mirror of https://github.com/tLDP/LDP
350 lines
14 KiB
Plaintext
350 lines
14 KiB
Plaintext
<!DOCTYPE LINUXDOC SYSTEM>
|
|
|
|
<!--
|
|
Web Browsing behind ISA Server using linux based browsers.
|
|
-->
|
|
|
|
<!-- Title information -->
|
|
|
|
<article>
|
|
<titlepag>
|
|
<title>Web Browsing Behind ISA Server HOWTO</title>
|
|
<author>by Raheel Abdul Hameed (<tt/raheel at raheelhameed dot com/)</author>
|
|
<date>v1.0, April 2003 - Initial Release, reviewed by LDP</date>
|
|
<abstract>
|
|
If you are using a Linux box connected to a Windows-based ISA server, this article will
|
|
help you set things up so you can browse the web from your Linux
|
|
machine. I decided to write this article because I experienced similar issues, and
|
|
after some digging found some ways to web-enable my cute Linux machine. So here is this
|
|
article with the hope that you'll like it and find it useful. Any feedback will be
|
|
appreciated, especially in the patch form :)
|
|
</abstract>
|
|
</titlepag>
|
|
<!-- Table of contents -->
|
|
<toc>
|
|
|
|
<!-- Introduction -->
|
|
<sect>
|
|
<heading>Introduction</heading>
|
|
<p>
|
|
This section first discusses some legal matters, requisites, uses of this document and links where its latest version can be found.
|
|
|
|
<sect1>
|
|
<heading>Copyright</heading>
|
|
<p>
|
|
This document is Copyright (c) 2003 by Raheel Abdul Hameed
|
|
<p>
|
|
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
|
|
<p>
|
|
For the full text of the license, please visit
|
|
<url url="http://www.gnu.org/copyleft/fdl.html" name="GNU Free Documentation License">.
|
|
|
|
<sect1>
|
|
<heading>Disclaimer</heading>
|
|
<p>
|
|
Use the information in this document at your own risk. I disavow any
|
|
potential liability for the contents of this document. Use of the
|
|
concepts, examples, and/or other content of this document is entirely
|
|
at your own risk.
|
|
|
|
All copyrights are owned by their owners, unless specifically noted
|
|
otherwise. Use of a term in this document should not be regarded as
|
|
affecting the validity of any trademark or service mark.
|
|
|
|
Naming of particular products or brands should not be seen as endorsements.
|
|
|
|
You are strongly recommended to take a backup of your system before
|
|
major installation and backups at regular intervals.
|
|
|
|
<sect1>
|
|
<heading>Getting the latest version</heading>
|
|
<p>
|
|
The latest version of this document is available at
|
|
<htmlurl url="http://www.tldp.org/HOWTO/Web-Browsing-Behind-ISA-Server.html"
|
|
name="http://www.tldp.org/HOWTO/Web-Browsing-Behind-ISA-Server.html">
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<heading>Requisites</heading>
|
|
<p>
|
|
This document assumes that you are familiar with editing files using any
|
|
of your favorite text editors, as it talks about editing a configuration file.
|
|
Some familiarity with ISA server configuration is also favorable, but not necessary.
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<heading>Uses of this document</heading>
|
|
<p> This document tries to be useful in the following situations:
|
|
<itemize>
|
|
<item> You have a Windows machine running ISA Server as a proxy
|
|
that connects to internet.
|
|
<item> You have a Linux machine where you want to run your browser
|
|
to browse the web behind ISA Server proxy.
|
|
<item> You are sick of using Windows to browse the net.
|
|
<item> You are a complete nerd and read every HOWTO available.
|
|
</itemize>
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<heading>Translations</heading>
|
|
<p> No translations done yet.
|
|
<!--
|
|
<p> Language: by ABC (user at domain)
|
|
<htmlurl name="is here" url="http://abc/dir">
|
|
-->
|
|
<p> If you made or have any information about any translation of this document,
|
|
please, email it to me so I update this section.
|
|
</sect1>
|
|
|
|
<!-- History goes here!
|
|
<sect1>
|
|
History
|
|
<p> History line 1.
|
|
</sect1>
|
|
-->
|
|
</sect>
|
|
|
|
<!-- ISA Server -->
|
|
<sect>
|
|
<heading>ISA Server</heading>
|
|
<p>
|
|
|
|
<!-- Few words on ISA Server -->
|
|
|
|
<sect1>
|
|
<heading>A few words on ISA Server</heading>
|
|
<p>
|
|
ISA Server provides many important networking functions that include Firewalling,
|
|
Web-cache, Policy-based Administration, Dynamic IP Filtering, VPN Support, Intrusion
|
|
Detection, NAT and reporting. While being a robust solution for Windows-based clients,
|
|
its a pain for Linux users because most of the Linux-based browsers do not
|
|
appear to be working behind it. The term 'appear to be' is used because there are some
|
|
known workouts for this.
