http://www.ISAserver.org
-------------------------------------------------------

"Silly Bugger Sysadmin" syndrome...

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, August 07, 2006 08:15
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: NTLM proxy authentication with Linux

He "poked a hole in the firewall"

Ipecac time.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, August 07, 2006 10:11 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: NTLM proxy authentication with Linux
>
> Disable "require all users..." on the outbound web listener.
> If you can't, then you can't have anonymous traffic through it.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: Sunday, August 06, 2006 22:40
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] NTLM proxy authentication with Linux
>
> This drives me nuts, wonder if anyone can help on a work around!
>
> Internal network - all web access is authenticated (company policy -
> document fair use policy in effect, user gets access when signed off
> by manager etc...)
>
> ISA 2000 (single nic) box is deployed JUST to allow SSO authentication
> with IE (and now firefox!!! YAY) via NTLM auth. Basic auth is not an
> option because of the obvious security implications of having
> everyone's domain account credentials on the wire in clear text
>
> proxy.domainname.com:8080 is the proxy setting for all clients.
> Direct http outbound is not available (duh!)
>
> So now I have a new requirement. I have two LAN based Linux machines
> that need outbound http connections to get updates (normally - I use
> APS on my machine to do the auth for them and allow them an unauth'ed
> proxy access, but I need it permanently for a nagios check, so that is
> not exactly production worthy).
>
> Now NTLM is a proprietary protocol, so if anyone says anything about
> lack of support for it being the cause of my problems, I will
> personally rip them a new ahole. Unfortunately - it is also the only
> protocol that provides a level of security for the authentication
> process, and hence will continue to be our authentication method of
> choice.
>
> So I SIMPLY wanted to add another rule above the normal one that
> allows authenticated http access via the proxy that says for these
> IPs, allow outbound http without authentication.
>
> I can't use 'Direct Access' because I need access to ALL sites from
> CERTAIN hosts unauthenticated.
>
> To work around it I have poked a hole in the firewall to get the
> machines out directly.
>
> Oh how I'd love to assign proxy access on a per rule basis!!
> or group basis!
>
> Anyone got any suggestions?
>
> And before you say it, if I uncheck the box (that says require
> authentication) on the web proxy filter, then anon connections are
> allowed. (The condition of being a member of the group WEBPROXY Users
> is not checked) so it doesn't work!
>
> Greg
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
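
Added example, not part of the original thread and not ISA Server's own logic: a simplified model of ordered proxy rules, showing why a listener-wide authentication requirement makes a source-based anonymous exception unreachable, while rule-level authentication keeps the group check for everyone else. The `Rule` class, the `decide` function, the rule names and the 192.0.2.x addresses are constructed assumptions; only the group name comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple          # CIDR strings; empty tuple means any source
    group: Optional[str]    # None means the rule also applies to anonymous requests

    def source_matches(self, client_ip: str) -> bool:
        ip = ip_address(client_ip)
        return not self.sources or any(ip in ip_network(n) for n in self.sources)


def decide(rules, client_ip, user_groups=None, listener_requires_auth=False):
    """Return (http_status, deciding_rule). user_groups=None is an anonymous request."""
    # Listener-wide authentication is enforced before any rule is consulted,
    # so an anonymous source-based exception can never be reached.
    if listener_requires_auth and user_groups is None:
        return 407, "listener"
    for rule in rules:
        if not rule.source_matches(client_ip):
            continue
        if rule.group is None:
            return 200, rule.name
        if user_groups is None:
            # The rule needs an identity: challenge rather than fall through.
            return 407, rule.name
        if rule.group in user_groups:
            return 200, rule.name
    return 403, "default-deny"


# Constructed policy: two update hosts (documentation addresses) above the user rule.
RULES = [
    Rule("linux-updaters", ("192.0.2.10/32", "192.0.2.11/32"), None),
    Rule("authenticated-users", (), "WEBPROXY Users"),
]

if __name__ == "__main__":
    print(decide(RULES, "192.0.2.10", listener_requires_auth=True))  # exception unreachable
    print(decide(RULES, "192.0.2.10"))                               # exception applies
    print(decide(RULES, "192.0.2.50"))                               # others still challenged
```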