We are trying to find ways to configure the Juniper DX3280 to encrypt the forward proxy authentication or the client-proxy traffic. Please find below the details of what we are trying to do:
1. Current AUB setup:
   a. Forward proxy servers: Squid (http://www.squid-cache.org/)
   b. 3 servers are used, each controlling an Internet link. Each Internet link is provided by a separate ISP.
   c. Currently load balancing is performed using an automatic configuration script downloaded at the launch of the browser client (linked from "use automatic configuration script" in IE, for example).
   d. The forward proxy authentication is currently done in clear text, since:
      i. We do not want to keep MD5 hashed passwords on the proxy servers.
      ii. We do not want to use NTLM authentication due to the complexity of the setup and some security holes found when using kiosk-type machines on campus.
2. What we are trying to do to benefit from the DX3280:
   a. Create a cluster for the 3 proxy servers.
   b. Point the user browser proxy configuration to the VIP instead of getting a script.
   c. Make that cluster authenticate the users instead. We used RADIUS authentication.
   d. Configure the proxy servers not to authenticate the users (leave this task to the DX3280).
3. Problems faced so far when we created the cluster (in a pilot test environment):
   a. Since the DX3280 will not be using standard proxy authentication but HTTP authentication, we could not use SSL as the client was not expecting it. (Proxy authentication description: browsers send the user's authentication credentials in the Authorization request header. If Squid gets a request and the http_access rule list gets to a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password. If the header is missing, Squid returns an HTTP reply with status 407 (Proxy Authentication Required). The user agent (browser) receives the 407 reply and then prompts the user to enter a name and password. The name and password are encoded and sent in the Authorization header for subsequent requests to the proxy.)
   b. Since we are using HTTP authentication, the user has to authenticate for each new URL or, worse, each new domain (some web pages are designed with content from multiple domains).
   c. We could not use anything except PAP to authenticate the user, hence we were back to square one (clear text passwords).
Is there a solution to use the DX3280 to securely authenticate proxy users? Is what we are trying to achieve doable using the DX, or do we need to use SSL VPN?
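The 407 challenge/response flow the question describes, modelled in Python as an added example (not code from the original post, Squid or Juniper). It checks the Proxy-Authorization header defined for proxy authentication in RFC 7235 as well as the Authorization header named above, and decodes the Basic token to show why this scheme counts as clear text: the credentials are only base64, which anyone on the path between browser and proxy can reverse. The realm name and the user/password values are constructed sample data.

```python
import base64
from typing import Dict, Optional, Tuple

REALM = "Campus proxy"  # constructed example realm, not a real configuration value


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def decode_basic(token: str) -> Tuple[str, str]:
    """Reverse a Basic credential token. It is base64, not a hash: the password
    comes back verbatim, which is the clear-text problem the question raises."""
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def proxy_auth_check(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Model of the proxy_auth ACL decision: returns (status, response headers, username).
    A missing or unusable credential produces the 407 challenge that makes the
    browser prompt the user; a decodable one lets the request through."""
    challenge = {"Proxy-Authenticate": f'Basic realm="{REALM}"'}
    for name in ("Proxy-Authorization", "Authorization"):
        value = _lookup(headers, name)
        if value and value.lower().startswith("basic "):
            try:
                user, _password = decode_basic(value.split(" ", 1)[1].strip())
            except (ValueError, UnicodeDecodeError):
                return 407, challenge, None
            return 200, {}, user
    return 407, challenge, None


def sample_exchange() -> Tuple[int, int, str, str]:
    """Constructed two-request exchange: first request has no credentials and is
    challenged; the retry carries them. Returns both statuses plus what an
    observer on the wire can recover from the retry."""
    first, _, _ = proxy_auth_check({"Host": "www.example.com"})
    token = base64.b64encode(b"jdoe:s3cret").decode()  # what the browser sends
    second, _, user = proxy_auth_check({"Proxy-Authorization": f"Basic {token}"})
    _, seen_password = decode_basic(token)  # recoverable by anyone who sees the header
    return first, second, user, seen_password
```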
The DX product, typically used in reverse proxy environments, does not support forward proxy authentication at this time. You will not be able to achieve your current requirements with a DX alone. I would suggest you contact your SE contact at Juniper and discuss the project with him or her. If you are not sure of who your SE contact is then please let me know and I will pass your details on.
Message Edited by ChristopherHowarth on 07-02-2008 05:01 AM
Christopher Howarth CISSP RHCE JNCIS-FWV JNCIA-WX/SSL