Netsweeper - Tearing my hair out

[garethedmondson]

Evening,

Not sure anyone can help but I'll cross my fingers.

Here we go.... for the past two/three years the LEA have been using Netsweeper as their preferred filtering solution. It was put in to replace Websense which wasn't really doing the job. So the LEA and Netsweeper cobbled together something and all was good. From what I gather it was put behind an ISA box and a special plug-in written. This plug-in kept crashing due to memory leaks and the LEA started looking for something else.

They have now moved over to the Squid version of Netsweeper and it isn't working properly. Browsing the web is fine in IE and Firefox but the moment you want to use a plug in such as Java (e.g. to access yousrc.com ) or if you want to use a piece of software such as iTunes or gotomeeting then you are immediately challenged with an authentication box (see picture attached). The LEA are at a loss. Entering credentials are not working.

I've contacted Netsweeper and they have asked for the squid.conf file - which I do not have as I don't have access to the Netsweeper boxes.

Has anyone seen this before? Would anyone have any idea what changes I could ask the LEA to make? It's affecting lessons as we cannot teach our Java lesson (again using yousrc.com). I've asked the LEA for the squid.conf file but I very much doubt they would give it to me. Netsweeper (in their defence) are helping me even though the support contract is with the LEA. I'm bypassing the normal channels because nothing is happening.

If anyone has any ideas I'd love to here them.

Many thanks

Garethtony.jpg

[Jonah]

I've seen things vaguely similar, in particular with iTunes. The addresses/URLs needed adding to the Default Subnet Policy, as well as the Staff/Student policy as it was trying to authenticate to the NetSweeper as the machine rather than the user. It's been a while since I've dealt with it though.

[garethedmondson]

I've seen things vaguely similar, in particular with iTunes. The addresses/URLs needed adding to the Default Subnet Policy, as well as the Staff/Student policy as it was trying to authenticate to the NetSweeper as the machine rather than the user. It's been a while since I've dealt with it though.

Not entirely sure what you mean. I've added some of the urls to the allow policy. *.yousrc.com etc - still isn't working.

Gareth

[tom_newton]

Java doesn't play nice with proxy authentication, in general. Would suggest the LEA need to exclude those domains from being authenticated. It is not a hard thing to do in squid, and if netsweeper can't help them fix it...

[jinnantonnixx]

I'm guessing you're using Kerberos?

OK, unless you get NTLM + basic authentication working (and as it happens I'm working on that problem with Squid), you can allow an exception in your squid.conf for java.
I'll post the exception tomorrow. It works for itunes, too.

Be careful doing this though, I'll explain by PM if you like as there's a massive security hole.

[jamescole1978]

Hi Gareth, can you PM me your details and we will get this resolved? We've been running NTLM and Kerberos authentication in other regions. No doubt we'll have to go back to the LA with it however that's no big issue wf we know what the challenge is.

James

[jinnantonnixx]

You could try this in your squid.conf

acl AgentsNoAuth browser Java/ iTunes NSPlayer/
http_access allow AgentsNoAuth

then further down where you have your re-writes:

url_rewrite_access deny AgentsNoAuth

Edit: I've just re-read your post and you say you don't have access to the squid config. I don't know what to suggest in this case. I don't think there's anything you can do at your end.