We have several layers of Proxies:
User -> Region -> Region -> inner farm -|Firewall|-> DMZ farm -|Firewall|-> Internet
User -----------> Region ->
User --------------------->
We do all our authentication/authorisation and filtering based on
user/group in the inner farm. Currently we mainly do authentication
based on the IP address(-range) (around 95%) and only very few users are
authenticated via NTLM. However, we are under orders to change that in
the foreseeable future to pure NTLM. So that'll be for Proxy
authentication, server NTLM is only done within the intranet itself and
that's taken care of in the proxy settings of the clients.
BlueCoats for example allow such a scenario with a thing called "NTLM
forwarding". As far as I am aware that's not possible with Squid right
now. So I wonder if that'll be part of the upcoming Stable 2.6/3 as
we've to start planning for the necessary changes rather soon.
-----Original Message-----
From: Adrian Chadd [mailto:adrian@creative.net.au]
Sent: Tuesday, 16 May 2006 09:44
To: Baumgaertel, Oliver
Cc: squid-dev@squid-cache.org
Subject: Re: NTLM forwarding in 2.6 ?
Are you referring to connection pinning so NTLM authentication works
through a proxy server?
On Tue, May 16, 2006, Baumgaertel, Oliver wrote:
>
> Hi.
>
> Are there any plans to add NTLM forwarding to the Stable 2.6 release?
>
> I ask because we will need that in the coming months and I'd like to
> save the 30 or so squid boxes currently running in the third layer.
> Else they'd surely follow the other 20 already replaced by BlueCoats.
>
> regards,
> Oliver Baumgaertel
Received on Tue May 16 2006 - 02:04:25 MDT