Web Browsing Behind ISA Server HOWTO

by Raheel Abdul Hameed (raheel at raheelhameed dot com)

v1.0, April 2003

If you are using a Linux box connected to a Windows-based ISA server,
this article will help you set things up so you can browse the web
from your Linux machine. I decided to write this article because I
experienced similar issues, and after some digging found some ways to
web-enable my cute Linux machine. So here is this article with the
hope that you'll like it and find it useful. Any feedback will be
appreciated, especially in the patch form :)
______________________________________________________________________

Table of Contents

1. Introduction
   1.1 Copyright
   1.2 Disclaimer
   1.3 Getting the latest version
   1.4 Requisites
   1.5 Uses of this document
   1.6 Translations

2. ISA Server
   2.1 A few words on ISA Server
   2.2 Why doesn't it work?

3. Method #1 - Enable Basic Authentication
   3.1 Server Side Configuration
   3.2 Client Side Configuration

4. Method #2 - NTLM Authorization Proxy Server
   4.1 Getting NTLMAPS
   4.2 Installing NTLMAPS
   4.3 Quick Configuration
   4.4 Running NTLMAPS
   4.5 Client Side Configuration

5. Appendix
   5.1 Appendix - A - Resources
   5.2 Appendix - B - Acknowledgments

______________________________________________________________________

1. Introduction

This section first discusses some legal matters, requisites, uses of
this document and links where its latest version can be found.

1.1. Copyright

This document is Copyright (c) 2003 by Raheel Abdul Hameed

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

For the full text of the license, please visit GNU Free Documentation
License <http://www.gnu.org/copyleft/fdl.html>.

1.2. Disclaimer

Use the information in this document at your own risk. I disavow any
potential liability for the contents of this document. Use of the
concepts, examples, and/or other content of this document is entirely
at your own risk.

All copyrights are owned by their owners, unless specifically noted
otherwise. Use of a term in this document should not be regarded as
affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as
endorsements.

You are strongly recommended to take a backup of your system before
any major installation, and to take backups at regular intervals.

1.3. Getting the latest version

The latest version of this document is available at
http://www.tldp.org/HOWTO/Web-Browsing-Behind-ISA-Server.html

1.4. Requisites

This document assumes that you are familiar with editing files using
any of your favorite text editors, as it talks about editing a
configuration file. Some familiarity with ISA Server configuration is
also helpful, but not necessary.

1.5. Uses of this document

This document tries to be useful in the following situations:

· You have a Windows machine running ISA Server as a proxy that
  connects to the internet.

· You have a Linux machine where you want to run your browser to
  browse the web behind the ISA Server proxy.

· You are sick of using Windows to browse the net.

· You are a complete nerd and read every HOWTO available.

1.6. Translations

No translations done yet.

If you made or have any information about any translation of this
document, please email it to me so I can update this section.
2. ISA Server

2.1. A few words on ISA Server

ISA Server provides many important networking functions that include
firewalling, web cache, policy-based administration, dynamic IP
filtering, VPN support, intrusion detection, NAT and reporting. While
being a robust solution for Windows-based clients, it's a pain for
Linux users because most of the Linux-based browsers do not appear to
work behind it. The term 'appear to' is used because there are some
known workarounds for this.

2.2. Why doesn't it work?

While running Windows-based clients behind ISA Server, have you
noticed that normally you could browse using only Internet Explorer,
and not using other browsers like Netscape? This is because ISA Server
uses an authentication mechanism it calls 'Integrated Authentication.'
When Internet Explorer contacts ISA Server to request a page, along
with every request it sends a hash (an NTLM authorization string, see
Section 4) that the server uses to authenticate you as a legitimate
domain user [you can verify this by sniffing some packets while you
browse; just check the request header that your browser sends to the
ISA Server]. This authentication method is not supported by other
browsers, which is why it renders most of the browsers useless.

The following sections will tell you about two methods to enable your
Linux-based browser to browse the net.
3. Method #1 - Enable Basic Authentication

As mentioned above, due to the Integrated Authentication support
configured on ISA Server, third-party browsers do not work behind it.
In this situation you can make use of another authentication scheme
called 'Basic Authentication', commonly supported by most browsers
and, most importantly, by ISA Server too. If you work in a
security-conscious environment this method is not recommended, since
during basic authentication the username and password are sent only
Base64-encoded, not encrypted: anyone who can read the traffic between
your browser and the ISA Server can recover them.

The point here is that to proceed with this method you will have to
make sure that you have legitimate access to configure the ISA
Server. If you cannot access the server configuration console, then
move on to the second method in the following section.

3.1. Server Side Configuration

All you need to do is fire up 'ISA Management' and follow these steps:

1. Right-click your server and click on Properties.

2. Go to the Outgoing Web Requests tab, click the configured listener
   that you want to change, and then click Edit.

3. Click Basic authentication, and then select the domain in which the
   accounts exist that you want to authenticate.

4. Now it's time to move on to your Linux-based browser.

3.2. Client Side Configuration

In particular, we will take Netscape as an example here.

1. Start Netscape Communicator.

2. Click on the Edit menu and click Preferences.

3. Expand the 'Advanced' node and click on 'Proxies'; you will see
   some options on the left.

4. Click on Manual proxy configuration, then click on the View button.

5. Put your ISA Server's IP address in the HTTP: box and the port
   where the web cache is listening (usually 8080, depending on what
   you set).

6. Click on OK to confirm your changes.

7. You will return to the Preferences dialog.

8. Click on OK to apply your changes.

Load up a test URL in your browser; it will ask you for authentication
information. In place of user, type DOMAIN\USER, where DOMAIN is the
Windows domain and USER is a legitimate domain user. In place of
password, type the user's password. Click on OK to continue. For
example:

______________________________________________________________________
User: CABLENET\Raheel
Password: Mypassword

Where CABLENET is my domain, Raheel is the user id
and Mypassword is my password.
______________________________________________________________________

You should now see the page loading successfully. If you use a
different browser you will need to explore and see if it supports
Basic Authentication.
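To make the two points above concrete (the NTLM authorization string that Internet Explorer sends with every request, Section 2.2, and the Basic Authentication credentials that Method #1 puts on the wire), here is an added Python example that is not part of the original HOWTO. It builds the Proxy-Authorization header a browser sends for the CABLENET\Raheel example and inspects a captured request to report which scheme is in use and whether the password can be read straight off the wire. The NTLM Negotiate token and the request lines are constructed samples.

```python
import base64
import struct

def basic_proxy_header(domain: str, user: str, password: str) -> str:
    """Header a browser sends to the ISA listener under Method #1."""
    # Basic auth is only Base64-encoded, not encrypted: undoing this
    # function is one decode call, which is why Method #1 is discouraged.
    creds = f"{domain}\\{user}:{password}".encode("latin-1")
    return "Proxy-Authorization: Basic " + base64.b64encode(creds).decode("ascii")

def ntlm_negotiate_token() -> str:
    """Constructed NTLMSSP Type 1 (Negotiate) message, the first token of
    the Integrated Authentication handshake; the flag bits are a sample."""
    blob = (b"NTLMSSP\x00"               # signature
            + struct.pack("<I", 1)       # message type 1 = Negotiate
            + struct.pack("<I", 0x207)   # negotiate flags (sample value)
            + b"\x00" * 16)              # empty domain/workstation fields
    return base64.b64encode(blob).decode("ascii")

# Constructed sample of an Internet Explorer request as a sniffer sees it.
SAMPLE_IE_REQUEST = ("GET http://www.tldp.org/ HTTP/1.1\r\nHost: www.tldp.org\r\n"
                     "Proxy-Authorization: NTLM " + ntlm_negotiate_token()
                     + "\r\n\r\n")

def inspect_proxy_auth(request: str) -> dict:
    """Report which scheme a captured proxy request uses and whether the
    password can be read straight off the wire."""
    for line in request.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() == "basic":
            decoded = base64.b64decode(token).decode("latin-1")
            userpart, _, password = decoded.partition(":")
            domain, _, user = userpart.rpartition("\\")
            return {"scheme": "Basic", "domain": domain, "user": user,
                    "password": password, "password_recoverable": True}
        if scheme.lower() == "ntlm":
            blob = base64.b64decode(token)
            if blob[:8] != b"NTLMSSP\x00":
                return {"scheme": "NTLM", "valid": False, "password_recoverable": False}
            msg_type = struct.unpack_from("<I", blob, 8)[0]  # 1, 2 or 3
            # NTLM never puts the password itself on the wire; a type 3
            # message carries a response computed from the server's challenge.
            return {"scheme": "NTLM", "message_type": msg_type,
                    "password_recoverable": False}
        return {"scheme": scheme, "password_recoverable": False}
    return {"scheme": None, "password_recoverable": False}
```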

4. Method #2 - NTLM Authorization Proxy Server

NTLM Authorization Proxy Server is proxy server-like software that
just provides NTLM authentication in between your browser and ISA
Server, and makes the server believe it's talking to Internet
Explorer. It does this by adding NTLM authorization strings to the
request headers. It is written in the Python language by Dmitry
Rozmanov [nice work dude!]. See www.python.org. Most Linux
distributions come bundled with a Python interpreter.

4.1. Getting NTLMAPS

The NTLMAPS project home page is located at
http://ntlmaps.sourceforge.net/. You can directly go to the download
page at http://sourceforge.net/project/showfiles.php?group_id=69259.
The most recent version at the time of writing this document is 0.9.8.

4.2. Installing NTLMAPS

Once you have downloaded NTLMAPS, you can extract it into the
directory of your choice:

______________________________________________________________________
tar xzvf apsxxx.tar.gz
cd apsxxx

where 'xxx' is the version number.
______________________________________________________________________

4.3. Quick Configuration

Load up server.cfg in your favorite editor. Locate the lines:

______________________________________________________________________
LISTEN_PORT:5865

# If you want APS to authenticate you at WWW servers using NTLM then just leave this
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
# And NOTE that NTLM cannot pass through another proxy server.
PARENT_PROXY:your_parentproxy

PARENT_PROXY_PORT:8080
______________________________________________________________________

By default, NTLMAPS listens on port 5865. You can change it to any
port number of your choice. You need to replace 'your_parentproxy'
with the IP address of your ISA Server. Put the ISA Server's web cache
port in PARENT_PROXY_PORT.

Now, locate the lines:

______________________________________________________________________
# Windows Domain.
# NOTE: it is not full qualified internet domain, but windows network domain.
NT_DOMAIN:your_domain

# What user's name to use during authorization. It may differ form real current username.
USER:username_to_use

# Password. Just leave it blank here and server will request it at the start time.
PASSWORD:your_nt_password
______________________________________________________________________

You will need to put your domain name in place of 'your_domain', your
user name in place of 'username_to_use' and your password in place of
'your_nt_password'. As the comment in the file says, you can also leave
PASSWORD blank, in which case NTLMAPS asks for the password when it
starts instead of storing it in clear text in server.cfg. Save the file
after editing.
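An added example, not part of NTLMAPS or of this HOWTO: a small checker for the server.cfg lines quoted above that reports placeholders left in place, invalid port numbers, a blank PARENT_PROXY (which would make APS bypass the ISA Server) and a password stored in clear text. The KEY:value format with '#' comment lines is taken from the quoted fragment; that the real file also contains [SECTION] headers is an assumption, and the sample configuration is a constructed copy of the quoted lines.

```python
PLACEHOLDERS = {"PARENT_PROXY": "your_parentproxy", "NT_DOMAIN": "your_domain",
                "USER": "username_to_use", "PASSWORD": "your_nt_password"}

# Constructed copy of the server.cfg lines quoted above, still unedited.
UNEDITED_CFG = """\
LISTEN_PORT:5865
# And NOTE that NTLM cannot pass through another proxy server.
PARENT_PROXY:your_parentproxy
PARENT_PROXY_PORT:8080
# Windows Domain.
NT_DOMAIN:your_domain
USER:username_to_use
# Password. Just leave it blank here and server will request it at the start time.
PASSWORD:your_nt_password
"""

def parse_cfg(text: str) -> dict:
    """Parse NTLMAPS-style KEY:value lines. '#' comment lines and any
    [SECTION] headers (assumed; the HOWTO does not show them) are
    skipped; a key with nothing after the colon maps to ''."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition(":")
        if sep:
            values[key.strip()] = value.strip()
    return values

def check_cfg(text: str) -> list:
    """Return the problems to fix in server.cfg before running main.py."""
    cfg = parse_cfg(text)
    problems = []
    for key, placeholder in PLACEHOLDERS.items():
        if cfg.get(key) == placeholder:
            problems.append(f"{key} still holds the placeholder '{placeholder}'")
    for key in ("LISTEN_PORT", "PARENT_PROXY_PORT"):
        port = cfg.get(key, "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"{key} is not a valid TCP port: '{port}'")
    if not cfg.get("PARENT_PROXY"):
        # Blank means APS connects directly instead of via the ISA Server.
        problems.append("PARENT_PROXY is blank; set it to the ISA Server's IP address")
    if cfg.get("PASSWORD") and cfg["PASSWORD"] != PLACEHOLDERS["PASSWORD"]:
        # The file's own comment recommends leaving this blank so that
        # NTLMAPS prompts at start-up instead of keeping the password on disk.
        problems.append("PASSWORD is stored in clear text in server.cfg; leave it blank")
    return problems
```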

4.4. Running NTLMAPS

Now simply run the file main.py, for example:

______________________________________________________________________
./main.py
______________________________________________________________________

Now the NTLMAPS server is listening.

4.5. Client Side Configuration

In particular, we will use Netscape as an example here.

· Start Netscape Communicator.

· Click on the Edit menu and click Preferences.

· Expand the 'Advanced' node and click on 'Proxies'; you will see some
  options on the left.

· Click on Manual proxy configuration, then click on the View button.

· Put your local host's IP address (127.0.0.1) in the HTTP: box and
  the port where NTLMAPS is listening (5865).

· Click on OK to confirm your changes.

· You will return to the Preferences dialog.

· Click on OK to apply your changes.

Load up a test URL in your browser and you will see the web page load
successfully. If you use a different browser then you will need to
explore and see how to set it up to work with a proxy.

5. Appendix

5.1. Appendix - A - Resources

Microsoft Knowledge Base Article - 295667
http://support.microsoft.com/?kbid=295667

NTLM Authorization Proxy Server home page
http://ntlmaps.sourceforge.net/

Python Home Page www.python.org

5.2. Appendix - B - Acknowledgments

· Special thanks to Tabatha Persad (tabatha AT merlinmonroe DOT com)
  for reviewing and fixing the grammatical, structural, spelling and
  markup mistakes in this document.

· Thanks to Greg Ferguson (gferg AT sgi DOT com), Joy Goodreau (joyg
  AT us DOT ibm DOT com) for their guidance on submitting this
  document.

· Thanks to Faisal Khatri (fslkhatri AT hotmail DOT com) for
  verifying the information in this document.