Hi Prasanta,
This helps very much. It is an interesting option. And it led me to a new
problem, and I don't understand why it is happening.
When I changed this, Squid didn't deny any connection.
But the user still couldn't connect.
The strange thing here was that the firewall discovered that the user's PC
tried to connect first through squid (and could do it), but then tried to
connect DIRECTLY to port 1863 of 207.46.104.20 (and the connection was
denied). We had to give him access to this port via the firewall, and
even NAT translation.
Why does it try to connect DIRECTLY? I guess this is not on this list's
scope anymore. It may be something purely about MSN...
Anyway, if anybody knows the answer I'd like to know.
Thanks for all your help.
Regards,
--Claudio
>From: "Prasanta kumar Panda" <prasanta.kumar@wipro.com>
>To: "Claudio Alonso" <cfa71@hotmail.com>, <GDominguez@mteliza.com.au>,
><squid-users@squid-cache.org>
>Subject: RE: [squid-users] MSN Messenger an wb_ntlmauth
>Date: Thu, 20 Mar 2003 20:18:33 +0530
>
>
>MSN supports authentication?
>
>For me it didn't work either through basic or NTLM. Contacted MSN support
>but they didn't reveal the same.
>
>
>#Finally I created an acl for all the clients that required MSN access, with their IP address
>
>acl msoft_msn src 10.10.10.10 10.10.10.11
>
>#Create an acl for MSN destination
>
>acl msn dst 207.46.104.20 207.46.110.0/24
>
>#Combined both
>
>http_access allow msoft_msn msn
>
>
>
>So that only msn access will not ask for authentication, rest of all as
>usual.
>
>Reg.
>Prasanta
>
>
>-----Original Message-----
>From: Claudio Alonso [mailto:cfa71@hotmail.com]
>Sent: Thursday, March 20, 2003 7:33 PM
>To: GDominguez@mteliza.com.au; squid-users@squid-cache.org
>Subject: Re: [squid-users] MSN Messenger an wb_ntlmauth
>
>
>Hello, George.
>Thanks for your answer. Sadly, your suggestion didn't work. This was almost
>the same way we had MSN messenger configured here, and changing the
>difference didn't work.
>I have to say that because of firewall rules, users aren't allowed to access
>the external world without a proxy. We made a temporary rule in the firewall
>for one user to be able to get out directly (but configured his wks to use
>the proxy) and he could connect, but it seems that when messenger realizes
>that it can't connect through the proxy, it tries the direct connection. As you
>could expect, when we deleted this rule in the firewall, the user wasn't
>able to connect anymore.
>I'm pretty sure that the problem is in the configuration file I have in my
>squid server. I'll try to figure it out and if I solve it I'll let you know.
>Thanks again!
>Any additional help would be appreciated.
>Kind regards,
>
>--Claudio
>
> >From: "George Dominguez" <GDominguez@mteliza.com.au>
> >To: squid-users@squid-cache.org
> >Subject: Re: [squid-users] MSN Messenger an wb_ntlmauth
> >Date: Thu, 20 Mar 2003 10:08:19 +1100
> >
> >
 > >This is just a clue! But this is how we got msn working in the students'
 > >lab:
> >
> >Change the msn connections to HTTP proxy, port 3128, server x.x.x.x
> >(open msn messenger window, click Tools, Options, Connections Tab),
> >click ok and exit out..
> >
> >On the desktop, right click Network places, click properties, right
> >click Local Area Network, select properties, select TCP/IP protocol,
> >select properties, select advanced, click on WINS tab, Click on Enable
> >LMHosts lookup. click ok to get out.
> >
 > >Make this entry in the wks hosts file:
 > >207.46.104.20 messenger.hotmail.com #207.46.104.20:1863
> >
 > >Shutdown, restart and login, open MSN messenger, tools, options, ensure
 > >connections are HTTP proxy, port 3128, server x.x.x.x, click ok.
> >
> >Good luck
> >
> >Regards
> >George
 > >
 > >"Claudio Alonso" <cfa71@hotmail.com>, 19/03/2003 12:50 PM
 > >To: squid-users@squid-cache.org
 > >cc:
 > >Subject: Re: [squid-users] MSN Messenger an wb_ntlmauth
 > >
> >Sorry, I forgot to say...
> >I'm using squid-2.5.STABLE1 on a Sun Solaris 8.
> >Thanks again,
> >
> >--Claudio
> >
> >
> > >From: "Claudio Alonso" <cfa71@hotmail.com>
> > >To: squid-users@squid-cache.org
> > >Subject: [squid-users] MSN Messenger an wb_ntlmauth
> > >Date: Wed, 19 Mar 2003 09:55:48 -0300
> > >
> > >Hello everybody!
 > > >I finally got squid with wb_ntlmauth working perfectly. Only the users that
 > > >belong to the group InternetSquid (in the Win NT domain) can access
 > > >the web. But now I need to give some users access to MSN Messenger.
 > > >If I disable wb_ntlmauth, all the users can use Messenger.
 > > >If I give some users direct access (I mean IP validation previous to
 > > >wb_ntlmauth), they can use Messenger.
 > > >But I need to do it based on the user's group.
 > > >Besides, if I look at the log file, I see that squid usually gets domain
 > > >and username from the computers that are accessing with Internet Explorer
 > > >(and also with Netscape and Mozilla via basic authentication). But when
 > > >they try to access MSN via MSN Messenger, they don't inform the user data
 > > >(at least, it doesn't show in the log file). I think Messenger is properly
 > > >configured (it's configured with proxy address, username and password), so
 > > >the problem may be in my configuration file.
 > > >Can anybody give me a clue?
> > >I'm copying the entries from my squid.conf file.
> > >Thanks in advance,
> > >
> > >--Claudio
> > >
> > >
> > >#squid.conf begins
> > >
> > >http_port 8080
> > >hierarchy_stoplist cgi-bin ?
> > >acl QUERY urlpath_regex cgi-bin \?
> > >no_cache deny QUERY
> > >cache_dir ufs /usr/local/squid/var/cache 100 16 256
> > >auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
> > >auth_param ntlm children 15
> > >auth_param ntlm max_challenge_reuses 0
> > >auth_param ntlm max_challenge_lifetime 2 minutes
> > >auth_param basic program /usr/local/squid/libexec/wb_auth
> > >auth_param basic children 15
> > >auth_param basic realm Squid proxy-caching web server
> > >auth_param basic credentialsttl 2 hours
 > > >external_acl_type wbinfo_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
> > >refresh_pattern ^ftp: 1440 20% 10080
> > >refresh_pattern ^gopher: 1440 0% 1440
> > >refresh_pattern . 0 20% 4320
> > >acl all src 0.0.0.0/0.0.0.0
> > >acl manager proto cache_object
> > >acl localhost src 127.0.0.1/255.255.255.255
> > >acl to_localhost dst 127.0.0.0/8
> > >acl SSL_ports port 443 563
> > >acl Safe_ports port 80 # http
> > >acl Safe_ports port 21 # ftp
> > >acl Safe_ports port 443 563 # https, snews
> > >acl Safe_ports port 70 # gopher
> > >acl Safe_ports port 210 # wais
> > >acl Safe_ports port 1025-65535 # unregistered ports
> > >acl Safe_ports port 280 # http-mgmt
> > >acl Safe_ports port 488 # gss-http
> > >acl Safe_ports port 591 # filemaker
> > >acl Safe_ports port 777 # multiling http
> > >acl CONNECT method CONNECT
> > >acl internet-group external wbinfo_group InternetSquid
> > >http_access allow manager localhost
> > >http_access deny manager
> > >http_access deny !Safe_ports
> > >http_access deny CONNECT !SSL_ports
> > >http_access allow internet-group
> > >http_access deny all
> > >http_reply_access allow all
> > >icp_access allow all
> > >visible_hostname SquidProxy
> > >coredump_dir /usr/local/squid/var/cache
> > >
> > >#squid.conf finishes
> > >
Received on Thu Mar 20 2003 - 08:46:08 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:11 MST
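
The rule-ordering effect discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of Squid's first-match `http_access` evaluation, using the ACL names and addresses quoted above. The evaluator, its function names and the 192.0.2.80 test destination are assumptions made for illustration; it models only `src`, `dst` and the group check, not real NTLM negotiation or port ACLs.

```python
import ipaddress

# ACL values are the ones quoted in the thread. "auth" stands in for the
# external wbinfo_group ACL, which needs a login (%LOGIN) before it can match.
ACLS = {
    "msoft_msn": ("src", ["10.10.10.10", "10.10.10.11"]),
    "msn": ("dst", ["207.46.104.20", "207.46.110.0/24"]),
    "internet-group": ("auth", "InternetSquid"),
    "all": ("src", ["0.0.0.0/0"]),
}

# Two orderings of the same three http_access lines.
EXEMPT_FIRST = [
    ("allow", ["msoft_msn", "msn"]),
    ("allow", ["internet-group"]),
    ("deny", ["all"]),
]
AUTH_FIRST = [EXEMPT_FIRST[1], EXEMPT_FIRST[0], EXEMPT_FIRST[2]]


def _in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def decide(rules, src, dst, groups=None):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for one request.

    groups is None when the client sent no proxy credentials.
    """
    for action, names in rules:
        matched = True
        for name in names:  # ACLs on one line are ANDed, left to right
            kind, value = ACLS[name]
            if kind == "auth":
                if groups is None:
                    return "challenge"  # rule needs a login the client never sent
                matched = value in groups
            else:
                matched = _in_nets(src if kind == "src" else dst, value)
            if not matched:
                break
        if matched:
            return action  # first matching line decides
    return "deny"  # not reached here: the final "deny all" always matches
```

Because the exemption is keyed on source IP alone, any host that can take 10.10.10.10 or 10.10.10.11 reaches the listed MSN addresses without authenticating, so both ACLs should stay as narrow as the thread shows.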