2 Replies Latest reply on Dec 21, 2012 6:09 PM by aleksije

    NTLM-passthrough in squid with Webgateway 7

    aleksije

      Hi,

      I am migrating from Webwasher 6 to Webgateway 7, and in the new setup there is a requirement that users are authenticated to Webgateway in order to have more granular filtering rules.

      My configuration is such that all clients access the web through an existing squid 3.1.10 proxy, where they are NTLM authenticated.

      Webgateway is a parent proxy for this squid, and is also configured for NTLM authentication. There is no possibility for users to connect directly to Webgateway.

      Both servers can successfully authenticate users with NTLM.

      However, when used in a proxy chain, authentication is broken in squid, and users are prompted for username/password by Webgateway, which I would obviously like to avoid.

      Is it possible to make this setup work: users authenticated in squid, and squid passes through the authentication information, or at least the username, to Webgateway?

      This is the peer definition in squid:

      cache_peer      ip.of.mc.affee     parent  8080 0 proxy-only no-query name=mcafee default no-digest login=PASS connection-auth=on

      Test rule for database authentication is attached below.

      Thanks for any directions on this.

        • 1. Re: NTLM-passthrough in squid with Webgateway 7
          asabban

          Hello,

          you cannot perform authentication on both Squid and MWG. Instead you should forward the username to MWG. MWG can be used to obtain user groups from Active Directory via LDAP and use this to apply policies. To shift the username to MWG you should adjust the cache_peer directive. A while back I used login=*:foo, which caused Squid to send a Proxy-Auth header with the original username followed by a "fake" password "foo".

          On MWG I extracted the username and put it into Authentication.RawUsername. I think from there you can trigger Authentication.GetUserGroups to obtain the groups via LDAP, assuming the LDAP configuration is correct. This will fill the Authentication.UserGroups as required.

          If I remember correctly I had set this up a while ago, so I assume it should work.

          Best,

          Andre
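          To make the mechanism in the reply above concrete, here is an added example (not code from the thread, and not McAfee's rule set) that reproduces the wire format Squid produces with login=*:foo and shows what the receiving side has to do with it. Squid forwards "Proxy-Authorization: Basic base64(username:foo)"; the NTLM exchange itself never crosses the hop. The parent must therefore pull the username out of that header, discard the constant password, and honour the header only when the TCP peer is the Squid box, since with this setup the header is the whole of the "authentication". The peer address 10.0.0.5, the user jdoe and the sample request are constructed for the example.

```python
import base64
import ipaddress
from typing import Optional

# Constructed values for this example, not from the thread: the address Squid
# uses to reach the parent (the only upstream allowed to assert a username) and
# the dummy password chosen in the cache_peer option "login=*:foo".
SQUID_PEER_IP = "10.0.0.5"
FAKE_PASSWORD = "foo"


def build_proxy_authorization(username: str, fake_password: str = FAKE_PASSWORD) -> str:
    """Reproduce what Squid sends to the parent with login=*:foo.

    Squid takes the name it already authenticated (here via NTLM) and forwards
    'Proxy-Authorization: Basic base64(username:foo)'. The NTLM handshake
    itself is not forwarded, which is why chaining two NTLM hops breaks.
    """
    token = base64.b64encode(f"{username}:{fake_password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def extract_username(header_value: str, client_ip: str) -> Optional[str]:
    """Recover the username the way the parent proxy must, and nothing more.

    Two points a practitioner should insist on:
      * The password part is a constant ("foo") and proves nothing; it is
        discarded, never compared against anything.
      * The header is honoured only when the connection comes from the Squid
        peer. Anyone else able to reach the parent could otherwise claim any
        name simply by sending this header.
    """
    if ipaddress.ip_address(client_ip) != ipaddress.ip_address(SQUID_PEER_IP):
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # e.g. an NTLM/Negotiate blob; not what Squid sends here
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first one.
    # This keeps "DOMAIN\user" style names intact.
    username, sep, _ignored_password = decoded.partition(":")
    if not sep or not username:
        return None
    return username


def username_from_request(raw_request: bytes, client_ip: str) -> Optional[str]:
    """Find Proxy-Authorization in a raw forwarded request and extract the user."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"proxy-authorization":
            return extract_username(value.decode("latin-1").strip(), client_ip)
    return None


# Constructed sample of a request as Squid would forward it for user "jdoe".
SAMPLE_REQUEST = (
    b"GET http://intranet.example/ HTTP/1.1\r\n"
    + b"Host: intranet.example\r\n"
    + b"Proxy-Authorization: " + build_proxy_authorization("jdoe").encode("ascii") + b"\r\n"
    + b"Via: 1.1 squid\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    print(build_proxy_authorization("jdoe"))
    print(username_from_request(SAMPLE_REQUEST, SQUID_PEER_IP))  # accepted: from Squid
    print(username_from_request(SAMPLE_REQUEST, "192.0.2.9"))    # rejected: other source
```

          The same two checks apply when the extraction is done by the product's own rules: restrict the listener or rule to the Squid address, and never let the fake password be treated as a credential. The original cache_peer line in the question (login=PASS with connection-auth=on) tries to pass the NTLM exchange through instead, which is what causes the second prompt.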

          • 2. Re: NTLM-passthrough in squid with Webgateway 7
            aleksije

            There is predefined ruleset 'Lookup Username From "Proxy-Authorization: Basic" Header' that does the trick.

             

            Squid indeed sends base64 encoded header with username:foo, so your memory serves you well.
