LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity
LDP/LDP/howto/linuxdoc/Web-Browsing-Behind-ISA-Ser...

350 lines
14 KiB
Plaintext
Raw Permalink Blame History

<!doctype linuxdoc system>
<!--
Web Browsing behind ISA Server using linux based browsers.
-->
<!-- Title information -->
<article>
<titlepag>
<title>Web Browsing Behind ISA Server HOWTO</title>
<author>by Raheel Abdul Hameed (<tt/raheel at raheelhameed dot com/)</author>
<date>v1.0, April 2003 - Initial Release, reviewed by LDP</date>
<abstract>
If you are using a Linux box connected to a Windows-based ISA server, this article will
help you set things up so you can browse the web from your Linux
machine. I decided to write this article because I experienced similar issues, and
after some digging found some ways to web-enable my cute Linux machine. So here is this
article with the hope that you'll like it and find it useful. Any feedback will be
appreciated, especially in the patch form :)
</abstract>
</titlepag>
<!-- Table of contents -->
<toc>
<!-- Introduction -->
<sect>
<heading>Introduction</heading>
<p>
This section first discusses some legal matters, requisites, uses of this document and links where its latest version can be found.
<sect1>
<heading>Copyright</heading>
<p>
This document is Copyright (c) 2003 by Raheel Abdul Hameed
<p>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
<p>
For the full text of the license, please visit
<url url="http://www.gnu.org/copyleft/fdl.html" name="GNU Free Documentation License">.
<sect1>
<heading>Disclaimer</heading>
<p>
Use the information in this document at your own risk. I disavow any
potential liability for the contents of this document. Use of the
concepts, examples, and/or other content of this document is entirely
at your own risk.
All copyrights are owned by their owners, unless specifically noted
otherwise. Use of a term in this document should not be regarded as
affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
You are strongly recommended to take a backup of your system before
major installation and backups at regular intervals.
<sect1>
<heading>Getting the latest version</heading>
<p>
The latest version of this document is available at
<htmlurl url="http://www.tldp.org/HOWTO/Web-Browsing-Behind-ISA-Server.html"
name="http://www.tldp.org/HOWTO/Web-Browsing-Behind-ISA-Server.html">
</sect1>
<sect1>
<heading>Requisites</heading>
<p>
This document assumes that you are familiar with editing files using any
of your favorite text editors, as it talks about editing a configuration file.
Some familiarity with ISA server configuration is also favorable, but not necessary.
</sect1>
<sect1>
<heading>Uses of this document</heading>
<p> This document tries to be useful in the following situations:
<itemize>
<item> You have a Windows machine running ISA Server as a proxy
that connects to internet.
<item> You have a Linux machine where you want to run your browser
to browse the web behind ISA Server proxy.
<item> You are sick of using Windows to browse the net.
<item> You are a complete nerd and read every HOWTO available.
</itemize>
</sect1>
<sect1>
<heading>Translations</heading>
<p> No translations done yet.
<!--
<p> Language: by ABC (user at domain)
<htmlurl name="is here" url="http://abc/dir">
-->
<p> If you made or have any information about any translation of this document,
please, email it to me so I update this section.
</sect1>
<!-- History goes here!
<sect1>
History
<p> History line 1.
</sect1>
-->
</sect>
<!-- ISA Server -->
<sect>
<heading>ISA Server</heading>
<p>
<!-- Few words on ISA Server -->
<sect1>
<heading>A few words on ISA Server</heading>
<p>
ISA Server provides many important networking functions that include Firewalling,
Web-cache, Policy-based Administration, Dynamic IP Filtering, VPN Support, Intrusion
Detection, NAT and reporting. While being a robust solution for Windows-based clients,
its a pain for Linux users because most of the Linux-based browsers do not
appear to be working behind it. The term 'appear to be' is used because there are some
known workouts for this.
