[squid-users] RPC over HTTPS with NTLM in pretty weird setup

From: Toni Van Remortel <toni.van.remortel_at_p-ops.be>
Date: Tue, 2 Feb 2010 11:53:31 +0000

Hi,

We are migrating to Exchange from another Exchange-like product, and I still struggle with NTLM authentication for the remote users with Outlook (RPC over HTTPS).

The setup is:
- Firewall with Squid 2.6.18-1ubuntu3 (manually compiled to enable SSL)
- Exchange in the LAN
- Exchange-like product on the firewall, using Apache2 (still in production)

I found some examples on the net to proxy certain URLs to the local Apache and all others to Exchange.

For laptops, this setup works when I use Basic authentication, but that creates annoying password prompts when the laptop user is in the LAN.

Squid.conf:
        visible_hostname mail.company.com
        persistent_connection_after_error on
        
        ###############################################################################
        # Exchange 2010
        # extensions for Exchange RPC over HTTPS
        extension_methods RPC_IN_DATA RPC_OUT_DATA
        
        # We listen on 195.xxx.xxx.xxx, our primary line
        # mail.company.com.crt is an official certificate
        https_port 195.xxx.xxx.xxx:443 cert=/etc/ssl/keys/mail.company.com.crt key=/etc/ssl/keys/mail.company.com.pem defaultsite=mail.company.com
        # We also listen on 212.xxx.xxx.xxx, a 2nd line for testing ActiveSync on Exchange
        # 212.xxx.xxx.xxx.crt is a self generated certificate
        https_port 212.xxx.xxx.xxx:443 cert=/etc/ssl/keys/212.xxx.xxx.xxx.crt key=/etc/ssl/keys/212.xxx.xxx.xxx.pem defaultsite=212.xxx.xxx.xxx
        
        # localhost has Apache running, 192.168.xxx.xxx is the Exchange Server
        cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/ssl/keys/mail.company.com.pem sslkey=/etc/ssl/keys/mail.company.com.pem name=webServer
        cache_peer 192.168.xxx.xxx parent 443 0 proxy-only no-query no-digest originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER name=exchangeServer
        
        # Send the ActiveSync on the main line to the local Apache for the Exchange-like product, which is still in use
        acl web_url url_regex -i mail.company.com/Microsoft-Server-ActiveSync
        
        # Send the webserver URLs to the webserver
        cache_peer_access webServer allow web_url
        # Send everything else to the Exchange server
        cache_peer_access exchangeServer deny web_url

        # This is to protect ourselves
        never_direct allow web_url
        
        # settings caching and logging
        redirect_rewrites_host_header off
        cache_mem 32 MB
        maximum_object_size_in_memory 128 KB
        cache_log none
        cache_store_log none
        
        # syntax is section,level with no space: "ALL, 8" is read as ALL,1 plus section 8 at level 1
        debug_options ALL,8
        access_log /var/log/squid/access.log squid
        
        ###############################################################################
        # ACL - required to allow
        acl all src 0.0.0.0/0.0.0.0
        
        http_access allow all
        miss_access allow all
        
So far this setup works for ActiveSync via the 2nd line.
Outlook Anywhere (RPC over HTTPS) only gives me this in access.log:
        1265109372.999     23 10.11.11.149 TCP_MISS/401 430 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
        1265109372.999     20 10.11.11.149 TCP_MISS/401 430 RPC_OUT_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html

Any thoughts on this setup?
How to fix NTLM auth for laptop users?

Thanks,

Toni Van Remortel
Received on Tue Feb 02 2010 - 11:53:44 MST
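An added example, not part of the original post: a small Python parser for the native "squid" access_log format quoted above that separates the 401 challenges a normal NTLM handshake produces from a client that only ever receives 401 on RPC_IN_DATA/RPC_OUT_DATA. The log lines are constructed; the first two reproduce the post's entries, the remaining ones are made up for contrast.

```python
import re
from collections import defaultdict

# Native "squid" access_log format, as quoted in the post:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Outlook Anywhere tunnels MAPI over these two long-lived HTTP methods.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

# Constructed sample: lines 1-2 are the post's entries, 3-5 are made up.
SAMPLE_LOG = """\
1265109372.999     23 10.11.11.149 TCP_MISS/401 430 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109372.999     20 10.11.11.149 TCP_MISS/401 430 RPC_OUT_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109380.120     19 10.11.11.150 TCP_MISS/401 430 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer text/html
1265109381.004   1502 10.11.11.150 TCP_MISS/200 8122 RPC_IN_DATA https://mail.company.com/rpc/rpcproxy.dll? - FIRST_UP_PARENT/exchangeServer application/rpc
1265109382.310     45 10.11.11.150 TCP_MISS/200 910 POST https://mail.company.com/Microsoft-Server-ActiveSync - FIRST_UP_PARENT/webServer text/html
"""

def parse_line(line):
    """Return the fields of one native-format access.log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def rpc_auth_summary(lines):
    """Per client: RPC_IN/OUT_DATA requests answered 401 vs. actually served.
    One 401 per connection is the expected NTLM challenge; a client with
    only 401s never got past it, i.e. the handshake is not completing
    through the proxy."""
    summary = defaultdict(lambda: {"401": 0, "served": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in RPC_METHODS:
            continue
        summary[rec["client"]]["401" if rec["status"] == 401 else "served"] += 1
    return dict(summary)

def stuck_clients(lines):
    """Clients whose every RPC-over-HTTPS request ended in 401."""
    return sorted(c for c, n in rpc_auth_summary(lines).items()
                  if n["401"] and not n["served"])
```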