Slashdot Mirror
Solutions for Linux Desktops using NT Proxy?
prac_regex asks: "I'm both lucky and unlucky. Unlucky that im in an NT proxy environment, but lucky that I am able to use Linux at work for all of my work requirements. I can talk to the file servers via Samba and get email from our exchange server via kmail, but for things that require talking to servers outside the proxy, I fail for nearly everything but web-browsers. My question is what solutions exist to communicate to the NT servers for applications that may or may not have proxy settings? Even things like xchat --with-socks I cant get to work. the NT server simply seems to ignore me. I know microsoft does make things difficult for everyone that doesnt use windows, but Im sure people have solved this. My goal in the longrun is to get the proxy off NT but in the meantime..."
My solution was to set up a UNIX proxy server using squid, but that really didn't solve everything. Eventually, I got a job at an Internet company where I could make the rules. Much better that way!
Brad Johnson
--We are the Music Makers, and we
are the Dreamers of Dreams
Brad Johnson
I used to admin an MS Proxy. MSP provide standard proxying of HTTP, SSL, FTP and Gopher (anybody still using that ???). These service should work fine from any browser, on any platform (not quite sure about stand-alone FTP client). For all the rest, you need to install a "client", wich is really only a modified winsock.dll. Winsock.dll is a shared library that TCP/IP client (IRC, mail, etc.) on Windows use. This modified winsock.dll communicate with MSP somehow to proxy almost every application under the sun.
Since this client is obviously not released for any other platform than Windows, you're out of luck. It's a shame since, beside being locked to Windows, MSP is great. That's the only proxy that I know of that can transparently forward ANY application, log connection and is able to tunnel TCP/IP application connection through IPX (yes! TCP/IP over IPX !!!).
One way around it might be to install some kind of NAT software on a Windows box that has the proxy client installed, then route through it. May require some voodoo to work.
You should also investigate SOCKS support of MSP. I am pretty darn sure they add it to 2.0 (I admined 1.0).
:wq
MS Proxy Server 2 has pretty much been engineered to block anything but Windows-based clients. Windows users get an 'MS Proxy Client' that lets most software, including telnet etc. function fine if you're on windows.
Makes you kind of sick and just cements the notion in my head that MS software needs to be banished from my computers like the cancerous disease it is.
I used to admin a network of macs. When i arrived, they were behind a MS Proxy Server firewall. so no FTP access etc.
I replaced it with a 486-based Linux router that ran off a single floppy. Never skipped a beat, supported all proxy services the MS Proxy did and let the Macs use ftp etc. I use my linux box at home to do the same thing, although there is only one machine behind it.
In my current job, i am also behind an MS Proxy firewall, so when i try and run the BeOS to test it, i can't surf the web or anything. I have a linux box on my desk too, which is also cut off from the outside world.
Unfortunately everyone else in the office uses Windoze, so theyre not too happy with the idea of me replacing the Proxy Server, and our sys admin refuses to contemplate the idea of actually becoming competent with TCP/IP networking or any of the other technologies he works with every day, instead relying on the Microsoft 'Tools' to muddle through.
The only thing Proxy Server does that an ipchains-based setup won't is to forward HTTP packets based on the URL in them - i.e. you can have all requests for 'http://myorganisation.com/images/' sent to one server, and all requests from 'http://myorganisation.com/html/' sent to another server.
Quite nifty, but i'm sure there are free alternatives for this type of thing. I know there are commerical BSD-based firewalls that do this very well.
I gots ta ding a ding dang my dang a long ling long
It's been a while, but here's what I remember...
MS Poxy supports the usual CERN http/ftp proxy stuff.
MS Poxy also has a proprietary proxy protocol that only works with their (vile) Windows client.
MS Poxy also supports Socks 4, but not Socks 5. Ask your admin guys about the settings, and try and find a Socks 4 client for whatever you're doing. I've gotten Mirc to work over Socks 4, so it can be done...
The proxy documentation is probably hidden somewhere on the MS web site, or if your admin guys are co-operative it's also on the CD.
Use a tunnel. THere are some pretty ingenious packages out there. Tunneling over http headers, icmp requests, or email messages.
A wealthy eccentric who marches to the beat of a different drum. But you may call me "Noodle Noggin."
Quando Omni Flunkus Moritati
First of all, I'd like to say that proxies are a poor excuse for any sort of network security. I assume that's what your company uses it for. A much better solution would be a simple Linux Masquerading box, or if they're afraid of Linux, a Cisco PIX firewall and a PAT address for everyone on the inside of it. You can also do PAT on a Cisco router, using ACL's on a large scale for network security is also bad practice. I really suggest either a real firewall solution, or just a simple linux box with ip masquerading. Read the IP-masq howto.
MS Proxy is pure crap. One of the companies we work fairly closely with has one set up. FTP never worked properly and we would constantly get calls from people complaining to us to fix it, when we didn't even have any control over it. I finally got sick of getting called at 4AM for something I couldn't do anything about and set up a Linux box with Dante and Squid on it, and had someone out there who works for us put it in. It's been up for 223 days so far and I haven't had a single phone call since. Plus, most of the other companies users have switched over to it as well. Last week around noon, there were around 173 simultaneous users using it.
Need Free Juniper/NetScreen Support? JuniperForum
he only thing Proxy Server does that an ipchains-based setup won't is to forward HTTP packets based on the URL in them - i.e. you can have all requests for 'http://myorganisation.com/images/' sent to one server, and all requests from 'http://myorganisation.com/html/' sent to another server.
Squid will do this, and does it rather well if I recall. Should take about five minutes to configure the first time. Squid and ipchains server two very different purposes and can be used together without a hitch.
I do agree that msproxy is (ahem) a non-optimal solution. I've run across MS Proxy twice in customer environments due to reported problems. In both cases, the MS proxy was the problem.
In the first case, the box was going catatonic requiring a reboot almost daily. No amount of MCSE's or service packs could fix it. We eventually rebuilt it with Linux and Squid. It's given one problem in the six months since installation when the cache disk ran out of inodes.....
In the second case, it was due to the proxy not handling HTTP/1.1 requests correctly for virtually-hosted sites. We chained the msproxy to an upstream netscape proxy which did.
For the problem at hand, check out Dante. It's a socks package that has beta support for acting as a msproxy client. From the README:
They also warn you that it may crash your msproxy, but that was just a matter of time anyway, right$ find