpected side channels seem to happen a lot with MS software IME.

>> Also, request_header_replace requires a previous "request_header_access deny ..." giving permission to remove existing header details before it can replace the content.
> Thx for this info, I'll test it today.
> If I write:
> request_header_access Cookie deny all
> request_header_replace Cookie none
>
> Does this disable the Cookie header?

It erases all existing Cookie values and creates the header "Cookie: none".

Amos


RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
In the log, the exact same sequence: on W7 it hangs, on XP it continues:

....:::::::::::::::::: Win7

2012/05/14 10:14:15.090| ctx: enter level  0: 'https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002'
2012/05/14 10:14:15.090| HTTP Server local=ip_squid:49014 remote=ip_exchange_server:443 FD 12 flags=1
2012/05/14 10:14:15.090| HTTP Server REPLY:
---------
HTTP/1.1 200 OK
Date: Mon, 14 May 2012 10:15:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length:20
Connection: Keep-Alive


----------
2012/05/14 10:14:15.091| ctx: exit level  0
2012/05/14 10:14:15.091| The reply for RPC_OUT_DATA https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002 is 1, because it matched 'all'
2012/05/14 10:14:15.091| HTTP Client local=ip_squid:443 remote=ip_wan_client:51556 FD 11 flags=1
2012/05/14 10:14:15.091| HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Date: Mon, 14 May 2012 10:15:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length: 20
X-Cache: MISS from mail.x.fr
Via: 1.1 mail.x.fr (squid/3.2.0.17-20120415-r11555)
Connection: keep-alive


----------
2012/05/14 10:14:15.092| FilledChecklist.cc(100) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x8dff1c8
2012/05/14 10:14:15.092| ACLChecklist::~ACLChecklist: destroyed 0x8dff1c8

And it hangs there ...

....:::::::::::::::::: Win7


....:::::::::::::::::: WinXP

2012/05/11 13:22:33.452| ctx: enter level  0: 'https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002'
2012/05/11 13:22:33.452| HTTP Server local=ip_squid:46111 remote=ip_exchange_server:443 FD 12 flags=1
2012/05/11 13:22:33.452| HTTP Server REPLY:
---------
HTTP/1.1 200 OK
Date: Fri, 11 May 2012 13:23:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length:20
Connection: Keep-Alive


----------
2012/05/11 13:22:33.452| ctx: exit level  0
2012/05/11 13:22:33.452| The reply for RPC_OUT_DATA https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002 is 1, because it matched 'all'
2012/05/11 13:22:33.452| HTTP Client local=ip_squid:443 remote=ip_wan_client:1162 FD 11 flags=1
2012/05/11 13:22:33.452| HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Date: Fri, 11 May 2012 13:23:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length: 20
X-Cache: MISS from mail.x.fr
Via: 1.1 mail.x.fr (squid/3.2.0.17-20120415-r11555)
Connection: keep-alive


----------
2012/05/11 13:22:33.454| FilledChecklist.cc(100) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x8dccea8
2012/05/11 13:22:33.454| ACLChecklist::~ACLChecklist: destroyed 0x8dccea8
2012/05/11 13:22:33.512| HTTP Client local= ip_squid:443 remote=ip_wan_client:1160 FD 8 flags=1
2012/05/11 13:22:33.512| HTTP Client REQUEST:
---------
RPC_IN_DATA /rpc/rpcproxy.dll? fqdn_exchange_server:6002 HTTP/1.1
Accept: application/rpc
User-Agent: MSRPC
Host: mail.x.fr
Content-Length: 1073741824
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

................ and that continues ...

....:::::::::::::::::: WinXP


And no more info on why it's hanging.



Clem



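As an added example (not code from the thread or from Squid), a small Python parser for the "HTTP Client REQUEST" / "HTTP Server REPLY" dumps Amos describes above: it pairs each message Squid received with the copy it forwarded and reports the headers removed, added or rewritten in between, plus any change of HTTP version, which is exactly the comparison the Win7/XP log excerpts above are trying to make by eye. The cache.log text inside is constructed in the thread's format (the Via value and the Cookie/Pragma rewrite are assumptions), with the client-facing reply set to HTTP/1.0 to show the downgrade that the client_side_reply.cc tweak later in the thread removes.

```python
import re

# Constructed cache.log excerpt in the format quoted in the thread, not a real
# capture: Cookie dropped and Pragma rewritten as the thread's squid.conf lines
# intend, and a client-facing reply downgraded to HTTP/1.0 (Squid 3.1 behaviour).
CACHE_LOG = """\
2012/05/14 10:14:15.090| HTTP Client REQUEST:
---------
RPC_OUT_DATA /rpc/rpcproxy.dll?fqdn_exchange_server:6002 HTTP/1.1
Pragma: SessionId=d3deb408-a810-4e85-b3df-1e50e0fe11f7
Cookie: OutlookSession="{B14448C4-3BB4-454E-A09F-CA4705810688}"
Host: mail.x.fr
----------
2012/05/14 10:14:15.090| HTTP Server REQUEST:
---------
RPC_OUT_DATA /rpc/rpcproxy.dll?fqdn_exchange_server:6002 HTTP/1.1
Pragma: no-cache
Host: mail.x.fr
Via: 1.1 mail.x.fr (squid/3.1.20)
----------
2012/05/14 10:14:15.090| HTTP Server REPLY:
---------
HTTP/1.1 200 OK
Content-Length:20
----------
2012/05/14 10:14:15.091| HTTP Client REPLY:
---------
HTTP/1.0 200 OK
Content-Length: 20
X-Cache: MISS from mail.x.fr
----------
"""

DUMP_RE = re.compile(r"\| HTTP (Client|Server) (REQUEST|REPLY):\s*$")
RULE_RE = re.compile(r"^-{5,}$")                    # dash rules framing each dump
HEADER_RE = re.compile(r"^([\w!#$%&'*+.^`|~-]+):\s*(.*?)\s*$")


def parse_cache_log(text):
    """Return each dump as a dict: side, kind, version and lower-cased headers."""
    msgs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = DUMP_RE.search(lines[i])
        i += 1
        if not m or i + 1 >= len(lines) or not RULE_RE.match(lines[i]):
            continue
        start = lines[i + 1].split()    # request line or status line
        msg = {"side": m.group(1), "kind": m.group(2), "headers": {},
               "version": start[-1] if m.group(2) == "REQUEST" else start[0]}
        i += 2
        while i < len(lines) and not RULE_RE.match(lines[i]):
            if h := HEADER_RE.match(lines[i]):
                msg["headers"][h.group(1).lower()] = h.group(2)
            i += 1
        msgs.append(msg)
    return msgs


def squid_changes(msgs):
    """Pair what Squid received with what it forwarded (Client REQUEST -> Server
    REQUEST, Server REPLY -> Client REPLY) and report what changed in between."""
    forwarded = {("Client", "REQUEST"): ("Server", "REQUEST"),
                 ("Server", "REPLY"): ("Client", "REPLY")}
    out, pending = [], {}
    for m in msgs:
        key = (m["side"], m["kind"])
        if key in forwarded:
            pending[forwarded[key]] = m         # wait for the forwarded copy
        elif key in pending:
            a = pending.pop(key)
            ha, hb = a["headers"], m["headers"]
            out.append({"kind": m["kind"], "version": (a["version"], m["version"]),
                        "removed": sorted(set(ha) - set(hb)),
                        "added": sorted(set(hb) - set(ha)),
                        "changed": {n: (ha[n], hb[n]) for n in ha
                                    if n in hb and ha[n] != hb[n]}})
    return out
```

On a real cache.log the same pairing shows whether a "Cookie: none" or a rewritten Pragma actually reached the peer, and whether the reply version seen by the client matches what IIS sent.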

RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
Hello,

With the help of James, I'm now able to connect my W7 clients to my Exchange 2007 IIS6 RPC proxy through Squid, with the same squid config as before (3.2.x) but now on version 3.1.20 with the "tweak patch" from James Harper.

OWA, RPC PROXY (outlook anywhere) + Activesync are OK.

Before compiling squid, go to the "src" directory, edit client_side_reply.cc, and find
--------------------->
void
clientReplyContext::cloneReply()
{
    assert(reply == NULL);

    HttpReply *rep = http->storeEntry()->getReply()->clone();

    reply = HTTPMSGLOCK(rep);

    if (reply->sline.protocol == PROTO_HTTP) {
        /* enforce 1.0 reply version (but only on real HTTP traffic) */
        /* the assignment below is the downgrade itself as in the 3.1.x sources; the mail's excerpt showed only the comment */
        reply->sline.version = HttpVersion(1,0);
    }

    /* do header conversions */
    buildReplyHeader();
}
<-----------------------

and remove or comment out
----------------->
if (reply->sline.protocol == PROTO_HTTP) {
    /* enforce 1.0 reply version (but only on real HTTP traffic) */
    reply->sline.version = HttpVersion(1,0);
}
<-----------------

Then I compiled squid with --enable-ssl, used my squid.conf that worked for XP only, tested on my W7 clients, and YES, that works for them too!

Windows XP SP3 + Outlook 2007 -> works with login=DOMAIN\Adminuser:password in cache_peer but not with login=PASS
Windows 7 SP2 + Outlook 2010 -> works with login=DOMAIN\Adminuser:password in cache_peer AND with login=PASS

Dunno why on XP I can't use login=PASS; in my IIS6 logs I can see the user's Windows credentials are properly sent, but I think something goes wrong with the reply, which doesn't happen with Windows 7.

Anyway, that works, and I'll be able to test my squid frontend (+ postfix to forward mails), and then in July on my new Exchange 2007 server with IIS7 (I'll tell you if that works too)!

Regards,

Clem




RE: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

cl00m
I made a mistake yesterday: in fact, for Windows 7 (SP1) that works only with login=PASS in cache_peer ... and unfortunately, this doesn't work for XP clients now ...

I've noticed that when I delete the "originserver" option from the cache_peer line (only with James' "tweak"), I can connect with login=user:password and login=PASS on Windows 7, but not on XP, where I get a 401 error.

I can't make this work for both XP and W7; still searching for a solution ...



