- #1, 03-04-2007, Just Joined! (Join Date: Mar 2007, Posts: 6)
HTTP/HTTPS proxy
My organisation wishes to control access to the Internet for staff. Staff will only be allowed to access web content on any server outside the organisation, on ports HTTP (80) and SSL (443). Access to all web servers on any port is fine internally. All transactions must be logged on the proxy and associated with a user. I will need to commission an HTTP/HTTPS proxy. Active Directory is used here for authentication purposes.
I'd like to get some advice on the software solutions available to satisfy this requirement and what other technical changes are necessary to make client systems, servers and the network enforce this.
Thank you all so much for reading this post! Help please...
- #2, 03-04-2007, Just Joined! (Join Date: Jan 2007, Posts: 44)
Squid does the job perfectly... that is, if you know how to use it.
--- Squid has an NTLM module these days.
--- It also utilizes the CONNECT method, so HTTPS traffic will pass.
--- You can implement a transparent proxy, port forwarding of TCP ports 80 and 443 on the Internet router/firewall/gateway to the Squid server.
--- The clients need not be configured.
--- The internal traffic won't be affected; only the Internet traffic will be proxied.
You can use webalizer to track Internet usage, and Squid also has an access log file. Remember it will also cache Internet content, making the browsing experience much faster.
Regards.
- #3, 03-04-2007, Just Joined! (Join Date: Mar 2007, Posts: 17)
You can't use the NTLM modules when transparently proxying. The client machine just won't be expecting a 407 from the gateway.
Still get the internal IP though.
Originally Posted by k_amisi
- #4, 03-04-2007, Just Joined! (Join Date: Mar 2007, Posts: 6)
Thanks!
Originally Posted by k_amisi
- #5, 03-04-2007, Just Joined! (Join Date: Mar 2007, Posts: 6)
Hmm... in your opinion, is there a better alternative?
Originally Posted by dancudds
- #6, 03-04-2007, Just Joined! (Join Date: Mar 2007, Posts: 6)
Is there a need for policy here?
- #7, 03-04-2007, Just Joined! (Join Date: Mar 2007, Posts: 17)
A Bluecoat box is able to pick up the AD name transparently. Must use the IP address or something fancy.
Originally Posted by kitkit80
Another thing to note is that transparent proxying doesn't work with HTTPS traffic. The reason is there's nothing different between a proxy in the middle and a man-in-the-middle attack!
Now, from what I've been told, Bluecoat boxes can also transparently proxy HTTPS traffic, and get this: it can scan the traffic.
I don't know for sure, but I've been told that Bluecoat got into bed with VeriSign and it spoofs the server and client certificates!
P.s. I don't work for, nor support Bluecoats!
- #8, 03-04-2007, Just Joined! (Join Date: Mar 2007, Posts: 17)
Here's what I would do.
Originally Posted by kitkit80
Have a GPO or something to get the users' browsers to go to your internal proxy. Transparent is messy, and this way you can exempt local addresses from using the proxy. A PAC file is best.
Next, configure your Squid to auth with an NTLM challenge and only allow the SAFEPORTS of 80/443.
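As an added example of the PAC-file half of this approach (not code from the thread or from any of its posters), here is a PAC file that sends intranet hosts DIRECT and everything else to the Squid box. The proxy host name `proxy.example.local`, port 3128 and the internal DNS suffix `.example.local` are assumptions; treating RFC 1918 addresses and unqualified host names as "internal" is also an assumption you should match to your own network. It is written in plain JavaScript rather than with the PAC helper functions (`isInNet`, `dnsDomainIs`) so that it can also be run and checked outside a browser.

```javascript
// Added example PAC file, not from the original thread.
// Assumptions: Squid listens on proxy.example.local:3128; the AD DNS zone is
// example.local; RFC 1918 ranges, loopback and unqualified names are "internal".

var PROXY = "PROXY proxy.example.local:3128";   // assumed Squid host and port
var INTERNAL_SUFFIX = ".example.local";        // assumed internal DNS suffix

// Parse a dotted-quad IPv4 literal; return null if host is not one.
function parseIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var octets = [];
  for (var i = 1; i <= 4; i++) {
    var n = parseInt(m[i], 10);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// RFC 1918 private ranges plus loopback.
function isPrivateIPv4(o) {
  if (o[0] === 10) return true;
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return true;
  if (o[0] === 192 && o[1] === 168) return true;
  if (o[0] === 127) return true;
  return false;
}

// Decide whether a host is inside the organisation and may bypass the proxy.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;                 // unqualified intranet name
  if (host === INTERNAL_SUFFIX.slice(1)) return true;        // the zone apex itself
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  var ip = parseIPv4(host);
  if (ip !== null && isPrivateIPv4(ip)) return true;
  return false;
}

// Browser entry point. Internal hosts go DIRECT on any port (the original
// requirement); all external traffic goes to Squid, which enforces 80/443 and
// NTLM authentication, so there is no port check here on purpose.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  return PROXY;
}
```

On the Squid side the matching pieces are `auth_param ntlm program ...` pointing at Samba's `ntlm_auth` helper, an `acl Safe_ports port 80 443` / `acl SSL_ports port 443` pair with `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`, and `acl ntlm_users proxy_auth REQUIRED` followed by `http_access allow ntlm_users`; the exact helper path and option names depend on your Squid and Samba versions, so check them against the squid.conf documentation for the release you deploy.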