Linux Software

Solutions for Linux Desktops using NT Proxy? 18

prac_regex asks: "I'm both lucky and unlucky. Unlucky that I'm in an NT proxy environment, but lucky that I am able to use Linux at work for all of my work requirements. I can talk to the file servers via Samba and get email from our Exchange server via kmail, but for things that require talking to servers outside the proxy, I fail for nearly everything but web browsers. My question is what solutions exist to communicate to the NT servers for applications that may or may not have proxy settings? Even things like xchat --with-socks I can't get to work. The NT server simply seems to ignore me. I know Microsoft does make things difficult for everyone that doesn't use Windows, but I'm sure people have solved this. My goal in the long run is to get the proxy off NT but in the meantime..."
This discussion has been archived. No new comments can be posted.

  • See, the thing is, Microsoft Proxy Server only supports HTTP. It won't support FTP, Telnet, or anything else. I ran into this problem at a place that I used to work, and many of the other workers had a hard time ftping and such.

    My solution was to set up a UNIX proxy server using squid, but that really didn't solve everything. Eventually, I got a job at an Internet company where I could make the rules. Much better that way!

    Brad Johnson
    --We are the Music Makers, and we
    are the Dreamers of Dreams

  • I used to admin an MS Proxy. MSP provides standard proxying of HTTP, SSL, FTP and Gopher (anybody still using that ???). These services should work fine from any browser, on any platform (not quite sure about stand-alone FTP clients). For all the rest, you need to install a "client", which is really only a modified winsock.dll. Winsock.dll is a shared library that TCP/IP clients (IRC, mail, etc.) on Windows use. This modified winsock.dll communicates with MSP somehow to proxy almost every application under the sun.

    Since this client is obviously not released for any other platform than Windows, you're out of luck. It's a shame since, besides being locked to Windows, MSP is great. That's the only proxy that I know of that can transparently forward ANY application, log connections and is able to tunnel TCP/IP application connections through IPX (yes! TCP/IP over IPX !!!).

    One way around it might be to install some kind of NAT software on a Windows box that has the proxy client installed, then route through it. May require some voodoo to work.

    You should also investigate SOCKS support of MSP. I am pretty darn sure they added it to 2.0 (I admined 1.0).
    • Get a floppy Linux distro (there are lots of those these days).
    • Edit the firewall config on the floppy as needed.
    • Go to the NT proxy box.
    • Insert the floppy into the NT machine's floppy drive.
    • Push the reset button on the NT box.
    • Go to your computer, and enjoy.
  • MS Proxy Server 2 has pretty much been engineered to block anything but Windows-based clients. Windows users get an 'MS Proxy Client' that lets most software, including telnet etc., function fine if you're on Windows.

    Makes you kind of sick and just cements the notion in my head that MS software needs to be banished from my computers like the cancerous disease it is.

    I used to admin a network of Macs. When I arrived, they were behind an MS Proxy Server firewall, so no FTP access etc.

    I replaced it with a 486-based Linux router that ran off a single floppy. Never skipped a beat, supported all proxy services the MS Proxy did and let the Macs use ftp etc. I use my Linux box at home to do the same thing, although there is only one machine behind it.

    In my current job, I am also behind an MS Proxy firewall, so when I try and run the BeOS to test it, I can't surf the web or anything. I have a Linux box on my desk too, which is also cut off from the outside world.

    Unfortunately everyone else in the office uses Windoze, so they're not too happy with the idea of me replacing the Proxy Server, and our sys admin refuses to contemplate the idea of actually becoming competent with TCP/IP networking or any of the other technologies he works with every day, instead relying on the Microsoft 'Tools' to muddle through.

    The only thing Proxy Server does that an ipchains-based setup won't is to forward HTTP packets based on the URL in them - i.e. you can have all requests for 'http://myorganisation.com/images/' sent to one server, and all requests from 'http://myorganisation.com/html/' sent to another server.

    Quite nifty, but I'm sure there are free alternatives for this type of thing. I know there are commercial BSD-based firewalls that do this very well.

  • It's been a while, but here's what I remember...

    MS Poxy supports the usual CERN http/ftp proxy stuff.

    MS Poxy also has a proprietary proxy protocol that only works with their (vile) Windows client.

    MS Poxy also supports Socks 4, but not Socks 5. Ask your admin guys about the settings, and try and find a Socks 4 client for whatever you're doing. I've gotten Mirc to work over Socks 4, so it can be done...

    The proxy documentation is probably hidden somewhere on the MS web site, or if your admin guys are co-operative it's also on the CD.

  • Or, if the admin is too lazy to remove the docs from a production system.... http://proxyserver/prxdocs/htm/default.htm
  • I ran a NetManage Gopher client a couple weeks ago just to see whazup.

    Most gopher sites say something like "See our web page at HTTP://..."

    But some of the die-hards are still there! Smithsonian, MIT etc!

  • Use a tunnel. There are some pretty ingenious packages out there. Tunneling over http headers, icmp requests, or email messages.

    A wealthy eccentric who marches to the beat of a different drum. But you may call me "Noodle Noggin."
  • The MS Proxy Server is possibly also using authentication that only MS products "speak". I can't even use Netscape or Mozilla -- Internet Explorer only !!
  • (Gee, if you click on Support [microsoft.com] on the MS home page [microsoft.com] you get a warning that the content has moved. I guess they need more Web developers...)

    It sounds as if you're referring to "NT Challenge/Response authentication", which is the default. Apparently there's some proprietary messaging with IE. There are MS KB articles about it: Q245237 [microsoft.com] - "Configuration to Enable the Netscape Browser to Function Properly in a Proxy 2.0-Based Environment", although the proper choices in the IIS configuration menus are not obvious. There are other KB articles, but this seems the most helpful.

  • I tested MS Proxy 1.something a long time ago and it had a client install for the workstations. My ideas are not the ideal solution I'm sure, but it's a thought :P

    Take an NT workstation with the MS Proxy client installed and then install a socks proxy on the same machine. Then bounce your connections through it.

    Second idea: Take an NT workstation and install NAT32 or another NAT program and set your workstation's default gateway to that workstation. If it works, all applications should work without changes.
  • Configure your workstation's kernel to support transparent proxy, then configure squid to do the same. There is a howto in the LDP that should show you this. Set up squid to use the MS proxy server as its outbound connection. Then redirect all outbound packets for port 80 to your squid proxy. This should make it transparent, and work as well as it can. Some things may break, but it's probably the best you can do.
  • Wrong. Microsoft Proxy Server also provides SOCKS.
  • The only thing Proxy Server does that an ipchains-based setup won't is to forward HTTP packets based on the URL in them - i.e. you can have all requests for 'http://myorganisation.com/images/' sent to one server, and all requests from 'http://myorganisation.com/html/' sent to another server.

    Squid will do this, and does it rather well if I recall. Should take about five minutes to configure the first time. Squid and ipchains serve two very different purposes and can be used together without a hitch.
  • I disagree that proxies are a poor security solution (they can be very effective if set up correctly).

    I do agree that msproxy is (ahem) a non-optimal solution. I've run across MS Proxy twice in customer environments due to reported problems. In both cases, the MS proxy was the problem.

    In the first case, the box was going catatonic requiring a reboot almost daily. No amount of MCSE's or service packs could fix it. We eventually rebuilt it with Linux and Squid. It's given one problem in the six months since installation when the cache disk ran out of inodes.....

    In the second case, it was due to the proxy not handling HTTP/1.1 requests correctly for virtually-hosted sites. We chained the msproxy to an upstream netscape proxy which did.

    For the problem at hand, check out Dante [www.inet.no]. It's a socks package that has beta support for acting as a msproxy client. From the README:

    This is the first version of Dante that attempts to support the msproxy protocol. This is a protocol not described in any publicly known document and it was implemented based on watching network packets crossing the wire and guessing their meaning.

    This prerelease is made public in order to get feedback on the msproxy stuff. Current status:

    TCP connect(2) is expected to work.
    TCP bind(2) is expected to work.
    hostnames are resolved (via the proxy).
    sometimes the server returns an unexpected response to our connect request. MS clients understand when the response means "wait a little, then continue or retry", we currently don't.

    We appreciate any feedback at all, does it work, does it not. That will determine whether Inferno Nettverk will continue to support work on this.

    Code for UDP support will probably be added later if there is demand for it.

    If you're a UNIX user trapped behind a msproxy server, here's to you.

    They also warn you that it may crash your msproxy, but that was just a matter of time anyway, right :-?
  • I'm behind an IIS4.0 Proxy. Problem is that it wants NTLM (NT Lan Manager) authentication. Only the basics of this are documented. This royally sucks for me because I write socket apps, and can't get through unless I use Visual Studio and MFC's http classes. I've tried http tunnel and a bunch of other things to no avail.

    If you figure something out, I'd appreciate hearing it too.

  • Hello,

    If the MS Proxy Server is Ver.2, then you can use SOCKS-enabled clients.

    Check out
    http://www.socks.nec.com/socksfaq.html

    Then search on the MS site & elsewhere for info on the "Socks Proxy Service", which is the component that supports SOCKS 4.3a.

    Here is how the Macintosh-heads deal with it:
    http://www.macwindows.com/MSProxy.html

    Good luck!
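
The SOCKS 4 exchange that several comments above recommend trying against MS Proxy 2, as an added example that is not part of the original thread: it builds the CONNECT request and decodes the proxy's 8-byte reply, which tells you whether the proxy refused the request or never answered in SOCKS at all. The function names and the 192.0.2.10 test address are constructed for illustration; the wire layout follows the SOCKS 4 protocol, not anything specific to MS Proxy.

```python
import ipaddress
import struct

# SOCKS 4 reply codes (CD field of the 8-byte reply).
REPLY_CODES = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: proxy could not reach identd on the client",
    93: "rejected: client and identd report different user IDs",
}


def build_connect_request(dst_ip, dst_port, user_id=""):
    """Build VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    if "\x00" in user_id:
        raise ValueError("user id must not contain NUL")
    addr = ipaddress.IPv4Address(dst_ip)  # SOCKS 4 carries IPv4 literals only
    header = struct.pack(">BBH4s", 4, 1, dst_port, addr.packed)
    # USERID is plain text; the proxy can at most compare it with identd.
    return header + user_id.encode("ascii") + b"\x00"


def parse_reply(data):
    """Return (granted, reason) for an 8-byte SOCKS 4 reply."""
    if len(data) != 8:
        raise ValueError("SOCKS 4 reply is exactly 8 bytes")
    vn, cd, _port, _ip = struct.unpack(">BBH4s", data)
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    return cd == 90, REPLY_CODES.get(cd, "unknown reply code %d" % cd)


def handshake(sock, dst_ip, dst_port, user_id=""):
    """Send CONNECT on an already-connected socket and read the reply."""
    sock.sendall(build_connect_request(dst_ip, dst_port, user_id))
    reply = b""
    while len(reply) < 8:
        chunk = sock.recv(8 - len(reply))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-reply")
        reply += chunk
    return parse_reply(reply)
```

Pass `handshake` a socket already connected to the proxy's SOCKS port; a `ConnectionError` or a `ValueError` from `parse_reply` means the listener is not speaking SOCKS 4, which is a different failure from a 91 to 93 rejection.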