|
|
</sect1>
|
|
|
|
<!-- Why it doesn't work? -->
|
|
<sect1>
|
|
<heading>Why doesn't it work?</heading>
|
|
<p>
|
|
While running Windows-based clients behind ISA Server, have you noticed that normally
|
|
you could browse using only Internet Explorer, and not using other browsers like
|
|
Netscape? This is because ISA server uses an authentication mechanism it
|
|
calls 'Integrated Authentication.' When Internet Explorer contacts ISA server to
|
|
request a page, along with every request it sends a hash that the server uses to
|
|
authenticate you as a legitimate domain user [You can verify this fact by sniffing
|
|
some packets while you browse, just check the request header that your browser
|
|
sends to the ISA server]. This authentication method is not supported by other
|
|
browsers, which is why it renders most of the browsers useless.
|
|
</p>
|
|
<p>
|
|
The following sections will tell you about two methods to enable your Linux-based
|
|
browser to browse the net.
|
|
</sect1>
|
|
|
|
</sect>
|
|
|
|
<!-- Method #1 - Enable Basic Authentication -->
|
|
<sect>
|
|
<heading>Method #1 - Enable Basic Authentication</heading>
|
|
<p>
|
|
As mentioned above, due to Integrated Authentication support configured on ISA
|
|
server, third party browsers do not work behind it. In this situation you can make use of
|
|
another authentication scheme called 'Basic Authentication', commonly supported by
|
|
most browsers and most importantly by ISA Server too. If you work in a security
|
|
conscious environment this method is not recommended since during basic
|
|
authentication, the username and password sent are loosely encrypted.
|
|
</p>
|
|
<p>
|
|
The point here is that to proceed with this method you will have to make sure that you
|
|
have legitimate access over configuring the ISA Server. If you cannot access the server
|
|
configuration console, then move on to the second method in the following section.
|
|
|
|
<!-- Server Side Configuration -->
|
|
<sect1>
|
|
<heading>Server Side Configuration</heading>
|
|
<p>
|
|
All you need to do is fire up 'ISA Management' and follow these steps:
|
|
<enum>
|
|
<item> Right-click your server and click on Properties.
|
|
<item> Go to the Outgoing Web Requests tab, click the configured listener that you want to change, and then click Edit.
|
|
<item> Click Basic authentication, and then select the domain in which the accounts exist that you want to authenticate.
|
|
<item> Now it's time to move on to your Linux-based browser.
|
|
</enum>
|
|
</sect1>
|
|
|
|
<!-- Client Side Configuration -->
|
|
<sect1>
|
|
<heading>Client Side Configuration</heading>
|
|
<p>
|
|
In particular, we will take Netscape as an example here.
|
|
|
|
<enum>
|
|
<item> Start Netscape Communicator.
|
|
<item> Click on the Edit menu and click Preferences.
|
|
<item> Expand 'Advanced' node and click on 'Proxies'; you will see some options on the left.
|
|
<item> Click on Manual proxy configuration, then click on the View button.
|
|
<item> Put your ISA Server's IP address in the HTTP: box and the port where web cache is listening (usually 8080, depends what you set).
|
|
<item> Click on OK to confirm your changes.
|
|
<item> You will return back to the Preferences dialog.
|
|
<item> Click on OK to apply your changes.
|
|
</enum>
|
|
|
|
Load up a test url in your browser, it will ask you for authentication information,
|
|
In place of user, type DOMAIN\USER, where your DOMAIN being the Windows domain,
|
|
and USER being a legitimate domain user. In place of password, type the
|
|
user's password. Click on OK to continue. For example:
|
|
|
|
<code>
|
|
User: CABLENET\Raheel
|
|
Password: Mypassword
|
|
|
|
Where CABLENET is my domain, Raheel is the user id
|
|
and Mypassword is my password.
|
|
</code>
|
|
|
|
You should now see the page loading successfully. If you use a different browser
|
|
you will need to explore and see if it supports Basic Authentication.
|
|
|
|
</sect1>
|
|
</sect>
|
|
|
|
<!-- Method #2 - NTLM Authorization Proxy Server -->
|
|
<sect>
|
|
<heading>Method #2 - NTLM Authorization Proxy Server</heading>
|
|
<p>
|
|
NTLM Authorization Proxy Server is proxy server-like software that just provides NTLM
|
|
authentication in between your browser and ISA Server, and makes the server believe
|
|
it's talking to Internet Explorer. It does this by adding NTLM authorization strings to the
|
|
request headers. It is written in the Python language by Dmitry Rozmanov [nice work
|
|
dude!]. See <htmlurl name="www.python.org" url="http://www.python.org">.
|
|
Most linux distributions come bundled with a Python interpreter.
|
|
|
|
<!-- Getting NTLMAPS -->
|
|
<sect1>
|
|
<heading>Getting NTLMAPS</heading>
|
|
<p>
|
|
The NTLMAPS project home page is located at <htmlurl name="http://ntlmaps.sourceforge.net/" url="http://ntlmaps.sourceforge.net/">.
|
|
You can directly go to the download page at <htmlurl name="http://sourceforge.net/project/showfiles.php?group_id=69259" url="http://sourceforge.net/project/showfiles.php?group_id=69259">. The recent version at the time of writing this document is 0.9.8.
