[isalist] Re: NTLM proxy authentication with Linux

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Aug 2006 10:14:53 -0500

http://www.ISAserver.org
-------------------------------------------------------

He "poked a hole in the firewall"

Ipecac time.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, August 07, 2006 10:11 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: NTLM proxy authentication with Linux
> 
> Disable "require all users..." on the outbound web listener. 
> If you can't, then you can't have anonymous traffic through it.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: Sunday, August 06, 2006 22:40
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] NTLM proxy authentication with Linux
> 
> 
> This drives me nuts, wonder if anyone can help on a work around!
>  
> Internal network - all web access is authenticated (company 
> policy - document fair use policy in effect, user gets access 
> when signed off by manager etc...)
>  
> ISA 2000 (single nic) box is deployed JUST to allow SSO 
> authentication with IE (and now firefox!!! YAY) via NTLM 
> auth.  Basic auth is not an option because of the obvious 
> security implications of having everyone's domain account 
> credentials on the wire in clear text
>  
> proxy.domainname.com:8080 is the proxy setting for all 
> clients.  Direct http outbound is not available (duh!)
>  
> So now I have a new requirement.  I have two LAN based Linux 
> machines that need outbound http connections to get updates 
> (normally - I use APS on my machine to do the auth for them 
> and allow them an unauth'ed proxy access, but I need it 
> permanently for a nagios check, so that is not exactly 
> production worthy).
>  
> Now NTLM is a proprietary protocol, so if anyone says anything 
> about lack of support for it being the cause of my problems, 
> I will personally rip them a new ahole.  Unfortunately - it 
> is also the only protocol that provides a level of security 
> for the authentication process, and hence will continue to be 
> our authentication method of choice.
>  
> So I SIMPLY wanted to add another rule above the normal one 
> that allows authenticated http access via the proxy that says 
> for these IPs, allow outbound http without authentication.
>  
> I can't use 'Direct Access' because I need access to ALL sites 
> from CERTAIN hosts unauthenticated.
>  
> To work around it I have poked a hole in the firewall to get 
> the machines out directly.
>  
> oh how I'd love to assign proxy access on a per rule basis!! 
> or group basis!
>  
> Anyone got any suggestions?
>  
> and before you say it, If I uncheck the box (that says 
> require authentication) on the web proxy filter, then anon 
> connections are allowed. (The condition of being a member of 
> the group WEBPROXY Users is not checked) so it doesn't work!
>  
> Greg
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/  
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com 
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
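The thread turns on two facts: the proxy must keep challenging unauthenticated clients (otherwise the "require all users" setting has effectively been switched off for everyone), and Basic must not be among the offered schemes, because it carries domain credentials in cleartext. The following is an added example, not code from the list posters or from ISA Server, in the spirit of the Nagios check Greg mentions: it sends one unauthenticated request through a proxy and reports whether the proxy answered 407, and which `Proxy-Authenticate` schemes it offered. The sample responses are constructed; the proxy host, port and `probe()` helper are assumptions for illustration.

```python
"""Check that an outbound web proxy still demands authentication and does
not offer a cleartext scheme.  Added example; samples are constructed."""
import socket

# Schemes that put the user's password on the wire in recoverable form.
CLEARTEXT_SCHEMES = {"basic"}

# Constructed sample responses (CRLF-terminated, as on the wire).
SAMPLE_NTLM_NEGOTIATE = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_BASIC = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Basic realm="proxy"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_OPEN = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_proxy_auth(raw_response):
    """Return (status_code, [schemes offered]) from a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # Status line is "HTTP/1.1 407 Proxy Authentication Required".
    status = int(lines[0].split(" ", 2)[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            # The scheme is the first token; parameters (realm=...) follow it.
            schemes.append(value.strip().split()[0].lower())
    return status, schemes


def assess(status, schemes):
    """'open' if no challenge, 'cleartext' if Basic is offered, else 'ok'."""
    if status != 407:
        return "open"  # anonymous request was passed through
    if CLEARTEXT_SCHEMES & set(schemes):
        return "cleartext"
    return "ok"


def probe(proxy_host, proxy_port, url="http://example.invalid/", timeout=5):
    """Send one unauthenticated GET via the proxy and assess the reply.
    Hypothetical helper for a monitoring check; needs network access."""
    request = (
        f"GET {url} HTTP/1.1\r\nHost: example.invalid\r\n"
        "Connection: close\r\n\r\n"
    )
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return assess(*parse_proxy_auth(b"".join(chunks).decode("latin-1")))


if __name__ == "__main__":
    for label, sample in (("ntlm/negotiate", SAMPLE_NTLM_NEGOTIATE),
                          ("basic", SAMPLE_BASIC), ("open", SAMPLE_OPEN)):
        print(label, "->", assess(*parse_proxy_auth(sample)))
    # probe("proxy.domainname.com", 8080)  # placeholder from the thread
```

Run from a host that is meant to be challenged (not from one of the exempted addresses): a result of `open` means the proxy is passing anonymous traffic, and `cleartext` means a scheme the thread explicitly rules out is being offered alongside NTLM.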