383 lines
12 KiB
Plaintext
383 lines
12 KiB
Plaintext
Web Browsing Behind ISA Server HOWTO
|
||
by Raheel Abdul Hameed (raheel at raheelhameed dot com)
|
||
v1.0, April 2003
|
||
|
||
If you are using a Linux box connected to a Windows-based ISA server,
|
||
this article will help you set things up so you can browse the web
|
||
from your Linux machine. I decided to write this article because I
|
||
experienced similar issues, and after some digging found some ways to
|
||
web-enable my cute Linux machine. So here is this article with the
|
||
hope that you'll like it and find it useful. Any feedback will be
|
||
appreciated, especially in the patch form :)
|
||
______________________________________________________________________
|
||
|
||
Table of Contents
|
||
|
||
|
||
1. Introduction
|
||
|
||
1.1 Copyright
|
||
1.2 Disclaimer
|
||
1.3 Getting the latest version
|
||
1.4 Requisites
|
||
1.5 Uses of this document
|
||
1.6 Translations
|
||
|
||
2. ISA Server
|
||
|
||
2.1 A few words on ISA Server
|
||
2.2 Why doesn't it work?
|
||
|
||
3. Method #1 - Enable Basic Authentication
|
||
|
||
3.1 Server Side Configuration
|
||
3.2 Client Side Configuration
|
||
|
||
4. Method #2 - NTLM Authorization Proxy Server
|
||
|
||
4.1 Getting NTLMAPS
|
||
4.2 Installing NTLMAPS
|
||
4.3 Quick Configuration
|
||
4.4 Running NTLMAPS
|
||
4.5 Client Side Configuration
|
||
|
||
5. Appendix
|
||
|
||
5.1 Appendix - A - Resources
|
||
5.2 Appendix - B - Acknowledgments
|
||
|
||
|
||
______________________________________________________________________
|
||
|
||
1. Introduction
|
||
|
||
This section first discusses some legal matters, requisites, uses of
|
||
this document and links where its latest version can be found.
|
||
|
||
|
||
1.1. Copyright
|
||
|
||
This document is Copyright (c) 2003 by Raheel Abdul Hameed
|
||
|
||
Permission is granted to copy, distribute and/or modify this document
|
||
under the terms of the GNU Free Documentation License, Version 1.2 or
|
||
any later version published by the Free Software Foundation; with no
|
||
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
|
||
|
||
For the full text of the license, please visit GNU Free Documentation
|
||
License <http://www.gnu.org/copyleft/fdl.html>.
|
||
|
||
|
||
1.2. Disclaimer
|
||
|
||
Use the information in this document at your own risk. I disavow any
|
||
potential liability for the contents of this document. Use of the
|
||
concepts, examples, and/or other content of this document is entirely
|
||
at your own risk.
|
||
|
||
All copyrights are owned by their owners, unless specifically noted
|
||
otherwise. Use of a term in this document should not be regarded as
|
||
affecting the validity of any trademark or service mark.
|
||
|
||
Naming of particular products or brands should not be seen as
|
||
endorsements.
|
||
|
||
You are strongly recommended to take a backup of your system before
|
||
major installation and backups at regular intervals.
|
||
|
||
|
||
1.3. Getting the latest version
|
||
|
||
The latest version of this document is available at
|
||
http://www.tldp.org/HOWTO/Web-Browsing-Behind-ISA-Server.html
|
||
|
||
1.4. Requisites
|
||
|
||
|
||
This document assumes that you are familiar with editing files using
|
||
any of your favorite text editors, as it talks about editing a
|
||
configuration file. Some familiarity with ISA server configuration is
|
||
also favorable, but not necessary.
|
||
|
||
1.5. Uses of this document
|
||
|
||
This document tries to be useful in the following situations:
|
||
|
||
<20> You have a Windows machine running ISA Server as a proxy that
|
||
connects to internet.
|
||
|
||
<20> You have a Linux machine where you want to run your browser to
|
||
browse the web behind ISA Server proxy.
|
||
|
||
<20> You are sick of using Windows to browse the net.
|
||
|
||
<20> You are a complete nerd and read every HOWTO available.
|
||
|
||
1.6. Translations
|
||
|
||
No translations done yet.
|
||
|
||
If you made or have any information about any translation of this
|
||
document, please, email it to me so I update this section.
|
||
|
||
2. ISA Server
|
||
|
||
|
||
|
||
2.1. A few words on ISA Server
|
||
|
||
ISA Server provides many important networking functions that include
|
||
Firewalling, Web-cache, Policy-based Administration, Dynamic IP
|
||
Filtering, VPN Support, Intrusion Detection, NAT and reporting. While
|
||
being a robust solution for Windows-based clients, its a pain for
|
||
Linux users because most of the Linux-based browsers do not appear to
|
||
be working behind it. The term 'appear to be' is used because there
|
||
are some known workouts for this.
