Squid Proxy

Squid Proxy

Commandeur, Ed
Hello,

I'm really stuck at the moment using the Squid reverse proxy. I've seen on the website a config for Exchange RPC over HTTPS and I've set those settings using my own environment.

The reverse proxy works with OWA and all the other Exchange applications except for RPC over HTTPS. It seems that the NTLM negotiation isn't forwarded to our mail server.

Here's my squid config

acl httptohttps myport 80
http_access deny httptohttps
deny_info https://<owa url>/ httptohttps

# extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Publish the RPCoHTTP service via SSL
https_port <server ip>:443 accel cert=c:/squid/etc/ssl/<wildcardcert>.crt key=c:/squid/etc/ssl/<wildcardcert>.key defaultsite=<owa url>

# login=PASS passes the client's Authorization header through to the peer;
# DONT_VERIFY_PEER skips checking the mail server's certificate
cache_peer <mailserver ip> parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=c:/squid/etc/ssl/<wildcardcert>.crt sslkey=c:/squid/etc/ssl/<wildcardcert>.key name=exchangeServer

access_log c:/squid/var/logs/access.log

acl EXCH dstdomain <owa url>
acl all src 0.0.0.0/0.0.0.0

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all

I'm running version 2.7.STABLE8 on a Windows 2008 R2 SP1 server.

I get the following error in the access log when I try to open just the web page of the RPC site:

<my ip> TCP_DENIED/401 1733 GET https://<owa url>/rpc - NONE/- text/html

Someone got any idea?


With kind regards,

Ed Commandeur
information & media technology
systemadministrator
email: [hidden email]
Site: http://www.akn.nl
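
Before the NTLM problem is chased, one line in the posted config deserves a flag: `sslflags=DONT_VERIFY_PEER` on the cache_peer means Squid completes the TLS handshake to <mailserver ip> without checking the certificate at all, so anything that can answer on that address can sit between the proxy and Exchange and read the whole session, NTLM exchange included. The script below is an added example, not code from the thread or from the Squid project: a small reviewer that parses a squid.conf, checks the RPC-over-HTTPS prerequisites the posted config relies on (`login=PASS` together with `extension_methods RPC_IN_DATA RPC_OUT_DATA`) and reports unverified origin TLS. It embeds the posted config re-typed with constructed placeholder names (owa.example.net, 192.0.2.x) next to a hardened variant that replaces DONT_VERIFY_PEER with the Squid 2.6/2.7 cache_peer options `sslcafile=` and `ssldomain=` (the CA file path and the expected peer name are assumptions) and adds the port-80 listener that the posted `myport 80` ACL needs but does not show.

```python
"""Review a Squid 2.7 reverse-proxy config for Exchange RPC-over-HTTPS publishing.

Added example, not code from the thread or the Squid project. Names and addresses in the
samples are constructed placeholders for the <owa url>, <server ip> and <mailserver ip>.
"""

POSTED_CONF = """
acl httptohttps myport 80
http_access deny httptohttps
deny_info https://owa.example.net/ httptohttps
# extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 192.0.2.10:443 accel cert=c:/squid/etc/ssl/wild.crt key=c:/squid/etc/ssl/wild.key defaultsite=owa.example.net
cache_peer 192.0.2.20 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=c:/squid/etc/ssl/wild.crt sslkey=c:/squid/etc/ssl/wild.key name=exchangeServer
acl EXCH dstdomain owa.example.net
acl all src 0.0.0.0/0.0.0.0
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
"""

# Hardened variant: verify the mail server's certificate against the CA that issued it and
# the name expected in it (sslcafile= / ssldomain= are Squid 2.6/2.7 cache_peer options;
# the CA path and name are assumptions), and add the port-80 listener the myport ACL needs.
HARDENED_CONF = POSTED_CONF.replace(
    "sslflags=DONT_VERIFY_PEER",
    "sslcafile=c:/squid/etc/ssl/corp-ca.pem ssldomain=mail.example.net",
).replace(
    "acl httptohttps myport 80",
    "http_port 192.0.2.10:80 accel defaultsite=owa.example.net\nacl httptohttps myport 80",
)

REQUIRED_RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}


def parse_conf(text):
    """Yield (directive, [args]) per line; '#' comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            yield directive, args


def peer_options(args):
    """Split cache_peer arguments into positional fields, key=value options and bare flags."""
    host, kind, http_port, icp_port, *opts = args
    kv = dict(o.split("=", 1) for o in opts if "=" in o)
    return {"host": host, "type": kind, "port": http_port, "kv": kv, "flags": {o for o in opts if "=" not in o}}


def review(text):
    """Return findings as strings; an empty list means nothing to flag."""
    directives = list(parse_conf(text))
    methods = {m for d, a in directives if d == "extension_methods" for m in a}
    listen = {a[0].rsplit(":", 1)[-1] for d, a in directives if d in ("http_port", "https_port") and a}
    findings = []
    for d, a in directives:
        if d == "acl" and len(a) >= 3 and a[1] == "myport" and a[2] not in listen:
            findings.append(f"acl {a[0]}: matches myport {a[2]} but nothing listens on port {a[2]} in this config, "
                            f"so the HTTP-to-HTTPS redirect never fires")
        if d != "cache_peer":
            continue
        p = peer_options(a)
        name = p["kv"].get("name", p["host"])
        if p["kv"].get("login") == "PASS" and not REQUIRED_RPC_METHODS <= methods:
            findings.append(f"cache_peer {name}: login=PASS but extension_methods lacks RPC_IN_DATA/RPC_OUT_DATA; "
                            f"Squid 2.7 rejects methods it does not know, so RPC over HTTPS never reaches the peer")
        if "ssl" not in p["flags"]:
            continue
        sslflags = set(p["kv"].get("sslflags", "").split(","))
        if "DONT_VERIFY_PEER" in sslflags:
            findings.append(f"cache_peer {name}: sslflags=DONT_VERIFY_PEER accepts any certificate from {p['host']}; "
                            f"whatever answers on that address can read the Exchange session. Use sslcafile=/sslcapath= and ssldomain=")
            continue
        if not {"sslcafile", "sslcapath"} & set(p["kv"]):
            findings.append(f"cache_peer {name}: ssl without sslcafile=/sslcapath=, so verification has no trust anchor")
        if "ssldomain" not in p["kv"]:
            findings.append(f"cache_peer {name}: add ssldomain= so the certificate is checked against the expected name, "
                            f"not only against a trusted CA")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in review(conf) or ["no findings"]:
            print(" -", finding)
```

Run as-is, the posted config yields two findings (the unverified peer and the dead `myport 80` ACL) and the hardened one none. `sslcafile=` gives Squid a trust anchor for the chain; `ssldomain=` is what ties the certificate to a name, which matters here because the peer is addressed by IP and Squid would otherwise have nothing to compare the subject against.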

RE: Squid Proxy

cl00m
Hello,

Squid can't handle NTLM to NTLM with Exchange 2007; this is the double hop issue. I've found a workaround, which is telling Squid to auth in Basic and then the client auths in NTLM; we have to modify the Exchange IIS authentication to accept both NTLM and Basic. That works, but only with XP clients. For Windows 7 clients we have to use an LM or NTLM LanManServer-level configuration in the security policies:

http://www.sevenforums.com/attachments/network-sharing/99233d1285088277-homegroup-problem-lanmanserver-lanman-security-options.png

And you have to disable the msstd option in Outlook:

http://2.bp.blogspot.com/_1_AwklpKUEc/SUmbOkOURDI/AAAAAAAAAVk/aoHPPaVVesI/s400/msstd.JPG

Otherwise Outlook Anywhere via Squid and NTLM will not work on Windows 7 clients.

You can follow my thoughts on this under the topic subject: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

I'm still searching for a solution... because I have some external clients with laptops (W7) and I don't want to configure them manually; I want my Squid Exchange front-end project to be completely transparent for my clients.

Regards

Clem

-----Original Message-----
From: Commandeur, Ed [mailto:[hidden email]]
Sent: Wednesday 18 April 2012 07:46
To: '[hidden email]'
Subject: [squid-users] Squid Proxy


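What Clem calls the double hop issue is a property of NTLM itself: the three-message handshake authenticates a TCP connection, not a request. The origin issues its Type 2 challenge on one server-side connection and only accepts the Type 3 response on that same connection; a proxy that relays the client's Type 3 over a different upstream connection delivers a response the origin has no challenge for, which it treats as a fresh unauthenticated request and answers with 401 again, the same symptom as in the access log above. Squid's `login=PASS` passthrough depends on pinning the client connection to one peer connection for exactly this reason. The following is an added example, not code from the thread: it builds and decodes the three NTLMSSP messages (layouts per MS-NLMP) so that `WWW-Authenticate` and `Authorization` headers from a trace can be read, and runs the handshake through a toy origin behind a pinned and an unpinned proxy. The domain, account, password, target name and the keyed-MAC "response" are constructed stand-ins; no real NTLMv2 computation is performed.

```python
"""NTLM over HTTP through a reverse proxy: the handshake is bound to the TCP connection.

Added example, not code from the thread. Message layouts follow MS-NLMP; the origin,
the proxy and the response computation are toy stand-ins (no real NTLMv2).
"""
import base64
import hashlib
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
FLAGS = 0x00000205  # NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM (MS-NLMP 2.2.2.5)
ACCOUNTS = {("AKN", "ed"): b"constructed-test-password"}  # constructed test account, not real

def _fields(parts, base):
    """Security-buffer descriptors (len, maxlen, offset) followed by the payload they describe."""
    descs, payload, off = b"", b"", base
    for p in parts:
        descs += struct.pack("<HHI", len(p), len(p), off)
        payload, off = payload + p, off + len(p)
    return descs + payload

def build_type1():  # NEGOTIATE: 32-byte header, empty domain and workstation
    return NTLMSSP + struct.pack("<II", 1, FLAGS) + _fields([b"", b""], 32)

def build_type2(target, challenge):  # CHALLENGE: TargetName, flags, 8-byte ServerChallenge
    t = target.encode("utf-16-le")
    head = NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", len(t), len(t), 48)
    head += struct.pack("<I", FLAGS) + challenge + bytes(8)  # flags, ServerChallenge, Reserved
    return head + struct.pack("<HHI", 0, 0, 48 + len(t)) + t  # empty TargetInfo, then TargetName

def build_type3(domain, user, workstation, nt_response):  # AUTHENTICATE: six buffers + flags
    parts = [b"", nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    body = _fields(parts, 64)  # 12-byte header + 48 bytes of descriptors + 4 flag bytes = 64
    return NTLMSSP + struct.pack("<I", 3) + body[:48] + struct.pack("<I", FLAGS) + body[48:]

def _field(blob, at):
    ln, _maxlen, off = struct.unpack_from("<HHI", blob, at)
    return blob[off:off + ln]

def parse_ntlm(blob):
    """Decode the fields a proxy debugger needs from a Type 1, 2 or 3 message."""
    if blob[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", blob, 8)[0]
    if mtype == 1:
        return {"type": 1, "flags": struct.unpack_from("<I", blob, 12)[0]}
    if mtype == 2:
        return {"type": 2, "target": _field(blob, 12).decode("utf-16-le"), "challenge": blob[24:32]}
    if mtype == 3:
        names = [_field(blob, at).decode("utf-16-le") for at in (28, 36, 44)]
        return dict(zip(("domain", "user", "workstation"), names), type=3, nt_response=_field(blob, 20))
    raise ValueError(f"unexpected NTLM message type {mtype}")

def decode_header(value):
    """'NTLM <base64>' from WWW-Authenticate or Authorization -> dict; a bare 'NTLM' -> None."""
    scheme, _, token = value.partition(" ")
    return parse_ntlm(base64.b64decode(token)) if scheme.upper() == "NTLM" and token else None

def ntlm_header(msg):
    return "NTLM " + base64.b64encode(msg).decode()

def toy_response(password, challenge):
    """Stand-in for NTLMv2's NTProofStr: a keyed MAC over the server challenge (not real NTLM)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

class Origin:
    """Toy IIS RPC proxy: the pending challenge is keyed by the upstream TCP connection."""
    def __init__(self):
        self.pending = {}

    def handle(self, conn_id, authorization):
        msg = decode_header(authorization) if authorization else None
        if msg is None:
            return 401, "NTLM"
        if msg["type"] == 1:
            self.pending[conn_id] = os.urandom(8)
            return 401, ntlm_header(build_type2("EXCH", self.pending[conn_id]))
        challenge = self.pending.pop(conn_id, None)
        if msg["type"] != 3 or challenge is None:  # Type 3 on a connection that never saw a Type 2
            return 401, "NTLM"
        pw = ACCOUNTS.get((msg["domain"].upper(), msg["user"]))
        ok = pw is not None and hmac.compare_digest(msg["nt_response"], toy_response(pw, challenge))
        return (200, None) if ok else (401, "NTLM")

def outlook_anywhere_handshake(pinned):
    """Client -> proxy -> origin. pinned=True keeps one upstream connection for the client's
    connection (what Squid's login=PASS pinning does); pinned=False opens a fresh upstream
    connection per request, which is the double-hop failure. Returns the final HTTP status."""
    origin, upstream = Origin(), iter(range(100, 200))
    fixed = next(upstream)

    def forward(authorization):
        return origin.handle(fixed if pinned else next(upstream), authorization)

    _, www_auth = forward(None)                        # 401, WWW-Authenticate: NTLM
    _, www_auth = forward(ntlm_header(build_type1()))  # 401, WWW-Authenticate: NTLM <Type 2>
    proof = toy_response(ACCOUNTS[("AKN", "ed")], decode_header(www_auth)["challenge"])
    status, _ = forward(ntlm_header(build_type3("AKN", "ed", "LAPTOP", proof)))
    return status
```

`outlook_anywhere_handshake(True)` returns 200 and `outlook_anywhere_handshake(False)` returns 401, which is the whole double-hop problem in one line each: the unpinned proxy never sends anything wrong, it just sends the right Type 3 to a connection that has no challenge waiting. `decode_header` is the piece to reuse when reading a trace: feed it each `WWW-Authenticate: NTLM ...` and `Authorization: NTLM ...` value and check that the Type 2 the client answered is the one the origin issued on the connection the Type 3 travelled over.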
RE: Squid Proxy

Commandeur, Ed
Hello,

Thank you, but we are using Exchange 2010 SP1 (does that change anything?) and the workaround below isn't workable for me. (We now have a running proxy on Apache 2.0.54 at our ISP's site, but they have quit support and maintenance on that one, so we now want to do it ourselves.)

Are there any more suggestions?

Regards,

Ed Commandeur

-----Original Message-----
From: Clem [mailto:[hidden email]]
Sent: Wednesday 18 April 2012 9:31
To: Commandeur, Ed; [hidden email]
Subject: RE: [squid-users] Squid Proxy
