On 29/08/2012 9:53 p.m., FILHOL Laurent wrote:
Hello all,
Is there someone here who has succeeded in setting up Squid as a reverse proxy for MS
Lync?
I'm trying, but I'm stuck on an issue:
Squid seems to block the personal digital cert the Lync server is sending to
the remote client.
I mean, when the client already has this personal cert (because the client
previously connected on our internal network and retrieved the digital cert), the URLs
are accessed and all is fine. But when the client doesn't have the digital cert, it
can't get it and fails to access the URLs:
I have no errors in the logs, only these 401 returns from the Lync server:
-----------------------------------------------------------
125 90.80.x.x TCP_MISS/200 32633 POST
https://lync.toto.com/CertProv/CertProvisioningService.svc/mex -
FIRST_UP_PARENT/LyncServer application/soap+xml
3 90.80.x.x TCP_MISS/401 7607 POST
https://lync.toto.com/WebTicket/WebTicketService.svc/mex -
FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 5809 POST
https://lync.toto.com/CertProv/CertProvisioningService.svc -
FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7607 POST
https://lync.toto.com/WebTicket/WebTicketService.svc/mex -
FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 5809 POST
https://lync.toto.com/CertProv/CertProvisioningService.svc -
FIRST_UP_PARENT/LyncServer text/html
7 90.80.x.x TCP_MISS/401 7604 POST
https://lync.toto.com/groupexpansion/service.svc/mex -
FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7604 POST
https://lync.toto.com/groupexpansion/service.svc/mex -
FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 7604 POST
https://lync.toto.com/groupexpansion/service.svc/mex -
FIRST_UP_PARENT/LyncServer text/html
2040 90.80.x.x TCP_MISS/200 21261 POST
https://lync.toto.com/RgsClients/AgentService.svc/mex -
FIRST_UP_PARENT/LyncServer application/soap+xml
-------------------------------------------------------------
This shows Squid apparently relaying requests and responses okay, but the
Lync server repeatedly requesting authentication.
What type of "digital cert" are you talking about and where is it being
transmitted? ... TLS client cert from client? TLS client cert from
Squid? SOAP+XML POST body object? custom header object? or
authentication header credentials?
Here is part of my squid.conf
----------------------------------------------------------
debug_options ALL,1
https_port 10.X.X.X:443 cert=/home/rproxy/certs/certlync.pem key=/home/rproxy/certs/lync.key cafile=/home/rproxy/certs/thawteca.pem vhost
ignore_expect_100 on
cache_peer lync parent 4443 0 no-query originserver login=PASS connection-auth=off ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=LyncServer
acl LyncAcl dstdomain lync xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cache_peer_access LyncServer allow LyncAcl
----------------------------------------------------------
I suspect an issue with authentication, but again I have no proof, no error
in the logs.
If you have an idea on which direction to look, how to get more verbose logs, or
better :), the solution with the right squid.conf...
Thanks,
Laurent
Which version of Squid?
Which authentication type is the Lync server requesting?
Is the client presenting any credentials?
Amos
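As an added example (not from the thread or from Squid), a small parser for the access.log layout shown above that re-joins mail-wrapped entries, tallies which Lync endpoints are only ever answered 401, and checks whether each answer came from the cache_peer rather than from Squid itself. The field layout is assumed from the excerpt and the sample lines are constructed to match it.

```python
# Aggregate a Squid access.log excerpt by endpoint and HTTP status to see which
# Lync URLs the peer answers 401 and which succeed.  Assumed layout (from the
# thread's excerpt): elapsed client result/status bytes method URL ident
# hierarchy/peer content-type; lines wrapped by the mail client are re-joined.
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit
LINE_RE = re.compile(
    r"^(?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) "
    r"(?P<bytes>\d+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ident>\S+) "
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+) (?P<ctype>\S+)$")
# Constructed sample in the thread's mail-wrapped form; addresses masked.
SAMPLE_LOG = """\
125 90.80.x.x TCP_MISS/200 32633 POST
https://lync.toto.com/CertProv/CertProvisioningService.svc/mex -
FIRST_UP_PARENT/LyncServer application/soap+xml
3 90.80.x.x TCP_MISS/401 7607 POST
https://lync.toto.com/WebTicket/WebTicketService.svc/mex -
FIRST_UP_PARENT/LyncServer text/html
3 90.80.x.x TCP_MISS/401 5809 POST
https://lync.toto.com/CertProv/CertProvisioningService.svc -
FIRST_UP_PARENT/LyncServer text/html
"""

def parse_entries(text):
    """Re-join wrapped lines (an entry starts with the numeric elapsed field) and parse."""
    entries, buf = [], ""
    for raw in text.splitlines():
        tok = raw.split(maxsplit=1)[0] if raw.strip() else ""
        if tok.isdigit():  # a new entry begins: drop any unparsable leftover
            buf = ""
        buf = f"{buf} {raw.strip()}".strip()
        m = LINE_RE.match(buf)
        if m:
            entries.append(m.groupdict())
            buf = ""
    return entries

def status_by_path(entries):
    """URL path -> Counter of HTTP status codes returned for that path."""
    table = defaultdict(Counter)
    for e in entries:
        table[urlsplit(e["url"]).path][e["status"]] += 1
    return table

def always_denied(entries):
    """Paths that only ever returned 401: where to look for the auth problem."""
    return sorted(p for p, c in status_by_path(entries).items() if set(c) == {"401"})

def answered_by_peer(entry):
    """True when the response came from a cache_peer, not a Squid-generated denial."""
    return entry["hier"] != "HIER_NONE" and entry["result"] != "TCP_DENIED"
```

Running `always_denied(parse_entries(open("access.log").read()))` over a real log narrows the problem to the endpoints the Lync server never lets through.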