Upstream with SQUID

Upstream with SQUID - 7.Feb.2003 10:42:00 AM   
costi1010

 

Posts: 21
Joined: 14.Jan.2003
Status: offline
I want to forward the HTTP request to an upstream Squid server. For this I have created a rule to route to an upstream server. That upstream server has got its realm for authentication, which I have to use also. All the users behind my ISA should authenticate to that Squid server. In the rule, when I leave the checkbox "Use this account" unselected, on the client side I can get the authentication window from Squid, but in the HTML page which I get there are some missing images and links, and whenever I click another link I get something like
HTTP 502 Proxy Error - The ISA Server denies the specified URL.(12202)
But if I select that checkbox "Use this account" with a specific account and basic authentication, then everything is OK.
What can I do on the ISA side in order to let the users be authenticated on the Squid side and of course to get all HTTP requests in an HTML page?
Costi
Post #: 1
RE: Upstream with SQUID - 8.Feb.2003 11:36:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Costi,

why should all the users behind the ISA authenticate to that SQUID server? In my opinion the users should authenticate to the ISA proxy server and the ISA proxy server should authenticate to the upstream SQUID server.

HTH,
Stefaan

(in reply to costi1010)
Post #: 2
RE: Upstream with SQUID - 10.Feb.2003 9:48:00 AM   
costi1010

 

Posts: 21
Joined: 14.Jan.2003
Status: offline
Hello,
The problem we have in our organization is that the users should fill in a special paper form for accessing the internet. This form is approved by the IT department which manages the Squid proxy server. We belong to another branch IT department and we want to have ISA in house for our purpose.
But we have to configure the ISA in such a way as to allow the authentication to pass to that Squid server.
Regards,
Costi

(in reply to costi1010)
Post #: 3
RE: Upstream with SQUID - 10.Feb.2003 3:32:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

Agreed. Access control should take place on the ISA Server. You can configure Web Proxy chaining if you need the downstream ISA Server to send credentials to the upstream server.

HTH,
Tom

(in reply to costi1010)
Post #: 4
RE: Upstream with SQUID - 11.Feb.2003 9:36:00 AM   
costi1010

 

Posts: 21
Joined: 14.Jan.2003
Status: offline
Hello all,

How can I do this on the ISA side?! It seems that if I leave that checkbox empty (the checkbox with credentials) I get authentication from the Squid upstream, but furthermore the HTML page I get is not working properly, no images... Something strange: it seems that somewhere in this chain some information is lost... maybe some TTLs.
Costi

(in reply to costi1010)
Post #: 5
RE: Upstream with SQUID - 11.Feb.2003 8:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Costi,

Check this out:

==================
FIX: Problems with Web Browser if ISA Server 2000 Is Chained to an Upstream Web Proxy Server

--------------------------------------------------------------------------------
The information in this article applies to:

Microsoft Internet Security and Acceleration Server 2000

--------------------------------------------------------------------------------
IMPORTANT : This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SYMPTOMS
If Internet Security and Acceleration (ISA) Server 2000 is chained to an upstream Web proxy server, you may experience unexpected delays, incomplete pages, random authentication warning messages, and so forth, when you browse the Web.

This behavior does not occur if the upstream proxy server requires NTLM authentication and the routing rule on the downstream server is configured to provide Integrated Authentication credentials to the upstream Web proxy server.

CAUSE
This behavior can occur if all of the following conditions are true:

The downstream ISA Server computer is configured to require integrated authentication (NTLM).

-and-

The upstream Web proxy server is not configured to require authentication (anonymous).

-and-

You are using Internet Explorer as your client browser.

Under certain circumstances, Internet Explorer sends an extraneous NTLM authentication header on a connection that has already been authenticated with the downstream ISA Server computer by using integrated authentication. This may cause the downstream ISA Server computer to pass those credentials to the upstream Web proxy server. Because these credentials are for the downstream ISA Server computer, the upstream proxy server may return unexpected delays or responses because it is unable to process the NTLM credentials. The downstream ISA Server computer then passes this HTTP response back to the Web browser, resulting in unexpected delays, authentication warning messages, or other effects on the client computer (running Internet Explorer).

RESOLUTION
Note that you must have ISA Server 2000 Service Pack 1 (SP1) installed on your computer before you apply the following fix.

For additional information about how to obtain ISA Server 2000 SP1, click the article number below to view the article in the Microsoft Knowledge Base:

Q313139 How to obtain the Latest Internet Security and Acceleration Server 2000 Service Pack
A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem. This fix may receive additional testing at a later time, to further ensure product quality. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp

NOTE : In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English-language version of this fix should have the following file attributes or later:
Date         Time      Version       Size     File name
--------------------------------------------------------
Mar-27-2002  14:10:00  3.0.1200.170  383,760  W3proxy.exe

STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article.

MORE INFORMATION
WARNING : Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

To implement the functionality in this fix and then enable it, follow these steps after you have installed the fix:

1. Stop the Web Proxy service.

2. Start Registry Editor.

3. Locate and select the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters

4. Create a new DWORD value named RemoveAllProxyAuthorization. Give this new value a data value of 1.

5. Restart the Web Proxy service.

To revert to the original configuration, either remove the RemoveAllProxyAuthorization registry value or change its data value to 0 (zero). After you make either change, restart the Web Proxy service.

REFERENCES
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

Q297080 Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy

--------------------------------------------------------------------------------
Additional query words : credential NTLM challenge response
Keywords :
Issue type : kbbug
===============

HTH,
Tom

(in reply to costi1010)
Post #: 6
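
The CAUSE section quoted above describes client credentials meant for the downstream proxy being passed on to the upstream proxy. The following is an added example, not part of the original thread and not ISA Server's code: it shows a downstream proxy dropping the client's Proxy-Authorization header before forwarding and optionally attaching its own upstream account, as the "Use this account" option does. That RemoveAllProxyAuthorization behaves this way is an assumption drawn from its name; the request, token and account values are constructed.

```python
import base64

# Constructed sample: a browser request that still carries NTLM credentials
# meant for the downstream proxy (the token is a placeholder, not a real blob).
SAMPLE = (
    b"GET http://example.com/logo.gif HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Proxy-Authorization: NTLM Q09OU1RSVUNURUQ=\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"\r\n"
)

def basic_token(user: str, password: str) -> str:
    """Value of a Basic Proxy-Authorization header for the upstream account."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def proxy_auth_values(head: bytes) -> list:
    """Return every Proxy-Authorization value present in a request head."""
    values = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"proxy-authorization":
            values.append(value.strip().decode())
    return values

def rewrite_for_upstream(head: bytes, upstream_account=None) -> bytes:
    """Drop client Proxy-Authorization headers; optionally add the proxy's own."""
    lines = head.split(b"\r\n")
    kept, dropping = [lines[0]], False
    for line in lines[1:]:
        if not line:
            break  # end of headers
        if line[:1] in (b" ", b"\t"):
            # Folded continuation line: shares the fate of the header above it.
            if not dropping:
                kept.append(line)
            continue
        dropping = line.split(b":", 1)[0].strip().lower() == b"proxy-authorization"
        if not dropping:
            kept.append(line)
    if upstream_account is not None:
        # Hypothetical upstream account, passed as a (user, password) tuple.
        kept.append(b"Proxy-Authorization: " + basic_token(*upstream_account).encode())
    return b"\r\n".join(kept) + b"\r\n\r\n"
```

Running `proxy_auth_values()` over the rewritten head is a quick check that no client credential survives the hop to the upstream proxy.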
RE: Upstream with SQUID - 14.Feb.2003 1:43:00 PM   
costi1010

 

Posts: 21
Joined: 14.Jan.2003
Status: offline
Hello All,
It seems that the new version of the file which comes from ISA Feature Pack 1 from Microsoft, W3PROXY.exe 3.0.1200.235, solved this problem without modifying any registry key. Anyway, everything seems to be OK except HTTPS requests, which are not working at all. What should I do in order to make the downstream proxy server also forward the HTTPS requests? In the bridging tab under the routing rule configuration I did all the changes without any success. Let me know if you have any idea about this.
Regards,
Costi

(in reply to costi1010)
Post #: 7
RE: Upstream with SQUID - 26.Feb.2003 10:15:00 AM   
costi1010

 

Posts: 21
Joined: 14.Jan.2003
Status: offline
Hello

As I mentioned, with the new version of w3proxy.exe the authentication is forwarded back to the ISA, but the problem is with HTTPS requests. I know there are 2 ways to have HTTPS requests, tunneling and bridging. Tunneling is not working whenever there is an upstream proxy. Does anybody know how I can enable SSL outbound bridging using certificates?
Regards,
Costi

(in reply to costi1010)
Post #: 8
RE: Upstream with SQUID - 26.Feb.2003 4:46:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Costi,

The upstream squid server should just pass the SSL packets, because it will not be able to decrypt the contents. Squid lacks the layer 7 sophistication of ISA Server, so it can't perform the necessary bridging, they'll just need to allow outbound TCP 443.

HTH,
Tom

(in reply to costi1010)
Post #: 9
