http://www.ISAserver.org
-------------------------------------------------------

He "poked a hole in the firewall"

Ipecac time.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, August 07, 2006 10:11 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: NTLM proxy authentication with Linux
>
> Disable "require all users..." on the outbound web listener.
> If you can't, then you can't have anonymous traffic through it.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: Sunday, August 06, 2006 22:40
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] NTLM proxy authentication with Linux
>
>
> This drives me nuts, wonder if anyone can help on a work around!
>
> Internal network - all web access is authenticated (company
> policy - document fair use policy in effect, user gets access
> when signed off by manager etc...)
>
> ISA 2000 (single nic) box is deployed JUST to allow SSO
> authentication with IE (and now firefox!!! YAY) via NTLM
> auth. Basic auth is not an option because of the obvious
> security implications of having everyone's domain account
> credentials on the wire in clear text
>
> proxy.domainname.com:8080 is the proxy setting for all
> clients. Direct http outbound is not available (duh!)
>
> So now I have a new requirement.
> I have two LAN based Linux
> machines that need outbound http connections to get updates
> (normally - I use APS on my machine to do the auth for them
> and allow them an unauth'ed proxy access, but I need it
> permanently for a nagios check, so that is not exactly
> production worthy).
>
> Now NTLM is a proprietary protocol, so if anyone says anything
> about lack of support for it being the cause of my problems,
> I will personally rip them a new ahole. Unfortunately - it
> is also the only protocol that provides a level of security
> for the authentication process, and hence will continue to be
> our authentication method of choice.
>
> So I SIMPLY wanted to add another rule above the normal one
> that allows authenticated http access via the proxy that says
> for these IPs, allow outbound http without authentication.
>
> I can't use 'Direct Access' because I need access to ALL sites
> from CERTAIN hosts unauthenticated.
>
> To work around it I have poked a hole in the firewall to get
> the machines out directly.
>
> Oh how I'd love to assign proxy access on a per rule basis!!
> or group basis!
>
> Anyone got any suggestions?
>
> And before you say it, if I uncheck the box (that says
> require authentication) on the web proxy filter, then anon
> connections are allowed. (The condition of being a member of
> the group WEBPROXY Users is not checked) so it doesn't work!
>
> Greg
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx