Personal tools
Break free from forefront TMG proxy

Can Loca ride?

Jan 17, 2013

Break free from forefront TMG proxy

I was asked to install and configure a debian server to run a Plone site behind Microsoft Forefront TMG. Mission impossible? No... just a story to tell!

It was a dark and stormy night, me and the server, Loca, left all alone in a chilly room.

To let a linux server connect with Forefront I wanted to set up and run cntlm, which is a local proxy that authenticates to a Forefront gateway to allow internet traffic.

I had to install it manually on a debian server after that a minimal installation with the netinst cd was aborted.

The server was offline, I had to think about an offline method to install cntlm. I downloaded the deb from and saved it on a USB pen drive, then installed the deb with dpkg:

dpkg - i cntlm_0.35.1-5_i386.deb

Once I got cntlm installed I tested my Forefront connection parameters using the "magic" -M flag:

cntlm -fv -l $PORT -u $USER@$DOMAIN -p $PASSWORD \

This will gave me hints to edit /etc/cntlm.conf file properly in order to run cntlm in daemon mode.

I had just a debian network install cd with me and I asked Loca if she wanted some.

A short explanation of the arguments in the command line follows:

  • -fv run cntlm in foreground and verbose mode
  • -l $PORT listen to the specified port (default 3128)
  • -p $PASSWORD you should know it...
  • -u $USER@$DOMAIN the user that authenticates to Forefront (e.g. alert@redturtle)
  • -w $NETBIOS_NAME the workstation NetBIOS name (e.g. REDTURTLE)
  • -M $URL probe a test url to make "magic detection" (e.g.
  • $TGMIP the Forefront gateway ip address (e.g.
  • $TGMPORT the port Forefront gateway is listening to (e.g. 8080)

More information on the cntlm man page (check out the online version).

Environment variables

With cntlm up and running daemonized by the init scripts, to use the proxy I had to define the proper environment variables:

export http_proxy=
export https_proxy=
export ftp_proxy= 


I had also to setup apt, adding a file /etc/apt/apt.conf.d/02proxy containing those lines:

Acquire::http::proxy "http://localhost:3128/";
Acquire::ftp::proxy "ftp://localhost:3128/";
Acquire::https::proxy "https://localhost:3128/";



To use svn for checkouts I had to look in /etc/subversion/servers for the "[Global]" section and added a couple of lines like in this example:




After a few moments we were friends and decided to join our efforts from freedom.

Once I apt-got all the packages I needed and checked out my Plone buildout I thought everything would be fine.

Of course I was wrong!
There's an issue, apparently with urllib, that makes buildout fail (see,

I forked buildout on github to work around this issue.

You can clone and can get the source tarball from

To use it I suggest you to create a virtual env in your buildout directory, add in the buildout root a folder (e.g. pypi-local), download to that folder the tarball and "pip install" it, the commands are something like:

virtualenv cntlm
cd cntlm/
. bin/activate
mkdir pypi-local
cd pypi-local/
cd ..
./bin/pip install pypi-local/zc.buildout-1.6.4-issue-32-1.tar.gz

To use this folder as a local pypi repository in your buildout, edit your buildout configuration file and add to the find-links this folder. Don't forget to pin the zc.buildout version!

find-links =

zc.buildout = 1.6.4-issue-32-1

With this setup buildout runs fine :)!

Filed under: ,
comments powered by Disqus