On 27/03/2013 7:02 a.m., Damir Reic wrote:
> I can't find thorough info about what is implemented in squid 3, so I would
> like to know whether this is implemented:
>
> 1) Sharepoint from outside with squid proxy acting as http proxy with NTLM
> support
This is very unlikely to work. ... NTLM auth's proper name is "LAN Manager 
authentication" - this is authentication for *LAN* management. Using it 
over the Internet varies from erratic success/fail to complete failure. 
Squid requires some horribly nasty hacks which greatly reduce the 
performance just to relay NTLM traffic around the LAN. Requiring every 
network admin in the world to also compromise good performance in order 
to let your Sharepoint traffic pass through them is not realistic - you 
will always encounter networks which require high HTTP performance.
... the best thing you can do is to upgrade to Negotiate/Kerberos 
instead of wasting time trying to get NTLM working on the WAN. It still 
requires some performance reduction, but not nearly as many high-impact 
problems as NTLM.
> 2) Outlook anywhere - RPC over HTTPS with NTLM auth
#1 RPC is a protocol using HTTP message structure and ports. It is not 
explicitly implemented by Squid but since it uses HTTP messaging 
structure Squid handles it as HTTP.
However that is dependent on exactly which "squid 3" version you are 
talking about. HTTP/1.1 feature support has been progressively added 
from Squid-2.6 onwards and finally achieved sufficient feature 
capabilities for 3.2+ to advertise themselves as HTTP/1.1 enabled. The 
impact of this on RPC behaviour has at times been problematic as RPC 
services required features not presented by older Squid or failed to 
properly support features required by HTTP/1.1 used by Squid.
For instance, recent Sharepoint software versions have been found to 
*assume* and *require* that all proxies in existence support HTTP/1.1 
features which are not supported by the common Squid-3.1 and older 
installations.
#2 NTLM auth does *not* play nicely with HTTP. Its replacement 
Negotiate plays a lot nicer but still violates several critical HTTP 
requirements. They are supported in HTTP proxies like Squid by use of 
code hacks which break HTTP behaviour. As we have improved the code and 
tried to make Squid follow correct HTTP behaviour properly sometimes the 
HTTP changes have broken these auth schemes and required re-fixing the code 
doing those hacks.
Sorry for the rant-like text, but that is the situation. If possible 
please use the latest Squid-3 release for best behaviour. It almost 
completely works for both NTLM and Negotiate with the currently popular 
Sharepoint versions. (There is one more fix in QA right now for both 
Negotiate and NTLM, and I can't speak for any future discoveries).
> 3) Can I use multiple SSL certificates for proxy like I can do in apache?
How do you do it in Apache? What version of Apache? What version of 
Squid? Can you change your version of Squid if it is too old? This is 
critical information which you have omitted.
Amos
Received on Wed Mar 27 2013 - 04:10:59 MDT
This archive was generated by hypermail 2.2.0 : Wed Mar 27 2013 - 12:00:13 MDT
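The reply above says NTLM "does not play nicely with HTTP" and that relaying it costs a proxy performance, without spelling out why. The toy model below is an added illustration, not code from Squid or from either poster: it models only the one NTLM property that matters here, that the Type 2 challenge is bound to the TCP connection that issued it, and contrasts a proxy that pools upstream connections (ordinary HTTP behaviour) with one that pins each client connection to a dedicated upstream connection. The server, proxy, request shapes, nonces and client names are constructed stand-ins.

```python
"""Toy model of why a connection-oriented auth scheme (NTLM) conflicts with
an HTTP proxy that treats upstream connections as interchangeable.

Added illustration, not code from Squid or from the mailing-list thread.  The
three-leg shape (Type 1 negotiate -> Type 2 challenge -> Type 3 response, with
the challenge bound to the TCP connection that issued it) is NTLM's real
structure; everything else below is a constructed stand-in for that property.
"""
from collections import deque
from dataclasses import dataclass
from itertools import count
from typing import List, Optional, Tuple


@dataclass
class Request:
    path: str
    auth: Optional[str] = None     # None, "T1" (negotiate) or "T3" (response)
    nonce: Optional[int] = None    # the Type 2 challenge that a T3 answers


@dataclass
class Response:
    status: int
    challenge: Optional[int] = None


class NtlmOriginServer:
    """Keeps handshake state per upstream TCP connection, as NTLM does."""

    def __init__(self) -> None:
        self.seen = set()           # every upstream connection id observed
        self.challenges = {}        # conn_id -> nonce issued on that connection
        self.authenticated = set()  # conn_ids whose handshake completed
        self._nonces = count(1000)  # constructed challenge values

    def handle(self, conn_id: int, req: Request) -> Response:
        self.seen.add(conn_id)
        if conn_id in self.authenticated:
            return Response(200)
        if req.auth == "T1":
            nonce = next(self._nonces)
            self.challenges[conn_id] = nonce
            return Response(401, challenge=nonce)
        if req.auth == "T3" and self.challenges.get(conn_id) == req.nonce:
            self.authenticated.add(conn_id)
            return Response(200)
        return Response(401)        # no credentials, or handshake out of sequence


class Proxy:
    """Relays client requests to the origin over upstream connections.

    pinning=False: ordinary HTTP behaviour; any idle upstream connection may
    carry any request (round-robin over a small pool here).
    pinning=True: the workaround NTLM forces on a proxy; each client
    connection gets a dedicated upstream connection that nothing else shares.
    """

    def __init__(self, server: NtlmOriginServer, pinning: bool,
                 pool_size: int = 2) -> None:
        self.server = server
        self.pinning = pinning
        self.pool = deque(range(pool_size))
        self.pinned = {}            # client_conn -> dedicated upstream conn_id
        self._next_conn = count(pool_size)

    def forward(self, client_conn: str, req: Request) -> Response:
        if self.pinning:
            conn_id = self.pinned.setdefault(client_conn, next(self._next_conn))
        else:
            conn_id = self.pool[0]
            self.pool.rotate(-1)    # next request goes out on the next pooled connection
        return self.server.handle(conn_id, req)


def client_handshake(proxy: Proxy, client_conn: str, path: str = "/owa") -> int:
    """Drive the three-leg handshake through the proxy; return the final status."""
    r = proxy.forward(client_conn, Request(path))
    if r.status == 200:
        return 200
    r = proxy.forward(client_conn, Request(path, auth="T1"))
    if r.challenge is None:
        return r.status             # never received a Type 2 challenge
    r = proxy.forward(client_conn, Request(path, auth="T3", nonce=r.challenge))
    return r.status


def run_clients(pinning: bool, n_clients: int = 3) -> Tuple[List[int], int]:
    """Authenticate n clients through one proxy.  Returns their final statuses
    and how many distinct upstream connections the origin saw, which is the
    cost of pinning: one upstream connection per client, none shared."""
    server = NtlmOriginServer()
    proxy = Proxy(server, pinning=pinning)
    statuses = [client_handshake(proxy, f"client-{i}") for i in range(n_clients)]
    return statuses, len(server.seen)


if __name__ == "__main__":
    print("pooled :", run_clients(pinning=False))  # T3 lands on the wrong connection
    print("pinned :", run_clients(pinning=True))   # succeeds, but no connection reuse
```

With pooling, the Type 3 response is forwarded on a different upstream connection from the one that issued the challenge, so the origin rejects every handshake; with pinning every handshake succeeds, but the origin sees one upstream connection per client and the proxy gives up connection sharing entirely. That trade is the "performance reduction" the reply refers to. The model does not cover Negotiate/Kerberos, whose tokens are built differently, and says nothing about how any particular Squid release implements pinning.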