|
|
</sect1>
|
|
|
|
<!-- Installing NTLMAPS -->
|
|
<sect1>
|
|
<heading>Installing NTLMAPS</heading>
|
|
<p>
|
|
Once you have downloaded NTLMAPS, you can extract it into the directory of your choice:
|
|
|
|
<code>
|
|
tar xzvf apsxxx.tar.gz
|
|
cd apsxxx
|
|
|
|
where 'xxx' is the version number.
|
|
</code>
|
|
</sect1>
|
|
|
|
<!-- Quick Configuration -->
|
|
<sect1>
|
|
<heading>Quick Configuration</heading>
|
|
<p>
|
|
Load up <file>server.cfg</file> in your favorite editor. Locate the lines:
|
|
|
|
<code>
|
|
LISTEN_PORT:5865
|
|
|
|
# If you want APS to authenticate you at WWW servers using NTLM then just leave this
|
|
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
|
|
# And NOTE that NTLM cannot pass through another proxy server.
|
|
PARENT_PROXY:your_parentproxy
|
|
|
|
PARENT_PROXY_PORT:8080
|
|
</code>
|
|
|
|
By default, NTLMAPS listens on port 5865. You can change it to any port number of
|
|
your choice. You need to replace 'your_parentproxy' with the IP address of your
|
|
ISA Server. Put ISA Server's web cache port in PARENT_PROXY_PORT.
|
|
|
|
<p>
|
|
Now, locate the lines:
|
|
|
|
<code>
|
|
# Windows Domain.
|
|
# NOTE: it is not full qualified internet domain, but windows network domain.
|
|
NT_DOMAIN:your_domain
|
|
|
|
# What user's name to use during authorization. It may differ form real current username.
|
|
USER:username_to_use
|
|
|
|
# Password. Just leave it blank here and server will request it at the start time.
|
|
PASSWORD:your_nt_password
|
|
</code>
|
|
|
|
You will need to put in your domain name in place of your_domain, user name in place
|
|
of 'username_to_use' and password in place of 'your_nt_password'. Save the file after
|
|
editing.
|
|
|
|
</sect1>
|
|
|
|
<!-- Running NTLMAPS -->
|
|
<sect1>
|
|
<heading>Running NTLMAPS</heading>
|
|
<p>
|
|
Now simply run the file <file>main.py</file>, for example:
|
|
|
|
<code>
|
|
./main.py
|
|
</code>
|
|
|
|
Now the NTLMAPS server is listening.
|
|
</sect1>
|
|
|
|
<!-- Client Side Configuration -->
|
|
<sect1>
|
|
<heading>Client Side Configuration</heading>
|
|
<p>
|
|
In particular, we will use Netscape as an example here.
|
|
|
|
<itemize>
|
|
<item> Start Netscape Communicator.
|
|
<item> Click on Edit menu and click Preferences.
|
|
<item> Expand 'Advanced' node and click on 'Proxies'; you will see some options on the left.
|
|
<item> Click on Manual proxy configuration, then click on the View button.
|
|
<item> Put your local host's IP address (127.0.0.1) in the HTTP: box and port where NTLMAPS is listening (5865).
|
|
<item> Click on OK to confirm your changes.
|
|
<item> You will return back to Preferences dialog.
|
|
<item> Click on OK to apply your changes.
|
|
</itemize>
|
|
|
|
Load up a test url in your browser and you will see the web page loads successfully. If you use a different browser
|
|
then you will need to explore and see how you set it up to work with proxy.
|
|
</sect1>
|
|
</sect>
|
|
|
|
<sect>
|
|
<heading>Appendix</heading>
|
|
|
|
<sect1>
|
|
<heading>Appendix - A - Resources</heading>
|
|
<p> Microsoft Knowledge Base Article - 295667
|
|
|
|
<htmlurl url="http://support.microsoft.com/?kbid=295667"
|
|
name="http://support.microsoft.com/?kbid=295667">
|
|
|
|
<p> NTLM Authorization Proxy Server home page
|
|
<htmlurl name="http://ntlmaps.sourceforge.net/" url="http://ntlmaps.sourceforge.net/">
|
|
|
|
<p> Python Home Page
|
|
<htmlurl name="www.python.org" url="http://www.python.org">
|
|
</sect1>
|
|
<sect1>
|
|
<heading>Appendix - B - Acknowledgments </heading>
|
|
<p>
|
|
<itemize>
|
|
<item> Special thanks to Tabatha Persad (tabatha AT merlinmonroe DOT com) for reviewing and fixing the grammatical, structural, spelling and markup mistakes in this document.
|
|
<item> Thanks to Greg Ferguson (gferg AT sgi DOT com), Joy Goodreau (joyg AT us DOT ibm DOT com) for their guidance on submitting this document.
|
|
<item> Thanks to Faisal Khatri (fslkhatri AT hotmail DOT com) for verifying the information in this document.
|
|
</itemize>
|
|
</sect1>
|
|
</sect>
|
|
|
|
</article>
|
|
|