We have several layers of Proxies:
User -> Region -> Region -> inner farm -|Firewall|-> DMZ farm -|Firewall|-> Internet User -----------> Region -> User ---------------------> We do all our authentication/authorisation and filtering based on user/group in the inner farm. Currently we mainly do authentication based on the IP adress(-range) (around 95%) and only very few users are authenticated via NTLM. However, we are under orders to change that in the foreseeable future to pure NTLM. So that'll be for Proxy authentication, server NTLM is only done within the intranet itself and that's taken care of in the proxy settings of the clients. BlueCoats for example allow such a scenario with a thing called "NTLM forwarding". As far as I am aware that's not possible with Squid right now. So I wonder if that'll be part of the upcoming Stable 2.6/3 as we've to start planning for the nescessary changes rather soon. -----Original Message----- From: Adrian Chadd [mailto:[EMAIL PROTECTED] Sent: Dienstag, 16. Mai 2006 09:44 To: Baumgaertel, Oliver Cc: [email protected] Subject: Re: NTLM forwarding in 2.6 ? Are you referring to connection pinning so NTLM authentication works through a proxy server? On Tue, May 16, 2006, Baumgaertel, Oliver wrote: > > Hi. > > Are there any plans to add NTLM forwarding to the Stable 2.6 release? > > I ask because we will need that in the coming months and I'd like to > safe the 30 or so squid boxes currently running in the third layer. Else > they'd surely follow the other 20 already replaced by BlueCoats. > > regards, > Oliver Baumgaertel
