This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Proxy works, but doesn't work

Hi there,

After allmost giving up, I tried again to configre the AD-SSO/http-proxy settings in My Astaro. This time by deleting all users in the Astaro Userlist and reconfigure my AD-groups in my windows-server.
I replaced the spaces for _
This way I bypass the known-errors with the UTM 9.*** setup. And Yes when I re-prefetch my users and setup a new group and after a reboot of the Astaro (after 20 minute waiting) the http-proxy works.

But Not for long.
When I startup IE9 the Astaro has to wake up (which takes half a minute) and has to think i it is going to accept the user or not.
This is VERY frustrating. See below for log of a test on my AD-server how it runs with only a Google search page.
In IE9 I directly get a login-popup which hou can cancel and after a few cancelings of the login-popup the pages load in your browser.

The bigger problem is...... FireFoxs has NO problems. I use both browsers on my workstations and when I browse in FireFox I have no problems and or loginboxes, while IE disfunctions completely.
FireFoxs also works perfectly with the FDQN while IE not even functions with the IP address of the Astaro!

When you take a look in the Web Filtering log you see Accept en Blocks (winbindd-errors) running besides eachother.

What can be done to solve this problem?
The only thing I can do is to shutdown the proxy-settings in IE. But why shutdown a firewall to use a firewall???

2012:08:23-15:13:13 FIREWALL httpproxy[32170]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9b55aa0" function="auth_adir_getsid_callback" file="auth_adir.c" line="502" message="winbindd request failed ()" 
2012:08:23-15:13:13 FIREWALL httpproxy[32170]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="Administrator" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="2477" request="0x9b55aa0" url="www.google.nl/" exceptions="" error="" 
2012:08:23-15:13:28 FIREWALL httpproxy[32170]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.87.1" dstip="173.194.67.94" user="Administrator" statuscode="200" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_ZGZNNPYuTA (Proxy Filter Action)" size="102972" request="0x9b55aa0" url="www.google.nl/.../html" application="google" 
2012:08:23-15:13:28 FIREWALL httpproxy[32170]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x114d61b8" function="auth_adir_getsid_callback" file="auth_adir.c" line="502" message="winbindd request failed ()" 
2012:08:23-15:13:28 FIREWALL httpproxy[32170]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="Administrator" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="2477" request="0x114d61b8" url="www.google.nl/.../mgyhp_sm.png" exceptions="" error="" 
2012:08:23-15:13:28 FIREWALL httpproxy[32170]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.87.1" dstip="173.194.67.94" user="Administrator" statuscode="304" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_ZGZNNPYuTA (Proxy Filter Action)" size="0" request="0x9b55aa0" url="www.google.nl/.../chrome-48.png" exceptions="" error="" category="145,164" reputation="trusted" categoryname="Search Engines,Visual Search Engine" 
2012:08:23-15:13:28 FIREWALL httpproxy[32170]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x114d6798" function="auth_adir_getsid_callback" file="auth_adir.c" line="502" message="winbindd request failed ()" 
2012:08:23-15:13:28 FIREWALL httpproxy[32170]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="Administrator" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="2477" request="0x114d6798" url="www.google.nl/.../logo3w.png" exceptions="" error="" 
2012:08:23-15:13:28 FIREWALL httpproxy[32170]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.87.1" dstip="173.194.67.94" user="Administrator" statuscode="304" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_ZGZNNPYuTA (Proxy Filter Action)" size="0" request="0x9b55aa0" url="www.google.nl/.../rs=AItRSTPLUDe8EaGySfSbpQvglPVvyaExJg" exceptions="" error="" category="145" reputation="trusted" categoryname="Search Engines" 
2012:08:23-15:13:32 FIREWALL httpproxy[32170]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.87.1" dstip="173.194.67.94" user="Administrator" statuscode="304" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_ZGZNNPYuTA (Proxy Filter Action)" size="0" request="0x9b55aa0" url="www.google.nl/.../4fe2fdcdb07f6db9.js" exceptions="" error="" category="145" reputation="trusted" categoryname="Search Engines" 
2012:08:23-15:13:32 FIREWALL httpproxy[32170]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.87.1" dstip="173.194.67.94" user="Administrator" statuscode="304" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_ZGZNNPYuTA (Proxy Filter Action)" size="0" request="0x9b55aa0" url="www.google.nl/.../swxa.gif" exceptions="" error="" category="145,164" reputation="trusted" categoryname="Search Engines,Visual Search Engine"

This thread was automatically locked due to age.

0 Longman over 13 years ago

It would be helpful to list the ip address and subnet mask of the astaro internal interface and the ip address, subnet mask default gateway of the astaor external interface. I question having the wan router connected to the same switch. I prefer to have a separate switch for the astaro external interface and the wan router but you could do that thru vlans.
Cancel
Vote Up 0 Vote Down

Cancel
0 HMaster over 13 years ago in reply to Longman

It would be helpful to list the ip address and subnet mask of the astaro internal interface and the ip address, subnet mask default gateway of the astaor external interface. I question having the wan router connected to the same switch. I prefer to have a separate switch for the astaro external interface and the wan router but you could do that thru vlans.

I added the both settings of my astaro.
My Astaro is at the moment a VM setup. If it advisable I could create a Vlan or eventualy a direct CAT connection from one of the server NIC ports to the patch-panel WAN port. In this situation, the external-subnet will be closed for other clients.

I could also take a real server to install Astro on that system to setup a dedicated system to test the setup.
- eth0.png
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 13 years ago

That seems like the best solution at present. There definitely shouldn't be any way for internal traffic to appear on the External interface. It will be instructive to learn whether or not this also solves the authentication problem.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel