[OT] Linux clients and NTLM authentication

Szombathelyi György gyurco at freemail.hu
Fri Sep 29 12:53:59 BST 2006


Actually ISA is a 3-in-1 solution. Each of its aspects has free 
alternatives implemented with open standards:

- HTTP proxy - I don't need to describe this, I think
- SOCKS5-like proxy - this can route all traffic from clients with 
possible authentication. Since it's not a SOCKS5 implementation, you 
need to find a client which can communicate with the ISA proprietary 
protocol. The ISA client on Windows does this.
- Ordinary IP-based NAT solution - this cannot support authentication, 
since the Internet Protocol is not designed for this.

So to authenticate all traffic, you need to find an ISA client for 
Linux, or change ISA Server to an open-standards-based SOCKS5 proxy 
server, which has free clients for both Windows and Linux. Maybe ISA can 
act as a SOCKS5 server, I don't know.

Regards,
György

Marcelo Magno T. Sales wrote:
> People,
> 
> Taking a ride on this subject, I would like to ask you, who have good 
> knowledge of NTLM authentication, whether you know anything that would help me to 
> have applications other than browsers authenticate against an MS ISA 
> Server. Preferably in a transparent way, much like ISA Server's firewall 
> client for Windows. I would also be glad to hear of a 100% unix/linux 
> solution that allows me to restrict Internet access by user AND by application 
> (not only for http). Is there something?
> I've tried the following so far:
> 
> 1. Configure applications to use ISA Server as the proxy server.
>    . Positive point: Firefox can do NTLM authentication and interoperates well
>      with ISA Server.
>    . Negative points: Many applications can't be configured to use proxies.
>      Those which can are not able to authenticate against ISA Server.
>      Even if they were, it would be necessary to configure each application
>      for each user.
>      In Firefox, the user has to retype his credentials every time he
>      opens the browser, and java applets do not
>      work (JVM can't authenticate against ISA Server).
> 
> 2. Use NTLMAPS / APServer on the client side
>     . Positive point: Firefox can access Internet using APServer without
>       requesting user credentials and java applets work fine. APServer can
>       do NTLM authentication and interoperates well with ISA Server.
>     . Negative points: It's useful for HTTP access only. Other applications
>       suffer from the same problems described in the previous solution.
>       APServer is not user-friendly enough to be used by normal users
>       and I can't configure it to start automatically (for that, I would have
>       to set it up with a user account that would not match the current logged
>       user).
> 
> 3. Use squid on the server side
>     . Positive point: HTTP access can be restricted by AD user accounts.
>       squid is able to authenticate users against AD.
>     . It's another HTTP-only solution. squid capabilities of restricting
>       access by group are limited. Browser special configuration is
>       required.
> 
> 4. On the client side, use a script that creates iptables rules dynamically
>     when a user logs on, according to his credentials.
>     . Positive point: works for all applications. Works with ISA Server in
>       NAT mode as well as with a Linux based NAT solution.
>     . Negative points: administration is a nightmare. It's difficult to work
>       with groups. The restrictions are enforced on the client side and
>       not on the server side, which lowers security. My network
>       spans an 800 km area, with many buildings. Each building
>       has support personnel who must have local root access to the
>       workstations in the building, but should not be able to set up
>       their own restrictions for Internet access. It's not possible to
>       prevent them from editing the local iptables rules, once they
>       have root privileges at the workstations.
> 
> Is there a way to get the results I need using Linux clients?
> 
> Thanks,
> 
> Marcelo
> 
> 
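The thread above keeps coming back to the same obstacle: a non-browser client on Linux has to be able to finish the NTLM challenge/response that ISA Server's HTTP proxy demands (three base64-encoded NTLM messages carried in `Proxy-Authorization: NTLM ...` headers in reply to 407 responses) before anything else can work. The following is an added, self-contained example, not code from this thread or from ISA, APServer or squid, showing the credential-derived part of that handshake that such a client must compute: the NT hash, NTOWFv2, and the LMv2/NTLMv2 responses. It carries its own MD4 because `hashlib` on OpenSSL 3 builds usually refuses the legacy algorithm, and it checks itself against the published MS-NLMP NTLMv2 test case (user `User`, domain `Domain`, password `Password`, server challenge `0123456789abcdef`, client challenge `aa`×8, zero timestamp, target info `Domain`/`Server`); the message framing (Type 1/2/3 headers and offsets) is deliberately left out.

```python
"""NTLMv2 response computation in pure Python, checked against the
MS-NLMP section 4.2.4 test vectors.  Added example, not thread code."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4.  Implemented here because hashlib.new('md4') is
    refused by OpenSSL 3 unless the legacy provider is enabled."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    k2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:                      # round 1: F, no constant
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                    # round 2: G (majority)
                f, k, s, add = ((b & c) | (b & d) | (c & d), k2[i - 16],
                                (3, 5, 9, 13)[i % 4], 0x5A827999)
            else:                           # round 3: H (parity)
                f, k, s, add = b ^ c ^ d, k3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            # registers rotate (a,b,c,d) -> (d, a', b, c) after each step
            a, b, c, d = d, _rotl((a + f + x[k] + add) & _MASK, s), b, c
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (the 'NT hash')."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return _hmac_md5(nt_hash(password), (user.upper() + domain).encode("utf-16le"))


def lmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """LmChallengeResponse = HMAC(key, ServerChallenge || ClientChallenge) || ClientChallenge."""
    return _hmac_md5(key, server_challenge + client_challenge) + client_challenge


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    target_info: bytes, timestamp: int = 0):
    """Returns (NTProofStr, NtChallengeResponse, SessionBaseKey).
    'temp' is the NTLMv2_CLIENT_CHALLENGE blob the server will re-hash."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = _hmac_md5(key, server_challenge + temp)
    session_base_key = _hmac_md5(key, nt_proof)
    return nt_proof, nt_proof + temp, session_base_key


# AV_PAIR ids from the Type 2 TargetInfo block (MS-NLMP 2.2.2.1)
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2


def av_pair(av_id: int, value: str) -> bytes:
    v = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(v)) + v


def spec_vectors() -> dict:
    """Run the MS-NLMP 4.2.4 NTLMv2 test case; returns hex-encoded results."""
    target_info = (av_pair(MSV_AV_NB_DOMAIN_NAME, "Domain")
                   + av_pair(MSV_AV_NB_COMPUTER_NAME, "Server")
                   + struct.pack("<HH", MSV_AV_EOL, 0))
    key = ntowf_v2("Password", "User", "Domain")
    server_challenge = bytes.fromhex("0123456789abcdef")   # from the Type 2 message
    client_challenge = b"\xaa" * 8                         # spec's fixed nonce
    nt_proof, _, sbk = ntlmv2_response(key, server_challenge, client_challenge, target_info)
    return {
        "ntowf_v2": key.hex(),
        "lmv2": lmv2_response(key, server_challenge, client_challenge).hex(),
        "nt_proof_str": nt_proof.hex(),
        "session_base_key": sbk.hex(),
    }


if __name__ == "__main__":
    for name, value in spec_vectors().items():
        print(f"{name:17s} {value}")
```

Two points worth noting when reading this against the thread. First, the whole exchange is keyed only by the NT hash, which is why on the defensive side the NTLMv2 form (with its client challenge, timestamp and TargetInfo bound into the MAC) should be the only one accepted; the older LM/NTLMv1 DES-based responses do not bind the target and are far easier to relay or crack. Second, this solves only the HTTP-proxy leg that Marcelo's options 1 to 3 deal with; the ISA firewall client's own "SOCKS5-like" protocol that György mentions is a separate wire protocol and is not reproduced here.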