How to configure (k/x)ubuntu behind an NTLM proxy (aka ISA MS Server, aka Internet Security and Acceleration Server), using cNTLM
What’s the scenario?
Imagine you have your very-pretty Linux computer inside a network, like your work network, and to connect to the internet you have to go through a proxy which asks you for a username and password.
This means that the programs on your computer must be capable of “talking NTLM” with the proxy, and in Ubuntu only a few of them can do this without any hack (for example, Firefox is “NTLM-proxy” capable).
So what is the hack that can solve this?
Well, although a program may not be able to talk “NTLM-proxy” by itself, many programs are capable of talking to a “normal-proxy”, that is, a proxy without the NTLM part.
So the idea is to install Cntlm, which creates a virtual “normal-proxy” locally on your computer and automatically adds the NTLM protocol to the normal connections made to that “normal-proxy”.
After you have Cntlm installed, you configure your program to use the virtual “normal-proxy” created by Cntlm. By doing all this, you will finally have your program (which is only “normal-proxy” capable) going through the NTLM proxy, via the virtual “normal-proxy” of Cntlm.
Confusing? It is not, just harder to explain than to show 🙂
Summarized instructions of how to make it happen
NOTE: I no longer have access to a Linux computer behind an NTLM proxy, and so I will only leave the notes I’ve taken in the past to install and configure Cntlm on a Debian/Ubuntu system. The notes are proven to work although they may look like vague indications and not a step-by-step guide, but I hope that they are enough to give someone an overview of the sequence:
1. Install and configure Cntlm
1.1- download cntlm deb-package
(NOTE: the above link is for all debian and (x/k/l)ubuntus)
1.2 – install deb-package
sudo dpkg -i cntlm_0.35.1-5_i386.deb
1.3- Configure Cntlm to use the “NTLM-proxy”, by creating the file /etc/cntlm.conf
sudo pico /etc/cntlm.conf
…and fill in with your NTLM-proxy information:
(this is the minimum the conf file must contain to work – for many more options and twists see the “Configuration” section of the man page)
1.4- Restart Cntlm so that the configuration changes take effect
sudo invoke-rc.d cntlm restart
With the above done, we will have the Cntlm virtual proxy installed and running at http://127.0.0.1:3128
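A check worth running on the finished /etc/cntlm.conf, because that file holds your domain credentials and any client that can reach Cntlm's listening port is proxied with them. This is an added example, not part of the original notes or of the Cntlm project; it assumes GNU stat, and the sample config inside it is constructed with placeholder values.

```shell
#!/bin/sh
# Added example: audit a cntlm.conf for settings that expose proxy credentials.
# Prints one finding per line; prints nothing when the file is clean.
audit_cntlm_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 0; }

    # The file holds your domain credentials: no group/other access.
    mode=$(stat -c '%a' "$conf")            # GNU stat, as on Debian/Ubuntu
    case $mode in
        *00) ;;
        *) echo "PERMS: mode is $mode, use chmod 600" ;;
    esac

    # A cleartext Password line; PassNTLMv2/PassNT/PassLM hold hashes instead.
    if grep -Eiq '^[[:space:]]*Password[[:space:]]+[^[:space:]]' "$conf"; then
        echo "PASSWORD: cleartext Password line present"
    fi

    # Gateway mode makes cntlm listen on every interface, not just loopback.
    if grep -Eiq '^[[:space:]]*Gateway[[:space:]]+yes' "$conf"; then
        echo "GATEWAY: Gateway yes exposes the proxy to the network"
    fi

    # An explicit Listen address other than loopback has the same effect.
    awk 'tolower($1) == "listen" && $2 ~ /:/ && $2 !~ /^(127\.0\.0\.1|localhost):/ {
             print "LISTEN: " $2 " is not a loopback address" }' "$conf"
    return 0
}

# Constructed sample config: every value is a placeholder.
demo_cntlm_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Username  jdoe
Domain    EXAMPLE
Password  not-a-real-password
Proxy     proxy.example.internal:8080
Listen    0.0.0.0:3128
Gateway   yes
EOF
    chmod 644 "$tmp"
    audit_cntlm_conf "$tmp"
    rm -f "$tmp"
}
demo_cntlm_audit
```

Running `cntlm -H` prints the hash lines that can replace the Password line; those hashes still authenticate as you, so the file mode matters either way.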
2. Configure your programs to use the local “normal-proxy” http://127.0.0.1:3128
2.1- Change .bashrc, to configure the default proxy for: wget, curl, apt-get and others
echo '' >> $HOME/.bashrc
echo '#:) Cntlm local proxy configuration' >> $HOME/.bashrc
echo 'export http_proxy=http://127.0.0.1:3128' >> $HOME/.bashrc
echo 'export https_proxy=http://127.0.0.1:3128' >> $HOME/.bashrc
echo 'export ftp_proxy=http://127.0.0.1:3128' >> $HOME/.bashrc
echo '' >> $HOME/.bashrc
…and now close and open a new console (so that the changes made to .bashrc take effect)
To test if wget (for example) is working fine through the Cntlm proxy, do:
wget -O- http://www.google.com
…and if it takes too long to “connect” then something is wrong. If it executes fast and shows a text-storm then it’s working ok 🙂
2.2- Configure KDE and Konqueror (doesn’t include Synaptic Manager, it uses its own network configuration, not very much configurable in fact…)
HTTP: http://127.0.0.1 PORT: 3128
x – Use the same proxy for all protocols
… and now Konqueror should correctly connect to the internet
The man page of cntlm is *very* well documented – the guy that made it knew what he was doing… and he made it in C.
It can also behave as a SOCKS proxy and/or establish SSH tunnels – read that man page, it gets very interesting all that can be done with Cntlm behind a proxy :)
It’s the most stable NTLM-wrapper proxy that I’ve found, and the best of all by clear advantage, although it seems one of those lost pearls of open source that doesn’t get the deserved attention.
I am aware that wget has a built-in option to talk to an “NTLM proxy” which is (--http-user and --http-password) – I’ve used wget here as an example and without that option so that it uses the Cntlm proxy pointed to by the “http_proxy” environment variable
And Cntlm seems to be made by only 1 person without any external libraries… incredible
I know a few more examples and tests would be a great add-on to the above instructions, but I have no access to an NTLM proxy now… so if you have something to add, please post it as a comment and we shall review/include it 🙂
This is my first post, in my first blog – that might explain some enthusiasm and some inexperience errors 🙂 the best of open source is the sharing – people should apply it in diverse ways within their lives 🙂