[isalist] Re: NTLM proxy authentication with Linux

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Aug 2006 11:57:51 +1000

http://www.ISAserver.org
-------------------------------------------------------
Not sure whether it's the limitation of my single-NIC solution or not, but that doesn't work.


If I untick the "require all users..." button, then any users in that group (AD users group) are allowed unauthenticated access.

Greg


----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 08, 2006 11:31 AM
Subject: [isalist] Re: NTLM proxy authentication with Linux



http://www.ISAserver.org
-------------------------------------------------------

Nope.
You can have authentication without forcing it at the listener.
It's called "user-based rules".


-------------------------------------------------------
  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Monday, August 07, 2006 16:21
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: NTLM proxy authentication with Linux


http://www.ISAserver.org
-------------------------------------------------------

Then my authentication group, which is a requirement, becomes null and void as the authentication isn't checked, so that doesn't work for me.

Greg
----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 08, 2006 1:11 AM
Subject: [isalist] Re: NTLM proxy authentication with Linux


http://www.ISAserver.org
-------------------------------------------------------

Disable "require all users..." on the outbound web listener.
If you can't, then you can't have anonymous traffic through it.

-------------------------------------------------------
  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Sunday, August 06, 2006 22:40
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] NTLM proxy authentication with Linux


This drives me nuts, wonder if anyone can help on a work around!

Internal network - all web access is authenticated (company policy -
documented fair use policy in effect, user gets access when signed off by
manager etc...)

ISA 2000 (single NIC) box is deployed JUST to allow SSO authentication with
IE (and now Firefox!!! YAY) via NTLM auth.  Basic auth is not an option
because of the obvious security implications of having everyone's domain
account credentials on the wire in clear text.

proxy.domainname.com:8080 is the proxy setting for all clients.  Direct http
outbound is not available (duh!)

So now I have a new requirement.  I have two LAN-based Linux machines that
need outbound HTTP connections to get updates (normally I use APS on my
machine to do the auth for them and allow them unauthenticated proxy access,
but I need it permanently for a Nagios check, so that is not exactly
production worthy).

Now NTLM is a proprietary protocol, so if anyone says anything about lack of
support for it being the cause of my problems, I will personally rip them a
new ahole.  Unfortunately, it is also the only protocol that provides a
level of security for the authentication process, and hence will continue to
be our authentication method of choice.

So I SIMPLY wanted to add another rule above the normal one (the one that allows
authenticated HTTP access via the proxy) that says: for these IPs, allow
outbound HTTP without authentication.

I can't use 'Direct Access' because I need access to ALL sites from CERTAIN
hosts unauthenticated.

To work around it I have poked a hole in the firewall to get the machines
out directly.

Oh, how I'd love to assign proxy access on a per-rule basis!! Or per-group basis!

Anyone got any suggestions?

And before you say it: if I uncheck the box (that says require
authentication) on the web proxy filter, then anon connections are allowed.
(The condition of being a member of the group WEBPROXY Users is not checked,)
so it doesn't work!

Greg

All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx


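The requirement that runs through this thread is that the outbound web listener must keep challenging every client and must offer only NTLM, never Basic (Basic puts domain account credentials on the wire in clear text). Below is an added example, not part of the thread and not ISA Server's own code: a POSIX shell function that classifies a proxy's response headers into "still challenging, NTLM/Negotiate only", "Basic offered", or "no challenge at all (anonymous access open)", which is the kind of check Greg's Nagios setup would want. The proxy host and port are the ones named in the post; the sample responses are constructed, not captured from anyone's server; the curl command in the comment is an assumption about how the headers would be collected for a live check.

```shell
#!/bin/sh
# Added example (not from the thread or from ISA Server): classify the
# authentication challenge an outbound web proxy returns, so a Nagios-style
# check can confirm two things at once:
#   1. the listener still challenges (HTTP 407), i.e. anonymous access is closed;
#   2. only NTLM/Negotiate is offered, never Basic.
#
# For a live check (assumed usage), capture the headers with curl and pass them in:
#   hdrs=$(curl -s -D - -o /dev/null -x http://proxy.domainname.com:8080 http://www.example.com/)
#   classify_proxy_challenge "$hdrs"
# proxy.domainname.com:8080 is the proxy named in the thread; www.example.com is
# a placeholder origin. The SAMPLE_* responses below are constructed, not captured.

classify_proxy_challenge() {
    # Normalise CRLF line endings so the header parsing below is predictable.
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')

    # Status code from the first line, e.g. "HTTP/1.1 407 Proxy Authentication Required".
    status=$(printf '%s\n' "$hdrs" \
        | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')

    if [ "$status" != "407" ]; then
        # No challenge: the proxy answered without asking who we are, so
        # authentication is not being enforced for this client.
        echo "no-challenge"
        return 0
    fi

    # One scheme name per line, lower-cased, from every Proxy-Authenticate
    # header (a proxy typically sends one header per offered scheme).
    schemes=$(printf '%s\n' "$hdrs" \
        | grep -i '^Proxy-Authenticate:' \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | awk '{ print tolower($1) }')

    if printf '%s\n' "$schemes" | grep -qx 'basic'; then
        # Basic is on offer: a client that falls back to it sends cleartext credentials.
        echo "basic-offered"
        return 0
    fi

    # At least one scheme offered, and every offered scheme is NTLM or Negotiate.
    if [ -n "$schemes" ] && \
       ! printf '%s\n' "$schemes" | grep -qvx -e 'ntlm' -e 'negotiate'; then
        echo "ntlm-only"
        return 0
    fi

    echo "other"
}

# Constructed sample responses (not real captures).
SAMPLE_NTLM_ONLY='HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
Proxy-Connection: close
Content-Length: 0'

SAMPLE_BASIC='HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="proxy.domainname.com"
Content-Length: 0'

SAMPLE_ANON='HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 0'

printf 'NTLM-only sample : %s\n' "$(classify_proxy_challenge "$SAMPLE_NTLM_ONLY")"
printf 'Basic sample     : %s\n' "$(classify_proxy_challenge "$SAMPLE_BASIC")"
printf 'anonymous sample : %s\n' "$(classify_proxy_challenge "$SAMPLE_ANON")"
```

Only "ntlm-only" should be treated as OK by a monitoring check; "no-challenge" means the listener has effectively been opened to anonymous use (the failure mode described when "require all users..." is unticked), and "basic-offered" means a fallback path exists that would expose domain passwords. Note that the function judges what the proxy offers, not what a client actually negotiates; a client configured to prefer Basic can still leak credentials against a server that merely lists it.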