GNU.WIKI: The GNU/Linux Knowledge Base

  [HOME] [HowTo] [ABS] [MAN1] [MAN2] [MAN3] [MAN4] [MAN5] [MAN6] [MAN7] [MAN8] [MAN9]

 


  Web Browsing Behind ISA Server HOWTO
  by Raheel Abdul Hameed (raheel at raheelhameed dot com)
  v1.0, April 2003

  If you are using a Linux box connected to a Windows-based ISA server,
  this article will help you set things up so you can browse the web
  from your Linux machine. I decided to write this article because I
  experienced similar issues, and after some digging found some ways to
  web-enable my cute Linux machine. So here is this article with the
  hope that you'll like it and find it useful. Any feedback will be
  appreciated, especially in the patch form :)
  ______________________________________________________________________

  Table of Contents


  1. Introduction

     1.1 Copyright
     1.2 Disclaimer
     1.3 Getting the latest version
     1.4 Requisites
     1.5 Uses of this document
     1.6 Translations

  2. ISA Server

     2.1 A few words on ISA Server
     2.2 Why doesn't it work?

  3. Method #1 - Enable Basic Authentication

     3.1 Server Side Configuration
     3.2 Client Side Configuration

  4. Method #2 - NTLM Authorization Proxy Server

     4.1 Getting NTLMAPS
     4.2 Installing NTLMAPS
     4.3 Quick Configuration
     4.4 Running NTLMAPS
     4.5 Client Side Configuration

  5. Appendix

     5.1 Appendix - A - Resources
     5.2 Appendix - B - Acknowledgments


  ______________________________________________________________________

  1.  Introduction

  This section first discusses some legal matters, requisites, uses of
  this document and links where its latest version can be found.


  1.1.  Copyright

  This document is Copyright (c) 2003 by Raheel Abdul Hameed

  Permission is granted to copy, distribute and/or modify this document
  under the terms of the GNU Free Documentation License, Version 1.2 or
  any later version published by the Free Software Foundation; with no
  Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

  For the full text of the license, please visit GNU Free Documentation
  License <http://www.gnu.org/copyleft/fdl.html>.


  1.2.  Disclaimer

  Use the information in this document at your own risk. I disavow any
  potential liability for the contents of this document. Use of the
  concepts, examples, and/or other content of this document is entirely
  at your own risk.

  All copyrights are owned by their owners, unless specifically noted
  otherwise.  Use of a term in this document should not be regarded as
  affecting the validity of any trademark or service mark.

  Naming of particular products or brands should not be seen as
  endorsements.

  You are strongly recommended to take a backup of your system before
  major installation and backups at regular intervals.


  1.3.  Getting the latest version

  The latest version of this document is available at
  http://www.tldp.org/HOWTO/Web-Browsing-Behind-ISA-Server.html

  1.4.  Requisites


  This document assumes that you are familiar with editing files using
  any of your favorite text editors, as it talks about editing a
  configuration file.  Some familiarity with ISA server configuration is
  also favorable, but not necessary.

  1.5.  Uses of this document

  This document tries to be useful in the following situations:

  �  You have a Windows machine running ISA Server as a proxy that
     connects to internet.

  �  You have a Linux machine where you want to run your browser to
     browse the web behind ISA Server proxy.

  �  You are sick of using Windows to browse the net.

  �  You are a complete nerd and read every HOWTO available.

  1.6.  Translations

  No translations done yet.

  If you made or have any information about any translation of this
  document, please, email it to me so I update this section.

  2.  ISA Server



  2.1.  A few words on ISA Server

  ISA Server provides many important networking functions that include
  Firewalling, Web-cache, Policy-based Administration, Dynamic IP
  Filtering, VPN Support, Intrusion Detection, NAT and reporting. While
  being a robust solution for Windows-based clients, its a pain for
  Linux users because most of the Linux-based browsers do not appear to
  be working behind it. The term 'appear to be' is used because there
  are some known workouts for this.

  2.2.  Why doesn't it work?

  While running Windows-based clients behind ISA Server, have you
  noticed that normally you could browse using only Internet Explorer,
  and not using other browsers like Netscape? This is because ISA server
  uses an authentication mechanism it calls 'Integrated Authentication.'
  When Internet Explorer contacts ISA server to request a page, along
  with every request it sends a hash that the server uses to
  authenticate you as a legitimate domain user [You can verify this fact
  by sniffing some packets while you  browse, just check the request
  header that your browser sends to the ISA server]. This authentication
  method is not supported by other browsers, which is why it renders
  most of the browsers useless.

  The following sections will tell you about two methods to enable your
  Linux-based browser to browse the net.

  3.  Method #1 - Enable Basic Authentication

  As mentioned above, due to Integrated Authentication support
  configured on ISA server, third party browsers do not work behind it.
  In this situation you can make use of another authentication scheme
  called 'Basic Authentication', commonly supported by most browsers and
  most importantly by ISA Server too. If you work in a security
  conscious environment this method is not recommended since during
  basic authentication, the username and password sent are loosely
  encrypted.

  The point here is that to proceed with this method you will have to
  make sure that you have legitimate access over configuring the ISA
  Server. If you cannot access the server configuration console, then
  move on to the second method in the following section.


  3.1.  Server Side Configuration

  All you need to do is fire up 'ISA Management' and follow these steps:

  1. Right-click your server and click on Properties.

  2. Go to the Outgoing Web Requests tab, click the configured listener
     that you want to change, and then click Edit.

  3. Click Basic authentication, and then select the domain in which the
     accounts exist that you want to authenticate.

