[squid-users] R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Guido Serassio <guido.serassio_at_acmeconsulting.it>
Date: Sun, 18 Mar 2012 11:35:52 +0000

Hi Clem,

Currently it seems that a fully working reverse Proxy Open Source solution for Exchange 2007 and 2010 is not available.

Squid is really close to being fully functional, but there are still some problems.
See my comments in this bug: http://bugs.squid-cache.org/show_bug.cgi?id=3141

Currently I'm running a patched Squid 3.1.19 with HTTP 1.1 support enabled in front of an Exchange 2010 Server.
RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry clients is still problematic.

I have also tried to use 3.2, but things seem to be worse: RPC doesn't work at all.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio_at_acmeconsulting.it
WWW: http://www.acmeconsulting.it

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Friday 16 March 2012 11.54
> To: squid-users_at_squid-cache.org
> Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>
> On 14/03/2012 11:32 p.m., Clem wrote:
> > Hello,
> >
> > Ok so I know exactly why squid can't forward ntlm credentials and stops at
> > type1. It's facing the double hop issue, ntlm credentials can be sent only
> > on one hop, and are lost with 2 hops like: client -> squid (hop1) -> IIS6
> > rpc proxy (hop2) -> exchange 2007
> >
> > That's why when I connect directly to my iis6 rpc proxy that works and when
> > I connect through squid that requests login/pass again and again. And we can
> > clearly see that on https analyses.
> >
> > ISA server has a workaround for this double hop issue as I wrote in
> > my last mail, I don't know if squid can act like this.
> >
> > I'm searching atm how to set iis6 perhaps to resolve this problem, but I
> > don't want to "break" my exchange so I've to do my tests very carefully
>
> Cheers. I've added a mention of this to the NTLM issues wiki page now
> for others to find along with the archive of these messages.
>
> Amos
Received on Sun Mar 18 2012 - 11:36:00 MDT
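
The quoted message describes the NTLM handshake stopping at type 1 when the request goes through Squid. As an added example (not code from the thread or from Squid), this Python script reads a saved header capture and reports the highest NTLM message type seen; the two captures and their token bytes are constructed for illustration.

```python
import base64
import re
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Only match a token on the same line as the header name.
HEADER_RE = re.compile(
    r"^((?:Proxy-)?Authorization|(?:WWW|Proxy)-Authenticate):[ \t]*NTLM[ \t]+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def ntlm_message_type(token_b64):
    """Return the NTLMSSP message type (1, 2 or 3), or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return None
    # Every NTLMSSP message starts with an 8-byte signature, then a
    # little-endian 32-bit message type.
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in NTLM_TYPES else None

def handshake_trace(capture):
    """List (header name, message type) for each NTLM token in the capture."""
    return [(m.group(1), ntlm_message_type(m.group(2)))
            for m in HEADER_RE.finditer(capture)]

def stalled_at(capture):
    """Highest message type seen; 3 means the handshake completed."""
    return max((t for _, t in handshake_trace(capture) if t), default=0)

def _token(msg_type):
    # Constructed token: signature + type + zero padding, not a real credential.
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20
    return base64.b64encode(body).decode()

# Constructed captures: a completed handshake, and one that keeps restarting.
DIRECT = (f"Authorization: NTLM {_token(1)}\n"
          f"HTTP/1.1 401 Unauthorized\nWWW-Authenticate: NTLM {_token(2)}\n"
          f"Authorization: NTLM {_token(3)}\nHTTP/1.1 200 OK\n")
VIA_PROXY = (f"Authorization: NTLM {_token(1)}\n"
             "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: NTLM\n"
             f"Authorization: NTLM {_token(1)}\n"
             "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: NTLM\n")

if __name__ == "__main__":
    for name, cap in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(name, "-> reached type", stalled_at(cap), handshake_trace(cap))
```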