|
||
|
||
2.2. Why doesn't it work?
|
||
|
||
While running Windows-based clients behind ISA Server, have you
|
||
noticed that normally you could browse using only Internet Explorer,
|
||
and not using other browsers like Netscape? This is because ISA server
|
||
uses an authentication mechanism it calls 'Integrated Authentication.'
|
||
When Internet Explorer contacts ISA server to request a page, along
|
||
with every request it sends a hash that the server uses to
|
||
authenticate you as a legitimate domain user [You can verify this fact
|
||
by sniffing some packets while you browse, just check the request
|
||
header that your browser sends to the ISA server]. This authentication
|
||
method is not supported by other browsers, which is why it renders
|
||
most of the browsers useless.
|
||
|
||
The following sections will tell you about two methods to enable your
|
||
Linux-based browser to browse the net.
|
||
|
||
3. Method #1 - Enable Basic Authentication
|
||
|
||
As mentioned above, due to Integrated Authentication support
|
||
configured on ISA server, third party browsers do not work behind it.
|
||
In this situation you can make use of another authentication scheme
|
||
called 'Basic Authentication', commonly supported by most browsers and
|
||
most importantly by ISA Server too. If you work in a security
|
||
conscious environment this method is not recommended since during
|
||
basic authentication, the username and password sent are loosely
|
||
encrypted.
|
||
|
||
The point here is that to proceed with this method you will have to
|
||
make sure that you have legitimate access over configuring the ISA
|
||
Server. If you cannot access the server configuration console, then
|
||
move on to the second method in the following section.
|
||
|
||
|
||
3.1. Server Side Configuration
|
||
|
||
All you need to do is fire up 'ISA Management' and follow these steps:
|
||
|
||
1. Right-click your server and click on Properties.
|
||
|
||
2. Go to the Outgoing Web Requests tab, click the configured listener
|
||
that you want to change, and then click Edit.
|
||
|
||
3. Click Basic authentication, and then select the domain in which the
|
||
accounts exist that you want to authenticate.
|
||
|
||
4. Now it's time to move on to your Linux-based browser.
|
||
|
||
3.2. Client Side Configuration
|
||
|
||
In particular, we will take Netscape as an example here.
|
||
|
||
|
||
1. Start Netscape Communicator.
|
||
|
||
2. Click on the Edit menu and click Preferences.
|
||
|
||
3. Expand 'Advanced' node and click on 'Proxies'; you will see some
|
||
options on the left.
|
||
|
||
|
||
4. Click on Manual proxy configuration, then click on the View button.
|
||
|
||
5. Put your ISA Server's IP address in the HTTP: box and the port
|
||
where web cache is listening (usually 8080, depends what you set).
|
||
|
||
6. Click on OK to confirm your changes.
|
||
|
||
7. You will return back to the Preferences dialog.
|
||
|
||
8. Click on OK to apply your changes.
|
||
|
||
Load up a test url in your browser, it will ask you for authentication
|
||
information, In place of user, type DOMAIN\USER, where your DOMAIN
|
||
being the Windows domain, and USER being a legitimate domain user. In
|
||
place of password, type the user's password. Click on OK to continue.
|
||
For example:
|
||
|
||
|
||
______________________________________________________________________
|
||
User: CABLENET\Raheel
|
||
Password: Mypassword
|
||
|
||
Where CABLENET is my domain, Raheel is the user id
|
||
and Mypassword is my password.
|
||
______________________________________________________________________
|
||
|
||
|
||
|
||
You should now see the page loading successfully. If you use a
|
||
different browser you will need to explore and see if it supports
|
||
Basic Authentication.
|
||
|
||
|
||
4. Method #2 - NTLM Authorization Proxy Server
|
||
|
||
NTLM Authorization Proxy Server is proxy server-like software that
|
||
just provides NTLM authentication in between your browser and ISA
|
||
Server, and makes the server believe it's talking to Internet
|
||
Explorer. It does this by adding NTLM authorization strings to the
|
||
request headers. It is written in the Python language by Dmitry
|
||
Rozmanov [nice work dude!]. See www.python.org. Most linux
|
||
distributions come bundled with a Python interpreter.
|
||
|
||
|
||
4.1. Getting NTLMAPS
|
||
|
||
The NTLMAPS project home page is located at
|
||
http://ntlmaps.sourceforge.net/. You can directly go to the download
|
||
page at http://sourceforge.net/project/showfiles.php?group_id=69259.
