Jan 17, 2013
Break free from forefront TMG proxy
I was asked to install and configure a Debian server to run a Plone site behind Microsoft Forefront TMG. Mission impossible? No... just a story to tell!
It was a dark and stormy night, me and the server, Loca, left all alone in a chilly room.
To let a Linux server connect through Forefront I wanted to set up and run cntlm, a local proxy that authenticates to the Forefront gateway on behalf of the machine so that its internet traffic can pass.
The server was offline, so I had to find an offline method to install cntlm. I downloaded the deb from http://ftp.debian.org/pool/main/c/cntlm/cntlm_0.35.1-5_i386.deb, saved it on a USB pen drive, then installed the deb with dpkg:
dpkg -i cntlm_0.35.1-5_i386.deb
Once I got cntlm installed I tested my Forefront connection parameters using the "magic" -M flag:
cntlm -fv -l $PORT -u $USER@$DOMAIN -p $PASSWORD \
    -w $NETBIOS_NAME -M $URL $TGMIP $TGMPORT
This gave me the hints I needed to edit the /etc/cntlm.conf file properly and run cntlm in daemon mode.
I had just a debian network install cd with me and I asked Loca if she wanted some.
A short explanation of the arguments in the command line follows:
- -fv run cntlm in foreground and verbose mode
- -l $PORT listen to the specified port (default 3128)
- -p $PASSWORD you should know it...
- -u $USER@$DOMAIN the user that authenticates to Forefront (e.g. alert@redturtle)
- -w $NETBIOS_NAME the workstation NetBIOS name (e.g. REDTURTLE)
- -M $URL probe a test URL to perform "magic detection" of the authentication settings (e.g. http://www.example.org)
- $TGMIP the Forefront gateway IP address (e.g. 10.0.0.10)
- $TGMPORT the port the Forefront gateway is listening on (e.g. 8080)
More information on the cntlm man page (check out the online version).
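Before leaving cntlm daemonized, the config file deserves a second look: /etc/cntlm.conf holds the domain credentials, and its Gateway and Listen settings decide whether other hosts can relay traffic through them. The script below is an added example, not code from the original post or from the cntlm project; audit_cntlm_conf is a hypothetical helper that reads a cntlm.conf and flags a plaintext Password line (cntlm's -H flag prints the hashed PassNTLMv2/PassNT/PassLM alternatives), Gateway yes, a Listen address other than loopback, and a file mode readable by other users. It assumes a POSIX shell with sed, awk, grep and stat.

```shell
#!/bin/sh
# audit_cntlm_conf: hypothetical helper (not part of cntlm) that reads a
# cntlm.conf and reports the settings that matter once the file holds
# domain credentials. Prints one finding per line; the return value is
# the number of findings, so 0 means nothing was flagged.
audit_cntlm_conf() {
    conf="$1"
    findings=0
    # cntlm.conf comments are whole lines starting with '#'; drop them and
    # blank lines so every check below sees only active directives.
    active=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$conf")

    # 1. A plaintext Password directive leaves the domain password on disk.
    #    'cntlm -H -u user -d domain' prints PassNTLMv2/PassNT/PassLM lines
    #    that can replace it.
    if printf '%s\n' "$active" | grep -qi '^[[:space:]]*Password[[:space:]]'; then
        echo "Password: plaintext password stored; replace with PassNTLMv2 from 'cntlm -H'"
        findings=$((findings + 1))
    fi

    # 2. Gateway yes accepts clients from other hosts, so anyone who can
    #    reach the port relays traffic with these credentials. Keep it off,
    #    or pair it with Allow/Deny rules.
    if printf '%s\n' "$active" | grep -qi '^[[:space:]]*Gateway[[:space:]][[:space:]]*yes'; then
        echo "Gateway yes: proxy accepts non-local clients; set Gateway no or add Allow/Deny rules"
        findings=$((findings + 1))
    fi

    # 3. Listen may carry an address ([ip:]port). Only loopback is expected
    #    for a proxy meant for this box alone; a port-only value is left to
    #    the Gateway check above.
    listen=$(printf '%s\n' "$active" | awk 'tolower($1) == "listen" { print $2; exit }')
    case "$listen" in
        ""|127.0.0.1:*|localhost:*) ;;
        *:*) echo "Listen $listen: bound to a non-loopback address"
             findings=$((findings + 1)) ;;
    esac

    # 4. The file itself must not be readable by other users. This helper
    #    accepts 0600/0400 (owner only) or 0640/0440 (owner plus a group,
    #    e.g. root:cntlm); GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|640|400|440) ;;
        *) echo "mode $mode: config readable by other users; chmod 0640 and chown root:cntlm"
           findings=$((findings + 1)) ;;
    esac

    return $findings
}

# Stand-alone use: sh audit.sh /etc/cntlm.conf
# The exit status is the number of findings, so it can gate a deployment step.
if [ "$#" -ge 1 ]; then
    audit_cntlm_conf "$1"
fi
```

The file mode check is the one to run last, after the -M probe has produced a config you are happy with: the probe is run with -p on the command line, but the daemonized service reads the credentials from the file, so that is where they live from then on.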
With cntlm up and running, daemonized by the init scripts, I had to define the proper environment variables to use the proxy:
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
export ftp_proxy=http://127.0.0.1:3128
I also had to set up apt, adding a file /etc/apt/apt.conf.d/02proxy containing these lines:
Acquire::http::proxy "http://localhost:3128/";
Acquire::ftp::proxy "ftp://localhost:3128/";
Acquire::https::proxy "https://localhost:3128/";
To use svn for checkouts I had to look in /etc/subversion/servers for the "[Global]" section and add a couple of lines, as in this example:
[Global]
...
http-proxy-host=localhost
http-proxy-port=3128
...
After a few moments we were friends and decided to join our efforts from freedom.
Once I had apt-got all the packages I needed and checked out my Plone buildout, I thought everything would be fine.
Of course I was wrong!
There's an issue, apparently with urllib, that makes buildout fail (see https://bugs.launchpad.net/zc.buildout/+bug/484735, https://github.com/buildout/buildout/issues/32).
I forked buildout on github to work around this issue.
You can clone https://github.com/ale-rt/buildout/tree/issue-32 or get the source tarball from https://github.com/downloads/ale-rt/buildout/zc.buildout-1.6.4-issue-32-1.tar.gz.
To use it I suggest you create a virtualenv in your buildout directory, add a folder in the buildout root (e.g. pypi-local), download the tarball to that folder and "pip install" it; the commands are something like:
./bin/pip install pypi-local/zc.buildout-1.6.4-issue-32-1.tar.gz
To use this folder as a local PyPI repository in your buildout, edit your buildout configuration file and add this folder to find-links. Don't forget to pin the zc.buildout version!
zc.buildout = 1.6.4-issue-32-1
With this setup buildout runs fine :)!