  4. Now it's time to move on to your Linux-based browser.

  3.2.  Client Side Configuration

  In particular, we will take Netscape as an example here.


  1. Start Netscape Communicator.

  2. Click on the Edit menu and click Preferences.

  3. Expand 'Advanced' node and click on 'Proxies'; you will see some
     options on the left.


  4. Click on Manual proxy configuration, then click on the View button.

  5. Put your ISA Server's IP address in the HTTP: box and the port
     where web cache is listening (usually 8080, depends what you set).

  6. Click on OK to confirm your changes.

  7. You will return back to the Preferences dialog.

  8. Click on OK to apply your changes.

  Load up a test url in your browser, it will ask you for authentication
  information, In place of user, type DOMAIN\USER, where your DOMAIN
  being the Windows domain, and USER being a legitimate domain user. In
  place of password, type the user's password. Click on OK to continue.
  For example:


  ______________________________________________________________________
  User: CABLENET\Raheel
  Password: Mypassword

  Where CABLENET is my domain, Raheel is the user id
  and Mypassword is my password.
  ______________________________________________________________________



  You should now see the page loading successfully. If you use a
  different browser you will need to explore and see if it supports
  Basic Authentication.


  4.  Method #2 - NTLM Authorization Proxy Server

  NTLM Authorization Proxy Server is proxy server-like software that
  just provides NTLM authentication in between your browser and ISA
  Server, and makes the server believe it's talking to Internet
  Explorer. It does this by adding NTLM authorization strings to the
  request headers. It is written in the Python language by Dmitry
  Rozmanov [nice work dude!]. See www.python.org.  Most linux
  distributions come bundled with a Python interpreter.


  4.1.  Getting NTLMAPS

  The NTLMAPS project home page is located at
  http://ntlmaps.sourceforge.net/.  You can directly go to the download
  page at http://sourceforge.net/project/showfiles.php?group_id=69259.
  The recent version at the time of writing this document is 0.9.8.

  4.2.  Installing NTLMAPS

  Once you have downloaded NTLMAPS, you can extract it into the
  directory of your choice:


  ______________________________________________________________________

  tar xzvf apsxxx.tar.gz
  cd apsxxx

  where 'xxx' is the version number.
  ______________________________________________________________________


  4.3.  Quick Configuration

  Load up server.cfg in your favorite editor. Locate the lines:


  ______________________________________________________________________

  LISTEN_PORT:5865

  # If you want APS to authenticate you at WWW servers using NTLM then just leave this
  # value blank like PARENT_PROXY: and APS will connect to web servers directly.
  # And NOTE that NTLM cannot pass through another proxy server.
  PARENT_PROXY:your_parentproxy

  PARENT_PROXY_PORT:8080
  ______________________________________________________________________



  By default, NTLMAPS listens on port 5865.  You can change it to any
  port number of your choice. You need to replace 'your_parentproxy'
  with the IP address of your ISA Server. Put ISA Server's web cache
  port in PARENT_PROXY_PORT.


  Now, locate the lines:


  ______________________________________________________________________

  # Windows Domain.
  # NOTE: it is not full qualified internet domain, but windows network domain.
  NT_DOMAIN:your_domain

  # What user's name to use during authorization. It may differ form real current username.
  USER:username_to_use

  # Password. Just leave it blank here and server will request it at the start time.
  PASSWORD:your_nt_password
  ______________________________________________________________________



  You will need to put in your domain name in place of your_domain, user
  name in place of 'username_to_use' and password in place of
  'your_nt_password'. Save the file after editing.


  4.4.  Running NTLMAPS

  Now simply run the file main.py, for example:


  ______________________________________________________________________

  ./main.py
  ______________________________________________________________________



  Now the NTLMAPS server is listening.

  4.5.  Client Side Configuration

  In particular, we will use Netscape as an example here.

  �  Start Netscape Communicator.

  �  Click on Edit menu and click Preferences.

  �  Expand 'Advanced' node and click on 'Proxies'; you will see some
     options on the left.

  �  Click on Manual proxy configuration, then click on the View button.

  �  Put your local host's IP address (127.0.0.1) in the HTTP: box and
     port where NTLMAPS is listening (5865).

  �  Click on OK to confirm your changes.

  �  You will return back to Preferences dialog.

  �  Click on OK to apply your changes.

  Load up a test url in your browser and you will see the web page loads
  successfully. If you use a different browser then you will need to
  explore and see how you set it up to work with proxy.

  5.  Appendix

  5.1.  Appendix - A - Resources

  Microsoft Knowledge Base Article - 295667

  http://support.microsoft.com/?kbid=295667


  NTLM Authorization Proxy Server home page
  http://ntlmaps.sourceforge.net/


  Python Home Page www.python.org

  5.2.  Appendix - B - Acknowledgments


  �  Special thanks to Tabatha Persad (tabatha AT merlinmonroe DOT com)
     for reviewing and fixing the grammatical, structural, spelling and
     markup mistakes in this document.

  �  Thanks to Greg Ferguson (gferg AT sgi DOT com), Joy Goodreau (joyg
     AT us DOT ibm DOT com) for their guidance on submitting this
     document.

  �  Thanks to Faisal Khatri (fslkhatri AT hotmail DOT com) for
     verifying the information in this document.







  All copyrights belong to their respective owners. Other site content (c) 2014, GNU.WIKI. Please report any site errors to webmaster@gnu.wiki.