I've been working on an issue with Squid/Dansguardian/Shorewall connecting to an OWA site outside of the network. I was originally thinking it was squid that was causing the issue; now I'm leaning towards something in the iptables/shorewall configuration.

Squid is in transparent mode.

(This also applies to the sharepoint server which uses the same auth as OWA)

On two different networks that have a shorewall firewall I cannot connect to the OWA. I get the login prompt to appear and in the case of IE, after entering my login ID/password the screen immediately goes to "Internet explorer cannot display the webpage". In Chrome, the popup auth window just keeps appearing and asks for the username/password over and over. So my assumption is that I'm getting to the site but not allowing the auth. I was originally thinking it was packet mangling but I don't have that configured in my shorewall.conf on the 2nd shorewall device.

Keep in mind, from this same network I can access other OWA sites just fine that do not use shorewall. So that's why I'm thinking it's a shorewall/iptables configuration issue.

I can access the OWA that was having issues just fine without the proxy though, which makes this hard to decipher where the issue is coming from.

My rule is simple:

Rules:

ACCEPT net loc:10.1.1.3 tcp http # webmail2

Nat:

# EMail server
999.999.999.999 eth2 10.1.1.3 yes yes

Does anyone have an idea on what is going on?

Thanks!

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
On 6/10/10 7:51 AM, Johnson, S wrote:
> Does anyone have an idea on what is going on?

None. My Macbook Pro uses OWA to access my email and address book at HP and I have no issues (Squid transparent Proxy and SNAT).

As always with connection issues, we can't help you unless you give us the information detailed at http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 6/10/10 7:51 AM, Johnson, S wrote:
> I've been working on an issue with Squid/Dansguardian/Shorewall
> connecting to an OWA site outside of the network. I was originally
> thinking it was squid that was causing the issue now I'm leaning towards
> something towards the iptables/shorewall configuration.
>
> Squid is in transparent mode.
>
> (This also applies to the sharepoint server which uses the same auth as OWA)
>
> On two different networks that has a shorewall firewall I cannot connect
> to the OWA. I get the login prompt to appear and in the case of IE,
> after entering in my login ID/password the screen immediately goes to a
> "Internet explorer cannot display the webpage". In Chrome, the popup
> auth window just keeps appearing and asks for the username/password over
> and over. So my assumption is that I'm getting to the site but not
> allowing the auth. I was originally thinking it was packet mangling but
> I don't have that configured in my shorewall.conf on the 2nd shorewall
> device.
>
> Keep in mind, from this same network I can access other OWA sites just
> fine that do not use shorewall. So that's why I'm thinking it's a
> shorewall/iptables configuration issue.
>
> I can access the OWA that was having issues just fine without the proxy
> though which makes this hard to decipher where the issue is coming from.
>
> My rule is simple:
>
> Rules:
>
> ACCEPT net loc:10.1.1.3 tcp http # webmail
>
> Nat:
>
> # EMail server
>
> 999.999.999.999 eth2 10.1.1.3 yes yes
>
> Does anyone have an idea on what is going on?

I re-read your report this morning and I realized that I mis-understood your configuration when I replied yesterday. I'm still not at all clear about it so let me see if I have it correct:

a) The client is behind a Shorewall firewall that uses Squid for transparent proxy.

b) The OWA server is behind a Shorewall firewall that uses 1:1 NAT for address translation. The only incoming rule for OWA is for port 80.
If that is correct, then I'm fairly certain that you will need to also add https (port 443) on the server side; have you looked at the Shorewall log there to see if anything is logged when you try to access OWA or the Sharepoint?

-TOM
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
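Written out as a config fragment, the server-side firewall Tom describes in (b) would carry the poster's existing port-80 rule plus the https rule he suggests. This is an added illustration, not a file from either participant: the zone names net/loc, the interface eth2 and the internal address 10.1.1.3 are taken from the posted config, and 999.999.999.999 is the poster's own placeholder for the public address, not a real one.

```shorewall
# /etc/shorewall/rules on the firewall in front of the OWA/SharePoint server
#ACTION    SOURCE    DEST            PROTO    DEST PORT(S)
ACCEPT     net       loc:10.1.1.3    tcp      http          # webmail, port 80 (as posted)
ACCEPT     net       loc:10.1.1.3    tcp      https         # port 443, the addition Tom suggests

# /etc/shorewall/nat on the same firewall (1:1 NAT, as posted)
#EXTERNAL           INTERFACE    INTERNAL     ALL INTERFACES    LOCAL
999.999.999.999     eth2         10.1.1.3     yes               yes
```

After editing, `shorewall check` validates the files and `shorewall restart` loads them; `shorewall show log` prints the most recent firewall log entries, which is where a rejected connection to 443 would appear, provided the net->loc policy in /etc/shorewall/policy has a log level set. If the server really answers only on port 80, the extra rule is harmless but will not change the symptom, and the poster's own observation that the site works without the proxy points back at the client-side Squid/Dansguardian interception as the next thing to isolate.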
A) Yes
B) Yes

I think you've got my setup pretty well down. Actually this server does not use https...YET. I don't see anything out of the ordinary in the logs. This just doesn't make sense.

sj

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, June 11, 2010 8:52 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Weird proxy/OWA connection issue through Shorewall

On 6/10/10 7:51 AM, Johnson, S wrote:
> I've been working on an issue with Squid/Dansguardian/Shorewall
> connecting to an OWA site outside of the network. I was originally
> thinking it was squid that was causing the issue now I'm leaning towards
> something towards the iptables/shorewall configuration.
>
> Squid is in transparent mode.
>
> (This also applies to the sharepoint server which uses the same auth as OWA)
>
> On two different networks that has a shorewall firewall I cannot connect
> to the OWA. I get the login prompt to appear and in the case of IE,
> after entering in my login ID/password the screen immediately goes to a
> "Internet explorer cannot display the webpage". In Chrome, the popup
> auth window just keeps appearing and asks for the username/password over
> and over. So my assumption is that I'm getting to the site but not
> allowing the auth. I was originally thinking it was packet mangling but
> I don't have that configured in my shorewall.conf on the 2nd shorewall
> device.
>
> Keep in mind, from this same network I can access other OWA sites just
> fine that do not use shorewall. So that's why I'm thinking it's a
> shorewall/iptables configuration issue.
>
> I can access the OWA that was having issues just fine without the proxy
> though which makes this hard to decipher where the issue is coming from.
>
> My rule is simple:
>
> Rules:
>
> ACCEPT net loc:10.1.1.3 tcp http # webmail
>
> Nat:
>
> # EMail server
>
> 999.999.999.999 eth2 10.1.1.3 yes yes
>
> Does anyone have an idea on what is going on?

I re-read your report this morning and I realized that I mis-understood your configuration when I replied yesterday. I'm still not at all clear about it so let me see if I have it correct:

a) The client is behind a Shorewall firewall that uses Squid for transparent proxy.

b) The OWA server is behind a Shorewall firewall that uses 1:1 NAT for address translation. The only incoming rule for OWA is for port 80.

If that is correct, then I'm fairly certain that you will need to also add https (port 443) on the server side; have you looked at the Shorewall log there to see if anything is logged when you try to access OWA or the Sharepoint?

-TOM
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________