Working through a Microsoft Proxy Server

A recent company merger meant I had to move to a new office where the network infrastructure was a lot more, er, managed. In particular, the use of a Microsoft proxy server stopped me ssh'ing to my home machine, and also prevented apt-get working on our Debian-based Samba server.

apt-get via a proxy

Knowing that apt-get uses wget under the hood, I first got it working with the http proxy. This can be achieved with a command line URL of the form (note the %5C represents a backslash):

  wget -c -b --no-check-certificate https://DOMAIN%5CNAME:PASSWD@site.com/target

Alternatively, it is possible to set the proxy address and connect authorisation into the http_proxy environment variable. Viz:

  export http_proxy="http://DOMAIN%5CNAME:PASSWD@PROXY:PORT"

Having tested both these methods with wget, I tried apt-get, but got the following error message.

  Err http://security.debian.org sarge/updates/main Packages
  407 Proxy Authentication Required ( The ISA Server requires authorization 
      to fulfill the request. Access to the Web Proxy service is denied.  )

After much browsing, it appears that apt-get does not like the http_proxy environment variable being set. The proxy information must be provided via the /etc/apt/apt.conf file, using a line of the form:

  Acquire::http::Proxy "http://DOMAIN%5CNAME:PASSWD@PROXY:PORT";

and the http_proxy environment variable must not be set.

Using ssh through a proxy

My solution to this involves a little program called corkscrew. In order to use corkscrew you must add lines similar to the ones below to your ~/.ssh/config file:

  Host hydrus.org.uk
    ProxyCommand /usr/bin/corkscrew PROXY PORT  %h %p ~/.ssh/auth-file

The username and password must be placed in the a separate file (called auth-file in the example above), using the format DOMAIN\NAME:PASSWD.

My first attempt to ssh to my site resulted in the following error:

  Proxy could not open connnection to hydrus.org.uk: Proxy Error ( The
  specified Secure Sockets Layer (SSL) port is not allowed. ISA Server
  is not configured to allow SSL requests from this port. Most Web
  browsers use port 443 for SSL requests.  )

Hmm, the proxy didn't allow the use of the default ssh port, 22, so I figured I would have to NAT port 443 on my firewall to allow a connection on port 443 via the proxy.

Next day, with port 443 opened and pointed at port 22 in my firewall, I tried again from the work machine, using the command line:

  ssh -p 443 hydrus.org.uk

Now it worked. To ensure I didn't need to remember the -p argument, I added a Port 443 line to ~/.ssh/config, so the whole entry now looks like:

  Host hydrus.org.uk
    Port 443
    ProxyCommand /usr/bin/corkscrew PROXY PORT  %h %p ~/.ssh/auth-file