Re: [squid-users] NTLM and transparent/interception confusion

From: Guido Serassio <guido.serassio_at_acmeconsulting.it>
Date: Sat, 03 Jan 2009 11:14:55 +0100

Hi Kinkie,

At 18.45 02/01/2009, Kinkie wrote:
>Could you try to get a network trace of a successfully authenticated
>http transaction?
>I would love to see how they do it...

Websense too is using something similar for filtering:

They maintain an IP Address/Username table on the policy server. The
table can be populated in different ways:
- A logon agent, a little executable running on every client at logon time
- Direct query to the user workstation
- A DC agent that queries DCs for user sessions

There isn't any kind of web browser authentication, and this solution
cannot work with non-Windows clients or machines that are not domain members.
Multiuser terminal server environments cannot be supported, and the WS
policy server should be Windows-based and a domain member for full functionality.

Regards

Guido

>Thanks!
>
>On 1/2/09, Johnson, S <sjohnson_at_edina.k12.mn.us> wrote:
> > That's too bad... I've set up numerous Bluecoat proxies and they do
> > have this capability. But of course, you're paying about $50k usd /
> > box.
> >
> > -----Original Message-----
> > From: Guido Serassio [mailto:guido.serassio_at_acmeconsulting.it]
> > Sent: Thursday, January 01, 2009 4:00 AM
> > To: Johnson, S; squid-users_at_squid-cache.org
> > Subject: Re: [squid-users] NTLM and transparent/interception confusion
> >
> > Hi,
> >
> > At 20.06 31/12/2008, Johnson, S wrote:
> >>I've been doing a lot of reading on this... I've got the proxy working
> >>in either of these two modes:
> >>1) As a browser configuration proxy
> >>2) with http_port 3128 transparent, in redirected mode
> >>
> >>I've got NTLM authentication working just fine with #1 above. However,
> >>with #2 I never get a password prompt. I don't really care about
> >>transparency; I just want to authenticate users that are outbound
> >>without having to configure their browser.
> >>
> >>I asked this question a couple of months back and there are people
> >>stating that they are doing the authentication with transparent mode.
> >>Some of the references I've found in my searches also seem to
> >>corroborate the possibility of this working (but it's not working for
> >>me). However, in the documentation it seems that this should not be
> >>possible. Am I barking up the wrong tree or is this truly possible?
> >
> > You cannot.
> >
> > You are mixing two very different and incompatible things:
> >
> > - Transparent/intercepting proxy
> > - NTLM transparent (silent) authentication, also known as Windows
> > integrated authentication
> > http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7
> >
> > Regards and happy New Year
> >
> > Guido
> >
> >
> >
> > -
> > ========================================================
> > Guido Serassio
> > Acme Consulting S.r.l. - Microsoft Certified Partner
> > Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> > Tel. : +39.011.9530135 Fax. : +39.011.9781115
> > Email: guido.serassio_at_acmeconsulting.it
> > WWW: http://www.acmeconsulting.it/
> >
>
>
>--
> /kinkie

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio_at_acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Sat Jan 03 2009 - 10:15:27 MST
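
The IP address/username table described in the message above, sketched as an added example that is not part of the original post or of Websense or Squid: a lookup helper in the style of a Squid external_acl_type helper fed the client address (%SRC), answering "OK user=<name>" or "ERR". The SessionTable class, its TTL and the sample addresses are hypothetical; the point is that an address with zero or several fresh sessions (the terminal server case) is not attributed to anyone.

```python
import sys
import time

class SessionTable:
    """Hypothetical IP -> logged-on-user table, fed by logon-agent events."""

    def __init__(self, ttl=8 * 3600):          # assumed maximum session age, seconds
        self.ttl = ttl
        self.by_ip = {}                        # ip -> {username: last_seen}

    def logon(self, ip, user, now=None):
        now = time.time() if now is None else now
        self.by_ip.setdefault(ip, {})[user.lower()] = now

    def logoff(self, ip, user):
        self.by_ip.get(ip, {}).pop(user.lower(), None)

    def lookup(self, ip, now=None):
        """Return the user only when exactly one fresh session owns the IP."""
        now = time.time() if now is None else now
        live = [u for u, seen in self.by_ip.get(ip, {}).items()
                if now - seen <= self.ttl]
        # Several users behind one address (terminal server, NAT) cannot be
        # told apart by IP, so refuse to attribute instead of guessing.
        return live[0] if len(live) == 1 else None

def answer(table, line, now=None):
    """Map one helper request line (client IP first) to a helper reply."""
    fields = line.split()
    user = table.lookup(fields[0], now) if fields else None
    return "OK user=%s" % user if user else "ERR"

def serve(table, stdin=sys.stdin, stdout=sys.stdout):
    for line in stdin:
        stdout.write(answer(table, line) + "\n")
        stdout.flush()                         # Squid waits for each reply line

if __name__ == "__main__":
    table = SessionTable()
    table.logon("192.0.2.10", "alice")          # constructed sample logon event
    serve(table)
```

A stale entry is the failure mode to watch: once a workstation is handed to someone else, traffic is logged under the previous user until the entry expires or a logoff event arrives.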