|
||
The recent version at the time of writing this document is 0.9.8.
|
||
|
||
4.2. Installing NTLMAPS
|
||
|
||
Once you have downloaded NTLMAPS, you can extract it into the
|
||
directory of your choice:
|
||
|
||
|
||
______________________________________________________________________
|
||
|
||
tar xzvf apsxxx.tar.gz
|
||
cd apsxxx
|
||
|
||
where 'xxx' is the version number.
|
||
______________________________________________________________________
|
||
|
||
|
||
4.3. Quick Configuration
|
||
|
||
Load up server.cfg in your favorite editor. Locate the lines:
|
||
|
||
|
||
______________________________________________________________________
|
||
|
||
LISTEN_PORT:5865
|
||
|
||
# If you want APS to authenticate you at WWW servers using NTLM then just leave this
|
||
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
|
||
# And NOTE that NTLM cannot pass through another proxy server.
|
||
PARENT_PROXY:your_parentproxy
|
||
|
||
PARENT_PROXY_PORT:8080
|
||
______________________________________________________________________
|
||
|
||
|
||
|
||
By default, NTLMAPS listens on port 5865. You can change it to any
|
||
port number of your choice. You need to replace 'your_parentproxy'
|
||
with the IP address of your ISA Server. Put ISA Server's web cache
|
||
port in PARENT_PROXY_PORT.
|
||
|
||
|
||
Now, locate the lines:
|
||
|
||
|
||
______________________________________________________________________
|
||
|
||
# Windows Domain.
|
||
# NOTE: it is not full qualified internet domain, but windows network domain.
|
||
NT_DOMAIN:your_domain
|
||
|
||
# What user's name to use during authorization. It may differ form real current username.
|
||
USER:username_to_use
|
||
|
||
# Password. Just leave it blank here and server will request it at the start time.
|
||
PASSWORD:your_nt_password
|
||
______________________________________________________________________
|
||
|
||
|
||
|
||
You will need to put in your domain name in place of your_domain, user
|
||
name in place of 'username_to_use' and password in place of
|
||
'your_nt_password'. Save the file after editing.
|
||
|
||
|
||
4.4. Running NTLMAPS
|
||
|
||
Now simply run the file main.py, for example:
|
||
|
||
|
||
______________________________________________________________________
|
||
|
||
./main.py
|
||
______________________________________________________________________
|
||
|
||
|
||
|
||
Now the NTLMAPS server is listening.
|
||
|
||
4.5. Client Side Configuration
|
||
|
||
In particular, we will use Netscape as an example here.
|
||
|
||
<20> Start Netscape Communicator.
|
||
|
||
<20> Click on Edit menu and click Preferences.
|
||
|
||
<20> Expand 'Advanced' node and click on 'Proxies'; you will see some
|
||
options on the left.
|
||
|
||
<20> Click on Manual proxy configuration, then click on the View button.
|
||
|
||
<20> Put your local host's IP address (127.0.0.1) in the HTTP: box and
|
||
port where NTLMAPS is listening (5865).
|
||
|
||
<20> Click on OK to confirm your changes.
|
||
|
||
<20> You will return back to Preferences dialog.
|
||
|
||
<20> Click on OK to apply your changes.
|
||
|
||
Load up a test url in your browser and you will see the web page loads
|
||
successfully. If you use a different browser then you will need to
|
||
explore and see how you set it up to work with proxy.
|
||
|
||
5. Appendix
|
||
|
||
5.1. Appendix - A - Resources
|
||
|
||
Microsoft Knowledge Base Article - 295667
|
||
|
||
http://support.microsoft.com/?kbid=295667
|
||
|
||
|
||
NTLM Authorization Proxy Server home page
|
||
http://ntlmaps.sourceforge.net/
|
||
|
||
|
||
Python Home Page www.python.org
|
||
|
||
5.2. Appendix - B - Acknowledgments
|
||
|
||
|
||
<20> Special thanks to Tabatha Persad (tabatha AT merlinmonroe DOT com)
|
||
for reviewing and fixing the grammatical, structural, spelling and
|
||
markup mistakes in this document.
|
||
|
||
<20> Thanks to Greg Ferguson (gferg AT sgi DOT com), Joy Goodreau (joyg
|
||
AT us DOT ibm DOT com) for their guidance on submitting this
|
||
document.
|
||
|
||
<20> Thanks to Faisal Khatri (fslkhatri AT hotmail DOT com) for
|
||
verifying the information in this document.
|
||
|
||
|
||
|