</sect1>
<!-- Why it doesn't work? -->
<sect1>
<heading>Why doesn't it work?</heading>
<p>
While running Windows-based clients behind ISA Server, have you noticed that normally
you could browse using only Internet Explorer, and not using other browsers like
Netscape? This is because ISA server uses an authentication mechanism it
calls 'Integrated Authentication.' When Internet Explorer contacts ISA server to
request a page, along with every request it sends a hash that the server uses to
authenticate you as a legitimate domain user [You can verify this fact by sniffing
some packets while you browse, just check the request header that your browser
sends to the ISA server]. This authentication method is not supported by other
browsers, which is why it renders most of the browsers useless.
</p>
<p>
The following sections will tell you about two methods to enable your Linux-based
browser to browse the net.
</sect1>
</sect>
<!-- Method #1 - Enable Basic Authentication -->
<sect>
<heading>Method #1 - Enable Basic Authentication</heading>
<p>
As mentioned above, due to Integrated Authentication support configured on ISA
server, third party browsers do not work behind it. In this situation you can make use of
another authentication scheme called 'Basic Authentication', commonly supported by
most browsers and most importantly by ISA Server too. If you work in a security
conscious environment this method is not recommended since during basic
authentication, the username and password sent are loosely encrypted.
</p>
<p>
The point here is that to proceed with this method you will have to make sure that you
have legitimate access over configuring the ISA Server. If you cannot access the server
configuration console, then move on to the second method in the following section.
<!-- Server Side Configuration -->
<sect1>
<heading>Server Side Configuration</heading>
<p>
All you need to do is fire up 'ISA Management' and follow these steps:
<enum>
<item> Right-click your server and click on Properties.
<item> Go to the Outgoing Web Requests tab, click the configured listener that you want to change, and then click Edit.
<item> Click Basic authentication, and then select the domain in which the accounts exist that you want to authenticate.
<item> Now it's time to move on to your Linux-based browser.
</enum>
</sect1>
<!-- Client Side Configuration -->
<sect1>
<heading>Client Side Configuration</heading>
<p>
In particular, we will take Netscape as an example here.
<enum>
<item> Start Netscape Communicator.
<item> Click on the Edit menu and click Preferences.
<item> Expand 'Advanced' node and click on 'Proxies'; you will see some options on the left.
<item> Click on Manual proxy configuration, then click on the View button.
<item> Put your ISA Server's IP address in the HTTP: box and the port where web cache is listening (usually 8080, depends what you set).
<item> Click on OK to confirm your changes.
<item> You will return back to the Preferences dialog.
<item> Click on OK to apply your changes.
</enum>
Load up a test url in your browser, it will ask you for authentication information,
In place of user, type DOMAIN&bsol;USER, where your DOMAIN being the Windows domain,
and USER being a legitimate domain user. In place of password, type the
user's password. Click on OK to continue. For example:
<code>
User: CABLENET&bsol;Raheel
Password: Mypassword
Where CABLENET is my domain, Raheel is the user id
and Mypassword is my password.
</code>
You should now see the page loading successfully. If you use a different browser
you will need to explore and see if it supports Basic Authentication.
</sect1>
</sect>
<!-- Method #2 - NTLM Authorization Proxy Server -->
<sect>
<heading>Method #2 - NTLM Authorization Proxy Server</heading>
<p>
NTLM Authorization Proxy Server is proxy server-like software that just provides NTLM
authentication in between your browser and ISA Server, and makes the server believe
it's talking to Internet Explorer. It does this by adding NTLM authorization strings to the
request headers. It is written in the Python language by Dmitry Rozmanov [nice work
dude!]. See <htmlurl name="www.python.org" url="http://www.python.org">.
Most linux distributions come bundled with a Python interpreter.
<!-- Getting NTLMAPS -->
<sect1>
<heading>Getting NTLMAPS</heading>
<p>
The NTLMAPS project home page is located at <htmlurl name="http://ntlmaps.sourceforge.net/" url="http://ntlmaps.sourceforge.net/">.
