[isalist] Re: NTLM proxy authentication with Linux

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Aug 2006 08:17:32 -0700

http://www.ISAserver.org
-------------------------------------------------------

"Silly Bugger Sysadmin" syndrome... 


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Monday, August 07, 2006 08:15
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: NTLM proxy authentication with Linux

http://www.ISAserver.org
-------------------------------------------------------
  
He "poked a hole in the firewall"

Ipecac time.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, August 07, 2006 10:11 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: NTLM proxy authentication with Linux
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>   
> Disable "require all users..." on the outbound web listener. 
> If you can't, then you can't have anonymous traffic through it.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: Sunday, August 06, 2006 22:40
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] NTLM proxy authentication with Linux
> 
> 
> This drives me nuts; wonder if anyone can help on a workaround!
>  
> Internal network - all web access is authenticated (company policy - 
> documented fair use policy in effect, user gets access when signed off 
> by manager etc...)
>  
> ISA 2000 (single NIC) box is deployed JUST to allow SSO authentication 
> with IE (and now Firefox!!! YAY) via NTLM auth.  Basic auth is not an 
> option because of the obvious security implications of having 
> everyone's domain account credentials on the wire in clear text.
>  
> proxy.domainname.com:8080 is the proxy setting for all clients.  
> Direct http outbound is not available (duh!)
>  
> So now I have a new requirement.  I have two LAN-based Linux machines 
> that need outbound http connections to get updates (normally I use 
> APS on my machine to do the auth for them and allow them unauth'ed 
> proxy access, but I need it permanently for a Nagios check, so that is 
> not exactly production-worthy).
>  
> Now NTLM is a proprietary protocol, so if anyone says anything about 
> lack of support for it being the cause of my problems, I will 
> personally rip them a new ahole.  Unfortunately, it is also the only 
> protocol that provides a level of security for the authentication 
> process, and hence will continue to be our authentication method of 
> choice.
>  
> So I SIMPLY wanted to add another rule above the normal one that 
> allows authenticated http access via the proxy, saying: for these 
> IPs, allow outbound http without authentication.
>  
> I can't use 'Direct Access' because I need access to ALL sites from 
> CERTAIN hosts unauthenticated.
>  
> To work around it I have poked a hole in the firewall to get the 
> machines out directly.
>  
> Oh how I'd love to assign proxy access on a per-rule basis!! 
> Or on a group basis!
>  
> Anyone got any suggestions?
>  
> And before you say it: if I uncheck the box (that says require 
> authentication) on the web proxy filter, then anon connections are 
> allowed (the condition of being a member of the group WEBPROXY Users 
> is not checked), so it doesn't work!
>  
> Greg
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 