NTLM chaining

The Squid proxy performs local NTLM identification, then forwards the appropriate Proxy-Authorization headers as an NTLM Type 3 message to the cloud proxy for further transparent user authentication. Squid can maintain multiple connections to the cloud proxy, so connections are shared across users while each request remains associated with the correct user. Squid sends a new Proxy-Authorization header only when it reassigns a connection to another user.

To use this setup, configure Squid to do the following:
  1. Perform NTLM authentication.
  2. Forward requests to the cloud proxy.
  3. Forward user information to the cloud proxy.
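
To check which user a forwarded Proxy-Authorization header names, for example when reviewing a capture taken between Squid and the cloud proxy, the Type 3 message can be decoded as below. This is an added example, not code from the original page or from either proxy; the function names and the EXAMPLE\alice sample header are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise


def _field(msg, pos):
    """Read one (len, maxlen, offset) security buffer and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_type3(header_value):
    """Return the identity fields carried in 'NTLM <base64>' (Type 3 only)."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Proxy-Authorization value")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3 or len(msg) < 64:
        raise ValueError(f"not a complete Type 3 message (type {msg_type})")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: cp437 stands in for the sender's OEM code page.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "nt_response_len": len(_field(msg, 20)),
    }


def build_sample_type3(domain, user, workstation):
    """Constructed sample: real layout, zero-filled dummy LM/NT responses."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts = [bytes(24), bytes(24)] + names + [b""]  # lm, nt, names, session key
    header, payload, offset = NTLMSSP_SIGNATURE + struct.pack("<I", 3), b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")

SAMPLE = build_sample_type3("EXAMPLE", "alice", "WS01")  # constructed header value
```

`parse_type3(SAMPLE)` returns the domain, user and workstation strings plus the length of the NT response, and rejects anything that is not a Type 3 message.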