Hi Yutaka,

I already tested using http instead of https. In a setup when proxying for IIS without Integrated Windows Authentication, all works fine with the certificates.

I now used the following config:

-Plisten_ip:80
-fv
-Enh
ADMIN=admin@test..nl
DGROOT="/DeleGate/"
DELAY=reject:0,unknown:0
SERVER=http
AUTHORIZER=-ntht
HTTPCONF=methods:*
MOUNT="/* http://destination_ip/* via=server_ip"
REACHABLE=destination_ip:80
RELIABLE="*"

Still no traffic goes to the destination server. But it seems that running the server in foreground changed the credentials used from 'NT_AUTHORITY\SYSTEM' to 'SERVERNAME\Administrator'.

09/05 10:06:24.34 [1880] 1+1: REQUEST - GET / HTTP/1.1^M
09/05 10:06:24.34 [1880] 1+1: *** / => http://192.168.4.24/ ***
09/05 10:06:24.34 [1880] 1+1: REQUEST +M http://192.168.4.24/ HTTP/1.1^M
09/05 10:06:24.34 [1880] 1+1: ----NTHT accept 0 MO=1 UT=0
09/05 10:06:24.34 [1880] 1+1: ----NTHT_accept(0,38,38) ss=0
09/05 10:06:24.34 [1880] 1+1: ####cred name=servername\administrator
09/05 10:06:24.34 [1880] 1+1: ====NTLM Start
(WIN) 09:06:24.357 [1880] send(356) = -1+0 errno=10058 [1864]
09/05 10:06:24.36 [1880] 1+1: ## got SIGPIPE [1] in HTTP:
(WIN) 09:06:24.357 [1880] +++EPIPE[38] fflushTIMEOUT() for EOF
09/05 10:06:24.36 [1880] 1+1: ClientEOF: request-EOF-7 [38 38] 0 8000 0
09/05 10:06:24.36 [1880] 1+1: HCKA:[0] closed -- d:by client(request EOF-7)
09/05 10:06:24.36 [1880] 1+1: disconnected [38] -@[56.34.217.136]ip765ced988.speed.planet.com:35035 (0.078s)(0)
ip765ced988.speed.planet.com - - [05/Sep/2008:10:06:24 +0100] "GET http://192.168.4.24/ HTTP/1.1" 401 577 0*0.000+0.000:A:0d

Now I removed the AUTHORIZER=-ntht option and it looks more like it:

-Plisten_ip:80
-Enh
-fv
ADMIN=admin@test..nl
DGROOT="/DeleGate/"
DELAY=reject:0,unknown:0
SERVER=http
HTTPCONF=methods:*
MOUNT="/* http://destination_ip/* via=server_ip"
REACHABLE=destination_ip:80
RELIABLE="*"

Traffic now goes to the destination server and the logfile shows:

09/05 11:18:09.59 [852] 1+1: (0) accepted [54] -@[54.56.217.136]ip768ced988.speed.planet.com:35466 (0.031s)(1)
09/05 11:18:09.61 [852] 1+1: Proxy: host=ip768ced988.speed.planet.com; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.1; .NET CLR 2.0.50727); DIRECT
09/05 11:18:09.61 [852] 1+1: HCKA:[0] Keep-Alive; host=ip768ced988.speed.planet.nl; (User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.1; .NET CLR 2.0.50727))
09/05 11:18:09.62 [852] 1+1: REQUEST - GET / HTTP/1.1^M
09/05 11:18:09.62 [852] 1+1: *** / => http://192.168.4.24/ ***
09/05 11:18:09.62 [852] 1+1: REQUEST +M http://192.168.4.24/ HTTP/1.1^M
09/05 11:18:09.64 [852] 1+1: *** / => http://192.168.4.24/ ***
09/05 11:18:09.64 [852] 1+1: PATH> http://192.168.4.24:80!servername:80!ip768ced988.speed.planet.com:35466!anonymous@ip768ced988.speed.planet.com;1220606289
09/05 11:18:09.64 [852] 1+1: REQUEST = [http://192.168.4.24:80/] GET / HTTP/1.1^M
09/05 11:18:09.64 [852] 1+1: XHost: (0,0,1) 192.168.4.24 <= sft.test.nl
09/05 11:18:09.64 [852] 1+1: connectTO: assume in non-blocking mode
09/05 11:18:09.65 [852] 1+1: ConnectToServer connected [34] {192.168.4.24:80 <- 192.168.1.60:1612} [0.016s]
09/05 11:18:09.65 [852] 1+1: willSTLS_SV: ServerFlags=8000
09/05 11:18:09.65 [852] 1+1: HTTP => (192.168.4.24:80) GET / HTTP/1.1^M
09/05 11:18:09.65 [852] 1+1: default netmask 54.56.217.136/. = FFFFFF00
09/05 11:18:09.65 [852] 1+1: ## hostIFto 54.56.217.136 < 192.168.1.60 (ffffff00 )
09/05 11:18:09.67 [852] 1+1: default netmask 54.56.217.136/. = FFFFFF00
09/05 11:18:09.67 [852] 1+1: HTTP error request: GET / HTTP/1.1^M
09/05 11:18:09.67 [852] 1+1: HTTP error status: 401 Unauthorized
09/05 11:18:09.67 [852] 1+1: ----NTHT buffResp 20 RX_code=401
09/05 11:18:09.67 [852] 1+1: ----NTHT KeepAlive for 401 (-401)
09/05 11:18:09.67 [852] 1+1: #HT11 DO-response-buffering for NTHT
09/05 11:18:09.69 [852] 1+1: HTTP error header: Content-Length: 1656^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: Content-Type: text/html^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: Server: Microsoft-IIS/6.0^M
09/05 11:18:09.69 [852] 1+1: ----NTHT R Negotiate 20
09/05 11:18:09.69 [852] 1+1: HTTP error header: WWW-Authenticate: Negotiate^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: WWW-Authenticate: NTLM^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: X-Powered-By: ASP.NET^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: Date: Fri, 05 Sep 2008 09:21:57 GMT^M
09/05 11:18:09.69 [852] 1+1: ----NTHT 20 added Proxy-Support header
09/05 11:18:09.69 [852] 1+1: #HT11 SERVER ver[HTTP/1.1] conn[]
09/05 11:18:09.69 [852] 1+1: ----NTHT Keep-Alive on err. (-401) 20
09/05 11:18:09.69 [852] 1+1: HTTP error header: ^M
09/05 11:18:09.69 [852] 1+1: HTTP/1.1 401 Content-{Type:text/html Encoding:[/] Leng:1656} KA:1/1 Server:Microsoft-IIS/6.0
09/05 11:18:09.69 [852] 1+1: ----NTHT start session E0
09/05 11:18:09.69 [852] 1+1: ----NTHT E0 putMIMEmsg (401)
09/05 11:18:09.69 [852] 1+1: ----NTHT E0 NO putMIMEmsg
09/05 11:18:09.69 [852] 1+1: ####Gzip [0.000000] - 1656 => 930 [38=>42]
09/05 11:18:09.69 [852] 1+1: putMIMEmsg: Content-Length: 1656 -> 930 (1281 - 351) [gzip]
09/05 11:18:09.69 [852] 1+1: #CEcl put Content-Encoding:gzip
09/05 11:18:09.70 [852] 1+1: ----NTHT keep-alive 401 -401
09/05 11:18:09.70 [852] 1+1: DON'T CLOSE RESPONSE:(0) /
09/05 11:18:09.70 [852] 1+1: HTTP transmitted: 216head+1656/1656body=>0txt+0bin->930/930, 10i/1o/0f/0.0 ---z-
09/05 11:18:09.70 [852] 1+1: #HT11 putServ(35/36/34) 192.168.4.24:80
09/05 11:18:09.70 [852] 1+1: ----NTHT retryAuth: 1 NTHT=E0
09/05 11:18:09.70 [852] 1+1: ----NTHT without auth. conv.
09/05 11:18:09.70 [852] 1+1/1: ----NTHT E0 KA=1
09/05 11:18:09.76 [852] 1+1/1: ClientEOF: request-EOF-6 [54 54] 0 0 0
09/05 11:18:09.76 [852] 1+1/1: HCKA:[1] closed -- d:by client(request EOF-6)
09/05 11:18:09.78 [852] 1+1/1: disconnected [54] -@[54.56.217.136]ip768ced988.speed.planet.com:35466 (0.219s)(0)
ip768ced988.speed.planet.com - - [05/Sep/2008:11:18:09 +0100] "GET http://192.168.4.24/ HTTP/1.1" 401 1656 0*0.016+0.047:RW:0d

Maybe I got it wrong, but I expect to receive a popup on the client computer and those credentials need to be used on the destination server to authenticate.

Thanks.
Kind regards,
Willy Nagel

-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org]
Sent: Friday, September 05, 2008 9:58 AM
To: feedback@delegate.org
Cc: Nagel, Willy
Subject: Re: [DeleGate-En] FW: [DeleGate-En] Windows Integrated Authentication

Hi Willy,

In message <_A4106@delegate-en.ML_> on 09/05/08(16:06:53)
you "Nagel, Willy" <ptihqbdyi-aipiirhggulr.ml@ml.delegate.org> wrote:
 |I've been testing using the same config file, with 9.8.5-pre1, but I'm
 |still unsuccessful.
 |
 |No traffic appears to be going to the destination server (when looking
 |in our firewall logging).
 |
 |Here's the logfile:

Something seems bad with SSL, and/or with running as a background service.
I'll test it by myself but you are recommended to test it without SSL
and/or running your DeleGate in foreground (with -fv option).

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller