Breaking through the ISA Barrier

Posted by pedxing on Fri 17 Feb 2006 at 10:41

Microsoft ISA Server is a common proxy server within Windows-based networks. It is not very Linux friendly. NTLM Authorization Proxy Server helps us out with this.

My office is nearly exclusively MS; the ISA server is the only gateway to the internet from the LAN. I installed Debian on one machine from the netinst CD on an external network, then hooked it up to the LAN.

`apt-setup` will let you set your proxy server, but no amount of coaxing, cursing, or brute force would make ISA accept a connection from the Debian box. After a quick search, I found NTLMaps. It is a Python-based proxy that runs on localhost and forwards requests to the ISA server, providing the required interfaces on both ends.

`apt-get install ntlmaps` will grab it, and step you through a few basic questions... Local Port, ISA Server, ISA Port, Domain, Username, Password.

Once it's running, simply run `apt-setup` and tell it to use localhost:5865 as the proxy, and you're apt-getting before you know it. This will also work with web browsers. elinks can be configured by editing /etc/elinks/elinks.conf and changing the proxy line to read: `set protocol.http.proxy.host = "localhost:5865"`.

If you need to change the proxy settings, you can run `dpkg-reconfigure ntlmaps`. To change apt's proxy settings, you can edit /etc/apt/apt.conf.
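Because the setup above leaves a local proxy running that holds your domain username and password, it is worth checking how that proxy is configured. The following is an added example, not part of the original article or of NTLMaps itself: a small audit of a config in the KEY:value layout of ntlmaps' server.cfg. The section and key names are assumed to match the stock file, and the host, domain, user and password in the sample are constructed placeholders.

```python
import configparser
import stat

# Constructed sample in the KEY:value layout of ntlmaps' server.cfg (assumed
# key names). Host, domain, user and password are placeholders.
SAMPLE_CFG = """\
[GENERAL]
LISTEN_PORT:5865
PARENT_PROXY:isa.example.internal
PARENT_PROXY_PORT:8080
ALLOW_EXTERNAL_CLIENTS:1
FRIENDLY_IPS:
[CLIENT_HEADER]
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
[NTLM_AUTH]
NT_DOMAIN:EXAMPLE
USER:jdoe
PASSWORD:placeholder-password
"""

def audit(cfg_text, file_mode):
    """Return a list of (check, detail) findings for an ntlmaps-style config."""
    cp = configparser.ConfigParser(delimiters=(":",), comment_prefixes=("#",),
                                   interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case as written
    cp.read_string(cfg_text)
    get = lambda sec, key: (cp.get(sec, key, fallback="") or "").strip()

    findings = []
    # The article relies on the proxy being used from localhost only.
    if get("GENERAL", "ALLOW_EXTERNAL_CLIENTS") not in ("", "0"):
        findings.append(("external-clients",
                         "other hosts can browse as %s" % get("NTLM_AUTH", "USER")))
    if get("GENERAL", "FRIENDLY_IPS"):
        findings.append(("friendly-ips", get("GENERAL", "FRIENDLY_IPS")))
    # The domain password is stored in the file in clear text.
    if get("NTLM_AUTH", "PASSWORD") and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("password-readable",
                         "mode %o exposes the stored password" % stat.S_IMODE(file_mode)))
    # A forced User-Agent replaces the one the real browser sends.
    ua = get("CLIENT_HEADER", "User-Agent")
    if ua:
        findings.append(("user-agent-override", ua))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CFG, 0o644):
        print("%-20s %s" % (check, detail))
```

To check a real file, pass its contents and `os.stat(path).st_mode` to `audit()`.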

Re: Breaking through the ISA Barrier
Posted by Anonymous (62.255.xx.xx) on Fri 17 Feb 2006 at 11:49
You can configure it to not need the proxy client, therefore working with anything, but it's up to the individual administrators to do it. Personally I bin it and use a Cisco PIX!

Re: Breaking through the ISA Barrier
Posted by Anonymous (193.195.xx.xx) on Fri 17 Feb 2006 at 15:34
A PIX won't do content filtering.

Alternatively IIRC you can specify static IPs that are just allowed through the ISA server without having to auth.

Re: Breaking through the ISA Barrier
Posted by Anonymous (62.255.xx.xx) on Sun 19 Feb 2006 at 17:18
Yeah and you need a Cray T3E running ISA to make it do that, and it only does half a job and you have to spend a lot of cash on 3rd party addons to make up for that.

Re: Breaking through the ISA Barrier
Posted by simonw (84.45.xx.xx) on Fri 17 Feb 2006 at 20:01
Sorry PIX sucks, just look at the abuse it has done over the years to perfectly reasonable SMTP sessions.

There are plenty of good firewalls, some of them even use Linux, but unless PIX has made huge strides recently, it isn't one of them.

Re: Breaking through the ISA Barrier
Posted by Anonymous (62.255.xx.xx) on Sun 19 Feb 2006 at 17:20
Mine works fine (515E) and cost £35 and about 10 minutes of time (that's about £500 worth of your life if you think about how much time you wasted pissing around configuring something on your death-bed).

Re: Breaking through the ISA Barrier
Posted by pedxing (64.231.xx.xx) on Sat 18 Feb 2006 at 16:21
I could also do that. This way I can use it with live CDs, dynamic IP, or whatever other form I choose.

I am not a fan of ISA, I've used squid in the past, but it's not my place to run the proxies.

Re: Breaking through the ISA Barrier
Posted by Anonymous (195.72.xx.xx) on Sun 19 Feb 2006 at 15:10
ISA sucks!

Re: Breaking through the ISA Barrier
Posted by mrtom (83.104.xx.xx) on Mon 20 Feb 2006 at 09:25
We have problems with ntlmaps consuming large amounts of CPU when downloading - not really too much of an inconvenience but worth knowing.

I also had to edit the Debian supplied configuration as it rewrites the HTTP headers in order to pretend the browser is some version of IE. This prevents some sites like Google Maps from working with all features as it thinks that your browser is not good enough.
