Use proxytunnel with Microsoft ISA Server

2011-06-27
2013-04-22
  • Snoopy Chen
    Snoopy Chen
    2011-06-27

    I try to use proxytunnel create a tunnel through out MS ISA Server with NTLM authentication.
    The command is as:
    proxytunnel.exe -v -e -p myproxy:8080 -N -P mydomain\userid:mypass -r rtproxy:443 -d desthost:8131 -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\nHost: rtproxy\nContent-Length: 0\nPragma: no-cache"

    But I got the error:

    SSL enabled
    Build Type 1 NTLM Message : TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
    Connected to myproxy:8080 (local proxy)
    Tunneling to rtproxy:443 (remote proxy)
    Communication with local proxy:
     -> CONNECT rtproxy:443 HTTP/1.0
     -> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
     -> Proxy-Connection: Keep-Alive
     -> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\nHost: rtproxy\nContent-Length: 0\nPragma: no-cache
     <- HTTP/1.1 407 Proxy Authentication Required ( Access Deny  )
    HTTP return code: 407 Proxy Authentication Required ( Access Deny  )
     <- Via:1.1 PROXYSVR
     <- Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAGAAYADgAAAAFgomil3mD3InBTAUAAAAAAAAAALgAuABQAAAABQLODgAAAA9TAEEASQBOAFQALQBJAFMATABBAE4ARAACABgAUwBBAEkATgBUAC0ASQBTAEwAQQBOAEQAAQAKAFMASQBOADEAMgAEACYAcwBhAGkAbgB0AC0AaQBzAGwAYQBuAGQALgBjAG8AbQAuAHQAdwADADIAcwBpAG4AMQAyAC4AcwBhAGkAbgB0AC0AaQBzAGwAYQBuAGQALgBjAG8AbQAuAHQAdwAFACYAcwBhAGkAbgB0AC0AaQBzAGwAYQBuAGQALgBjAG8AbQAuAHQAdwAAAAAA
    parse_type2: Signature matched
    NTLM Got Domain: mydomain
    NTLM Domain: mydomain
    NTLM Got Challenge: 977983DC89C14C05
    NTLM: MD4 of password is: 25FB2D4EBA7282E496602E91B95B00B5
    DOMAIN: mydomain
    USER: mydomain\userid
    userdom is: 5300410049004E0054002D00490053004C0041004E0044005C004D0031003200350039005300410049004E0054002D00490053004C0041004E004400
    HMAC_MD5 of userdom keyed with MD4 pass is: 666C6B624FA29F3CD3809DF6E9F1EF1F
    client_challenge is: 00B081978E604135
    HMAC is: 8E13E462BAA9AB2FC3346872ED452BCE
     <- Connection: Keep-Alive
     <- Proxy-Connection: Keep-Alive
     <- Pragma: no-cache
     <- Cache-Control: no-cache
     <- Content-Type: text/html
     <- Content-Length: 0     
    Tunneling to rtproxy:443 (remote proxy)
    Communication with local proxy:
     -> CONNECT rtproxy:443 HTTP/1.0
     -> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEgAAADwAPAAYAAAABgAGABQAQAAJAAkAGgBAAAWABYAjAEAAAAAAAAAAAAABYIIogAAAAAAAAAAhqBa5YrfX/2zk1Lw9G7UrQCwgZeOYEE1jhPkYrqpqy/DNGhy7UUrzpd5g9yJwUwFAQEAAAAAAAByboqWoTTMAQCwgZeOYEE1AAAAAAIAGABTAEEASQBOAFQALQBJAFMATABBAE4ARAABAAoAUwBJAE4AMQAyAAQAJgBzAGEAaQBuAHQALQBpAHMAbABhAG4AZAAuAGMAbwBtAC4AdAB3AAMAMgBzAGkAbgAxADIALgBzAGEAaQBuAHQALQBpAHMAbABhAG4AZAAuAGMAbwBtAC4AdAB3AAUAJgBzAGEAaQBuAHQALQBpAHMAbABhAG4AZAAuAGMAbwBtAC4AdAB3AAAAAAAAAAAAUwBBAEkATgBUAC0ASQBTAEwAQQBOAEQAUwBBAEkATgBUAC0ASQBTAEwAQQBOAEQAXABtADEAMgA1ADkAVwBPAFIASwBTAFQAQQBUAEkATwBOAA==
     -> Proxy-Connection: Keep-Alive
     -> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\nHost: rtproxy\nContent-Length: 0\nPragma: no-cache
     <- HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  )
    HTTP return code: 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  )
    Tunneling to rtproxy:443 (remote proxy)
    Communication with local proxy:
     -> CONNECT rtproxy:443 HTTP/1.0
     -> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEgAAADwAPAAYAAAABgAGABQAQAAJAAkAGgBAAAWABYAjAEAAAAAAAAAAAAABYIIogAAAAAAAAAAhqBa5YrfX/2zk1Lw9G7UrQCwgZeOYEE1jhPkYrqpqy/DNGhy7UUrzpd5g9yJwUwFAQEAAAAAAAByboqWoTTMAQCwgZeOYEE1AAAAAAIAGABTAEEASQBOAFQALQBJAFMATABBAE4ARAABAAoAUwBJAE4AMQAyAAQAJgBzAGEAaQBuAHQALQBpAHMAbABhAG4AZAAuAGMAbwBtAC4AdAB3AAMAMgBzAGkAbgAxADIALgBzAGEAaQBuAHQALQBpAHMAbABhAG4AZAAuAGMAbwBtAC4AdAB3AAUAJgBzAGEAaQBuAHQALQBpAHMAbABhAG4AZAAuAGMAbwBtAC4AdAB3AAAAAAAAAAAAUwBBAEkATgBUAC0ASQBTAEwAQQBOAEQAUwBBAEkATgBUAC0ASQBTAEwAQQBOAEQAXABtADEAMgA1ADkAVwBPAFIASwBTAFQAQQBUAEkATwBOAA==
     -> Proxy-Connection: Keep-Alive
     -> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\nHost: rtproxy\nContent-Length: 0\nPragma: no-cache
     <- Via:1.1 PROXYSVR
     <- Proxy-Authenticate: NTLM
    error: Socket read error: [104] Connection reset by peer
    
     
  • Jon McClelland
    Jon McClelland
    2011-08-21

    I've also hit this issue. Looks like proxytunnel doesn't work via newer ISA servers. i.e. NTLM is probably no longer allowed on newer servers - only Kerberos. So, does proxytunnel need more development to cater for this? Is PT still being maintained?
    Hopefully, this is just a configuration issue, but I've tried various settings with no joy.

     
  • chowjok
    chowjok
    2011-10-01

    I've had the same problem with NTLM on Microsoft ISA Server. I eventually ended up using cntlm + proxytunnel and that works great.

    cntlm handles the NTLM authentication and creates a regular proxy on localhost, and then proxytunnel can use this proxy. Make sure to test the cntlm proxy with wget or something and make sure it's working before playing with proxytunnel.

    See: http://cntlm.sourceforge.net/

     
  • Camus Patrick
    Camus Patrick
    2012-02-06

    Thanks @chowjok, it works very well this way.