[isalist] NTLM proxy authentication with Linux

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Aug 2006 15:40:15 +1000


This drives me nuts, wonder if anyone can help on a work around!

Internal network - all web access is authenticated (company policy - document 
fair use policy in effect, user gets access when signed off by manager etc...)

ISA 2000 (single NIC) box is deployed JUST to allow SSO authentication with IE 
(and now Firefox!!! YAY) via NTLM auth.  Basic auth is not an option because of 
the obvious security implications of having everyone's domain account 
credentials on the wire in clear text.

proxy.domainname.com:8080 is the proxy setting for all clients.  Direct http 
outbound is not available (duh!)

So now I have a new requirement.  I have two LAN based Linux machines that need 
outbound http connections to get updates (normally I use APS on my machine to 
do the auth for them and allow them unauth'ed proxy access, but I need it 
permanently for a Nagios check, so that is not exactly production worthy).

Now NTLM is a proprietary protocol, so if anyone says anything about lack of 
support for it being the cause of my problems, I will personally rip them a new 
ahole.  Unfortunately, it is also the only protocol that provides a level of 
security for the authentication process, and hence will continue to be our 
authentication method of choice.

So I SIMPLY wanted to add another rule above the normal one that allows 
authenticated http access via the proxy that says: for these IPs, allow outbound 
http without authentication.

I can't use 'Direct Access' because I need access to ALL sites from CERTAIN 
hosts unauthenticated.

To work around it I have poked a hole in the firewall to get the machines out 
directly.

Oh how I'd love to assign proxy access on a per rule basis!! Or group basis!

Anyone got any suggestions?

And before you say it: if I uncheck the box (that says require authentication) 
on the web proxy filter, then anon connections are allowed (the condition of 
being a member of the group WEBPROXY Users is not checked), so it doesn't work!

Greg
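The alternative to poking a firewall hole is to make the Linux boxes speak NTLM to the proxy themselves, as APS does on Greg's workstation. The block below is an added example, not code from the post, from ISA Server or from APS: it builds the three NTLM messages a client sends in `Proxy-Authorization: NTLM ...` headers (Type 1 negotiate, Type 2 challenge from the proxy, Type 3 authenticate with an NTLMv2 response) and the check the proxy performs on the Type 3, using a pure-Python MD4 because `hashlib` frequently lacks it on OpenSSL 3. The user, domain, password, workstation name, challenge bytes and the fake proxy's target info are all constructed values chosen for illustration; the only external reference is the NTOWFv2 test vector from the MS-NLMP specification (user `User`, domain `Domain`, password `Password`). It runs offline and illustrates why NTLM is preferred over Basic here: the password never crosses the wire, only HMAC-MD5 proofs over fresh challenges.

```python
"""Added example: NTLM (NTLMv2) proxy handshake, both client and proxy sides.
All names, challenge values and target info are constructed for illustration."""
import base64
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF
# UNICODE | OEM | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY
NEG_FLAGS = 0x00088207
SIG = b"NTLMSSP\x00"


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable)."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,...
                f, k, s, add = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i % 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H, words 0,8,4,12,2,10,...
                f, k, s, add = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i % 16], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + x[k] + add) & MASK, s), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what the DC/proxy stores."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5(NT hash, UPPER(user) + domain) in UTF-16LE."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def type1(flags: int = NEG_FLAGS) -> bytes:
    """NEGOTIATE_MESSAGE with empty domain/workstation fields (32 bytes)."""
    return SIG + struct.pack("<II", 1, flags) + b"\x00" * 16


def av_pairs(pairs) -> bytes:
    """Target info as AV_PAIR list terminated by MsvAvEOL."""
    out = b""
    for av_id, text in pairs:
        v = text.encode("utf-16le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def type2(server_challenge: bytes, target_name: str, target_info: bytes) -> bytes:
    """CHALLENGE_MESSAGE as the proxy would send it (payload starts at offset 48)."""
    name = target_name.encode("utf-16le")
    return (SIG + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
            + struct.pack("<I", NEG_FLAGS | 0x00010000) + server_challenge + b"\x00" * 8
            + struct.pack("<HHI", len(target_info), len(target_info), 48 + len(name))
            + name + target_info)


def parse_type2(msg: bytes):
    """Client side: pull the 8-byte server challenge and the target info blob."""
    assert msg[:8] == SIG and struct.unpack_from("<I", msg, 8)[0] == 2
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    return msg[24:32], msg[ti_off:ti_off + ti_len]


def type3(user, domain, password, server_challenge, target_info, workstation="linuxbox",
          client_challenge=None, timestamp=None) -> bytes:
    """AUTHENTICATE_MESSAGE carrying NTLMv2 and LMv2 responses; the password itself is never sent."""
    client_challenge = client_challenge or os.urandom(8)
    if timestamp is None:  # Windows FILETIME: 100 ns ticks since 1601-01-01
        timestamp = int((time.time() + 11644473600) * 10_000_000)
    key = ntlmv2_key(nt_hash(password), user, domain)
    blob = (struct.pack("<BBHI", 1, 1, 0, 0) + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_resp = hmac.new(key, server_challenge + blob, "md5").digest() + blob
    lm_resp = hmac.new(key, server_challenge + client_challenge, "md5").digest() + client_challenge
    fields = [lm_resp, nt_resp, domain.encode("utf-16le"), user.encode("utf-16le"),
              workstation.encode("utf-16le"), b""]  # LM, NT, domain, user, workstation, session key
    meta, body, off = b"", b"", 64
    for f in fields:
        meta += struct.pack("<HHI", len(f), len(f), off)
        body, off = body + f, off + len(f)
    return SIG + struct.pack("<I", 3) + meta + struct.pack("<I", NEG_FLAGS) + body


def proxy_verify(msg3: bytes, server_challenge: bytes, nt_hash_db: dict) -> bool:
    """Proxy side: recompute NTProofStr from the stored NT hash and compare in constant time."""
    fields = [struct.unpack_from("<HHI", msg3, 12 + 8 * i) for i in range(6)]
    get = lambda i: msg3[fields[i][2]:fields[i][2] + fields[i][0]]
    nt_resp, domain, user = get(1), get(2).decode("utf-16le"), get(3).decode("utf-16le")
    key = ntlmv2_key(nt_hash_db[(domain, user)], user, domain)
    expected = hmac.new(key, server_challenge + nt_resp[16:], "md5").digest()
    return hmac.compare_digest(expected, nt_resp[:16])


def proxy_auth_header(msg: bytes) -> str:
    """The header a client puts on its CONNECT/GET to the proxy (HTTP 407 triggers it)."""
    return "Proxy-Authorization: NTLM " + base64.b64encode(msg).decode()


def handshake(user="nagios", domain="CORP", password="S3cret!") -> bool:
    """Constructed end-to-end exchange; returns the proxy's verdict on the Type 3."""
    nt_hash_db = {(domain, user): nt_hash(password)}             # what the proxy/DC holds
    m1 = type1()                                                  # client -> proxy
    challenge = os.urandom(8)                                     # proxy picks a fresh nonce
    m2 = type2(challenge, domain, av_pairs([(2, domain), (1, "PROXY01")]))  # proxy -> client
    srv_chal, target_info = parse_type2(m2)
    m3 = type3(user, domain, password, srv_chal, target_info)    # client -> proxy
    assert password.encode("utf-16le") not in m3 and password.encode() not in m3
    return m1[:8] == SIG and proxy_verify(m3, challenge, nt_hash_db)


if __name__ == "__main__":
    print(handshake())
```

Note that the proxy check above only validates the proof; a real ISA box also checks the timestamp and the echoed target info, and a wrong password (a different NT hash in the table) makes `proxy_verify` return False rather than raising. For Greg's Nagios use case this is exactly the work that APS or a library such as cntlm does on the client's behalf, which is why the account used should be a dedicated low-privilege service account rather than a user's domain credentials.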
