RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Clem <clemfree_at_free.fr>
Date: Tue, 3 Apr 2012 13:34:12 +0200

Hi,

My report with windows7 -> squid -> outlook anywhere with NTLM

I have to modify the Windows7 local policies for LAN Manager to -> LM and NTLM only; by default Windows7 sends NTLMv2 only, and squid handles only LM. When I chose NTLM only, that doesn't work either.

On top of that, I have to disable the "connect only to server proxy certificate that use this principal (common) name : msstd : externalfqdn" option in the HTTP PROXY settings of Outlook (2007/2010).

With these two settings I can connect to my Exchange via squid, but it's not very easy ... My goal is to not modify parameters on my external laptop clients...

When these options aren't modified, the issue is clearly the same: two TCP_MISS 200 messages and nothing, and "server is unavailable". Even in http1.0 or http1.1; I've tested with 2.7 (http11 option), 3.1.19 (http 1.0) and 3.2.0.16 (http1.1)

How can squid send NTLMv2 sequences? How can squid fake a "msstd: CN" message?

Squid can work with XP natively, but with Windows7 it's not so simple :/

Regards

Clem

-----Original Message-----
From: Clem [mailto:clemfree_at_free.fr]
Sent: Monday, 2 April 2012 16:20
To: squid-users_at_squid-cache.org
Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Does the FRONT_END_HTTPS cache_peer setting make any change to that flag's behaviour?

Whether I write this option in cache_peer or not, no change ...

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, 2 April 2012 16:00
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 3/04/2012 1:33 a.m., Clem wrote:
> Re,
>
> I've found the option that generates the issue only with Windows7: in the Outlook proxy HTTP settings window, we have this checked automatically: connect only to server proxy certificate that use this principal (common) name :
> Msstd : externalfqdn
>
> When I uncheck this option, my Outlook (2007/2010) can connect through squid with NTLM to my Exchange via Outlook Anywhere. If it's checked I've got a: server is unavailable.
> In windows XP, checked or not, that works.
>
> By the way, after connection to exchange succeed in w7, that option rechecks itself automatically ...
>
> The point is, why ? Maybe windows7 is more paranoid with certificate ??
>
> Have you an idea ?

Strange. Smells like a bug in Windows7 or a domain policy being pushed out.

Does the FRONT_END_HTTPS cache_peer setting make any change to that flag's behaviour?

Amos
Received on Tue Apr 03 2012 - 11:34:20 MDT