You can directly go to the download page at <htmlurl name="http://sourceforge.net/project/showfiles.php?group_id=69259" url="http://sourceforge.net/project/showfiles.php?group_id=69259">. The recent version at the time of writing this document is 0.9.8.
</sect1>
<!-- Installing NTLMAPS -->
<sect1>
<heading>Installing NTLMAPS</heading>
<p>
Once you have downloaded NTLMAPS, you can extract it into the directory of your choice:
<code>
tar xzvf apsxxx.tar.gz
cd apsxxx
where 'xxx' is the version number.
</code>
</sect1>
<!-- Quick Configuration -->
<sect1>
<heading>Quick Configuration</heading>
<p>
Load up <file>server.cfg</file> in your favorite editor. Locate the lines:
<code>
LISTEN_PORT:5865
# If you want APS to authenticate you at WWW servers using NTLM then just leave this
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
# And NOTE that NTLM cannot pass through another proxy server.
PARENT_PROXY:your_parentproxy
PARENT_PROXY_PORT:8080
</code>
By default, NTLMAPS listens on port 5865. You can change it to any port number of
your choice. You need to replace 'your_parentproxy' with the IP address of your
ISA Server. Put ISA Server's web cache port in PARENT_PROXY_PORT.
<p>
Now, locate the lines:
<code>
# Windows Domain.
# NOTE: it is not full qualified internet domain, but windows network domain.
NT_DOMAIN:your_domain
# What user's name to use during authorization. It may differ form real current username.
USER:username_to_use
# Password. Just leave it blank here and server will request it at the start time.
PASSWORD:your_nt_password
</code>
You will need to put in your domain name in place of your_domain, user name in place
of 'username_to_use' and password in place of 'your_nt_password'. Save the file after
editing.
</sect1>
<!-- Running NTLMAPS -->
<sect1>
<heading>Running NTLMAPS</heading>
<p>
Now simply run the file <file>main.py</file>, for example:
<code>
./main.py
</code>
Now the NTLMAPS server is listening.
</sect1>
<!-- Client Side Configuration -->
<sect1>
<heading>Client Side Configuration</heading>
<p>
In particular, we will use Netscape as an example here.
<itemize>
<item> Start Netscape Communicator.
<item> Click on Edit menu and click Preferences.
<item> Expand 'Advanced' node and click on 'Proxies'; you will see some options on the left.
<item> Click on Manual proxy configuration, then click on the View button.
<item> Put your local host's IP address (127.0.0.1) in the HTTP: box and port where NTLMAPS is listening (5865).
<item> Click on OK to confirm your changes.
<item> You will return back to Preferences dialog.
<item> Click on OK to apply your changes.
</itemize>
Load up a test url in your browser and you will see the web page loads successfully. If you use a different browser
then you will need to explore and see how you set it up to work with proxy.
</sect1>
</sect>
<sect>
<heading>Appendix</heading>
<sect1>
<heading>Appendix - A - Resources</heading>
<p> Microsoft Knowledge Base Article - 295667
<htmlurl url="http://support.microsoft.com/?kbid=295667"
name="http://support.microsoft.com/?kbid=295667">
<p> NTLM Authorization Proxy Server home page
<htmlurl name="http://ntlmaps.sourceforge.net/" url="http://ntlmaps.sourceforge.net/">
<p> Python Home Page
<htmlurl name="www.python.org" url="http://www.python.org">
</sect1>
<sect1>
<heading>Appendix - B - Acknowledgments </heading>
<p>
<itemize>
<item> Special thanks to Tabatha Persad (tabatha AT merlinmonroe DOT com) for reviewing and fixing the grammatical, structural, spelling and markup mistakes in this document.
<item> Thanks to Greg Ferguson (gferg AT sgi DOT com), Joy Goodreau (joyg AT us DOT ibm DOT com) for their guidance on submitting this document.
<item> Thanks to Faisal Khatri (fslkhatri AT hotmail DOT com) for verifying the information in this document.
</itemize>
</sect1>
</sect>
</article>
View Git Blame Copy Permalink