#1 improvements for Java NTLM Proxy

open
nobody
None
5
2007-02-02
2007-02-02
Andrew
No

First of all let me thank you for this great piece of software.

It provides several improvements, one of which is the `proxy.forward` option.

The only issue so far is that the software allows forwarding only to one host, i.e. if two proxy.forward strings are specified, the program will forward only to the last of them.

Adding support for multiple proxy.forward would be great.

Apart from that, the ntlm-proxy.log file is created every time, disregarding the proxy.log.wire option. Adding an option to completely disable logging would be just great!

Third (and last request) - create an alternative way of inputting the password, i.e. if the password option is not in the properties file, the user would be prompted for a password (to improve security).

So far the program has been functioning great!
Many thanks for it!

Discussion

  • Porcine
    Porcine
    2007-02-07

    Logged In: YES
    user_id=1485667
    Originator: NO

    Thanks for the feedback.

    Try 0.2.RC3. It has some of the features you have mentioned (you'll need JDK 6 for console password support). It also has proxy bypassing based on a regular expression (good for local servers).

    I think proxy.forward is working okay. Rather than having multiple 'proxy.forward' lines, try putting all the port descriptions on one line separated by commas.

     
  • Andrew
    Andrew
    2007-02-08

    Logged In: YES
    user_id=1708605
    Originator: YES

    Hello,

    So far looks good, will test more tomorrow @ work :):) Is it a necessity to use JDK6? The download is 60 megs big and it is beta & unstable. If this ntlmproxy is designed to be used in companies where proxies drain the life out of employees, then JDK6 is a tough thing to get installed on PC. Java 1.5 is usually there preinstalled by IT, but JDK6 installation might be a problem to get. Is it a big pain to make the password entry in the console compatible with java 1.5?

    Thanks

     
  • Logged In: NO

    I meant JRE 6. Only 12MB! Bargain.

     
  • Andrew
    Andrew
    2007-02-08

    Logged In: YES
    user_id=1708605
    Originator: YES

    Yeah, but can't install it without adm rights :S

     
  • Porcine
    Porcine
    2007-02-08

    Logged In: YES
    user_id=1485667
    Originator: NO

    Yeah, but JRE 1.6 is great. Fewer bugs, better performance, accelerated 2D drawing using DirectX. I'm surprised your sysadmins haven't rolled it out weeks ago.

     
  • Andrew
    Andrew
    2007-02-08

    Logged In: YES
    user_id=1708605
    Originator: YES

    Our sysadmins still serve Java 1.4.2 :)

    Java 5 for some reason installed without adm rights and I was able to say bye-bye completely to our ISA server with a combination of ntlmproxy and gtOrenoPC :)

    JRE 1.6 won't be rolled out publicly for a long time :( DirectX drawing is not a requirement in this application, I guess :) and for one only thing - entry of the password at application start...*cough* :)

     
  • Porcine
    Porcine
    2007-02-08

    Logged In: YES
    user_id=1485667
    Originator: NO

    OK. I'll put it in. If you've got 1.6 it will ask you on the console, if you're <1.6 it will popup a window...

     
  • Andrew
    Andrew
    2007-02-09

    Logged In: YES
    user_id=1708605
    Originator: YES

    Great stuff!
    Thanks!

    Now...logging bug?

    Do you have any todo list for this project? Would be fascinating to see what the future can offer :)

     
  • Porcine
    Porcine
    2007-02-09

    Logged In: YES
    user_id=1485667
    Originator: NO

    i fear this software has a limited life. sysadmins are likely to
    a) move to kerberos IAS authentication (which will break the httpclient library from apache that does all the heavy lifting)..
    b) restrict access to HTTP tunneling.
    so enjoy while you can...

     
  • Andrew
    Andrew
    2007-02-09

    Logged In: YES
    user_id=1708605
    Originator: YES

    Hello,

    Strongly doubting both points

    Moving to Kerberos will break support for many existing products, so they're unlikely to do that (even if they do, is that a big problem to implement kerberos authentication?)

    Restricting access to HTTP only sounds totally unreal, because there are dozens of sites that require HTTPS access and nothing can be done about it.
    So `CONNECT` verb will still be available, meaning HTTPS session will be established, and once you have https tunnel, you have everything in your hands - you can tunnel almost anything, if you have the right tools.

    What I would suggest as a road map (if you're interested) - design a server-side program (something like gtorenoPC) that will work together with Java NTLM proxy and will allow performing a sort of VPN over HTTPS.

     
  • Porcine
    Porcine
    2007-02-09

    Logged In: YES
    user_id=1485667
    Originator: NO

    I guess I could add socksv5 to both sides (jsocks.sf.net) of the tunnel. You'd get UDP forwarding. Maybe also add an option to reinitiate the tunnel if it goes down. If you installed a SOCKS winsock wrapper on your PC this would sort of be a VPN.

     
  • Logged In: NO

    it might be better to hack in NTLM HTTP tunnel support to http://openvpn.net/.

     
  • Logged In: NO

    Are you still using this software?

    I haven't checked back here for a while. Seems like a few people have downloaded it.

    i don't use windows so being able to serve tsweb is not a high priority for me. However your enthusiasm is noted. :)

    If I added the SOCKS proxy stuff it would allow arbitrary port forwarding over the tunnel which is probably a good thing.

    I also thought up this other idea. Implement a WebDAV server on either end of the tunnel. This would allow windows clients to connect to remote shares using web folders (although I think RDP clients can move shares between machines anyway -- is this true?). It would also make cross platform folder sharing possible without SAMBA (I think linux supports WebDAV through FUSE).

     
  • Andrew
    Andrew
    2007-03-09

    Logged In: YES
    user_id=1708605
    Originator: YES

    Hello,

    Yeah, i use the software all the time, it's just great!
    Particularly, I don't use the ntlm authorization proxy port, but I use it mostly for forwarding.

    It solves several problems that i had, when i was using ntlmaps.

    Basically this thing allows you to own an ISA server completely, and with gtOrenoPC installed on the other side (at my home PC), I can access everything there.

    What else I wanted in the app - some sort of gtOrenoPC functionality that would allow creating full SSL tunneling...
    say if i connect to 127.0.0.1:88, the software would
    1) contact the tunnel destination (home puter) and request a port forward
    2) home puter would then connect the pre-configured ip at a pre-configured port
    3) home puter proxies response through SSL to originator.

    I am not sure if i'm making myself clear, lemme know if that makes sense.

    The bottom line idea is for me to get radio to work at home.

    I would setup player to http://127.0.0.1:88, then NTLM Proxy would contact my home puter and request a port forward, home puter would go to inet radio server (by using a pre-configured ip) and would stream me the output through SSL tunnel.

    Lemme know what you think.

    P.S. Regarding your question - yes, once a TS session is active, it supports file transfer.

    But the problem is, to establish a TS session there has to be a rule like this:

    ListenOnPort8888-ThenConnectIPx.x.x.xPort443AndEstablishSSLTunnel--RequestTunnelEndpointForPortForwardOfLocalPort8888ToIP127.0.0.1Port3389

    :) I'm crazy :)