aleksije
Level 7

NTLM-passthrough in squid with Webgateway 7


Hi,

I am migrating from Webwasher 6 to Webgateway 7, and in the new setup there is a requirement that users are authenticated to Webgateway in order to have more granular filtering rules.

My configuration is such that all clients access the web through an existing squid 3.1.10 proxy, where they are NTLM authenticated.

Webgateway is a parent proxy for this squid, and is also configured for NTLM authentication. There is no possibility for users to connect directly to Webgateway.

Both servers can successfully authenticate users with NTLM.

However, when used in a proxy chain, authentication is broken in squid, and users are prompted for username/password by Webgateway, which I would obviously like to avoid.

Is it possible to make this setup work - users authenticated in squid, and the squid passes through authentication information, or at least username, to Webgateway.

This is the peer definition in squid:

cache_peer      ip.of.mc.affee     parent  8080 0 proxy-only no-query name=mcafee default no-digest login=PASS connection-auth=on

Test rule for database authentication is attached below.

Thanks for any directions on this.

1 Solution

Accepted Solutions
asabban
Level 17

Re: NTLM-passthrough in squid with Webgateway 7


Hello,

you cannot perform authentication on both Squid and MWG. Instead you should forward the username to MWG. MWG can be used to obtain user groups from Active Directory via LDAP and use this to apply policies. To shift the username to MWG you should adjust the cache_peer directive. A while back I used login=*:foo, which caused Squid to send a Proxy-Auth header with the original username followed by a "fake" password "foo".

On MWG I extracted the username and put it into Authentication.RawUsername. I think from there you can trigger Authentication.GetUserGroups to obtain the groups via LDAP, assuming the LDAP configuration is correct. This will fill Authentication.UserGroups as required.

If I remember correctly I think I had set this up a while ago, so I assume it should work.

Best,

Andre

2 Replies
aleksije
Level 7

Re: NTLM-passthrough in squid with Webgateway 7


There is predefined ruleset 'Lookup Username From "Proxy-Authorization: Basic" Header' that does the trick.

Squid indeed sends base64 encoded header with username:foo, so your memory serves you well.

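The two posts above describe the same mechanism from both ends: with the cache_peer line changed from login=PASS to login=*:foo, Squid sends the upstream a "Proxy-Authorization: Basic" header carrying base64(username:foo), and the MWG ruleset 'Lookup Username From "Proxy-Authorization: Basic" Header' decodes it. The script below is an added example written for this page, not Squid or MWG code, showing exactly what Squid puts on the wire and what a parent proxy should do with it. Note that the "password" is a fixed sentinel, not a credential, so the parent is trusting Squid's NTLM result rather than authenticating anyone itself; the example therefore adds two checks the predefined MWG ruleset does not make for you: the header is accepted only from the Squid host's address (10.0.0.5 is a constructed value), and the decoded password must equal the configured sentinel. It also rejects NTLM/Negotiate tokens, which are bound to the client-to-Squid connection and are the reason the login=PASS chain broke.

```python
import base64
from typing import Optional

# Assumptions, not taken from the thread: the address of the downstream Squid
# (constructed) and the fake password configured with "login=*:foo".
TRUSTED_DOWNSTREAM = {"10.0.0.5"}
SENTINEL_PASSWORD = "foo"


def squid_forwarded_header(username: str, sentinel: str = SENTINEL_PASSWORD) -> str:
    """Reproduce the header Squid emits for cache_peer ... login=*:<sentinel>:
    the NTLM-authenticated username, a colon and the literal fake password,
    base64-encoded as a Basic credential."""
    token = base64.b64encode(f"{username}:{sentinel}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def username_from_forwarded_basic(header: Optional[str], client_ip: str,
                                  sentinel: str = SENTINEL_PASSWORD) -> Optional[str]:
    """Parent-side extraction of the username (the job of the MWG ruleset),
    plus the trust checks a practitioner should add around it.

    Returns the username, or None when the header must not be trusted."""
    # Anything that can reach the parent directly could forge any username,
    # so only the downstream proxy that actually did the NTLM handshake counts.
    if client_ip not in TRUSTED_DOWNSTREAM:
        return None
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        # NTLM/Negotiate blobs authenticate the Squid<->client connection and
        # cannot be replayed one hop further: this is the failing login=PASS case.
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the first ':' separates user-id and password; the user-id
    # itself may not contain ':' so DOMAIN\user and user@realm forms are safe.
    user, sep, password = decoded.partition(":")
    if not sep or not user or password != sentinel:
        return None
    return user


def sam_account_name(username: str) -> str:
    """Normalise DOMAIN\\user or user@realm to the bare account name, which is
    what an LDAP group lookup against sAMAccountName would expect (assumption:
    your LDAP filter keys on sAMAccountName)."""
    if "\\" in username:
        return username.rsplit("\\", 1)[1]
    return username.split("@", 1)[0]


if __name__ == "__main__":
    hdr = squid_forwarded_header("CORP\\jdoe")
    print("Squid sends:  Proxy-Authorization:", hdr)
    user = username_from_forwarded_basic(hdr, "10.0.0.5")
    print("Parent sees:", user, "->", sam_account_name(user))
    # The same header from an untrusted source is ignored.
    print("From elsewhere:", username_from_forwarded_basic(hdr, "10.0.0.9"))
```

Because the sentinel is sent in clear base64 on every request, it adds nothing against an attacker who can observe or reach the Squid-to-MWG link; the real control is that MWG accepts this header only from the Squid host and that users cannot bypass Squid, which the original question already guarantees.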