  1. #1
    Just Joined!
    Join Date
    Mar 2007
    Posts
    6

    HTTP/HTTPS proxy


    My organization wishes to control access to the Internet for staff. Staff will only be allowed to access web content on any server outside the organisation, on ports HTTP (80) and SSL (443). Access to all web servers on any port is fine internally. All transactions must be logged on the proxy and associated with a user. I will need to commission a HTTP/HTTPS proxy. Active Directory is used here for authentication purposes.

    I'd like to get some advice on the software solutions available to satisfy this requirement and what other technical changes are necessary to make client systems, servers and the network enforce this.

    Thank you all so much for reading this post! Help please...

  2. #2
    Just Joined!
    Join Date
    Jan 2007
    Posts
    44
    Squid does the job perfectly....that is, if you know how to use it.
    --- Squid has an NTLM module these days.
    --- It also utilizes the CONNECT method, so https traffic will pass.
    --- You can implement a transparent proxy, port forwarding TCP ports 80 and 443 on the internet router/firewall/gateway to the Squid server.
    --- The clients need not be configured.
    --- The internal traffic won't be affected; only the internet traffic will be proxied.

    You can use webalizer to track internet usage and squid also has an access log file. Remember it will also cache internet content making the browsing experience much faster.

    Regards.

  3. #3
    Just Joined!
    Join Date
    Mar 2007
    Posts
    17
    You can't use the NTLM modules when transparently proxying. The client machine just won't be expecting a 407 from the gateway.
    Still get the internal ip though.

    Quote Originally Posted by k_amisi
    Squid does the job perfectly....that is, if you know how to use it.
    --- Squid has an NTLM module these days.
    --- It also utilizes the CONNECT method, so https traffic will pass.
    --- You can implement a transparent proxy, port forwarding TCP ports 80 and 443 on the internet router/firewall/gateway to the Squid server.
    --- The clients need not be configured.
    --- The internal traffic won't be affected; only the internet traffic will be proxied.

    You can use webalizer to track internet usage and squid also has an access log file. Remember it will also cache internet content making the browsing experience much faster.

    Regards.

  5. #4
    Just Joined!
    Join Date
    Mar 2007
    Posts
    6
    Quote Originally Posted by k_amisi
    Squid does the job perfectly....that is, if you know how to use it.
    --- Squid has an NTLM module these days.
    --- It also utilizes the CONNECT method, so https traffic will pass.
    --- You can implement a transparent proxy, port forwarding TCP ports 80 and 443 on the internet router/firewall/gateway to the Squid server.
    --- The clients need not be configured.
    --- The internal traffic won't be affected; only the internet traffic will be proxied.

    You can use webalizer to track internet usage and squid also has an access log file. Remember it will also cache internet content making the browsing experience much faster.

    Regards.
    thanks!

  6. #5
    Just Joined!
    Join Date
    Mar 2007
    Posts
    6
    Quote Originally Posted by dancudds
    You can't use the NTLM modules when transparently proxying. The client machine just won't be expecting a 407 from the gateway.
    Still get the internal ip though.
    Hmm... in your opinion, is there a better alternative?

  7. #6
    Just Joined!
    Join Date
    Mar 2007
    Posts
    6
    Is there a need for policy here?

  8. #7
    Just Joined!
    Join Date
    Mar 2007
    Posts
    17
    Quote Originally Posted by kitkit80
    Hmm... in your opinion, is there a better alternative?
    A Bluecoat box is able to pick up the AD name transparently. Must use the IP address or something fancy.

    Another thing to note is that transparent proxying doesn't work with https traffic. Reason is there's nothing different from a proxy in the middle to a man in the middle attack!

    Now, from what I've been told, Bluecoat boxes can also transparently proxy https traffic, and get this - it can scan the traffic.
    I don't know for sure, but I've been told that Bluecoat got into bed with Verisign and it spoofs the server and client certificates!

    P.s. I don't work for, nor support Bluecoats!

  9. #8
    Just Joined!
    Join Date
    Mar 2007
    Posts
    17
    Quote Originally Posted by kitkit80
    Is there a need for policy here?
    Here's what I would do.
    Have a GPO or something to get the users' browsers to go to your internal proxy. Transparent is messy, and this way you can exempt local addresses from using the proxy. A PAC file is best.

    Next, configure your Squid to auth with an NTLM challenge and only allow the SAFEPORTS of 80/443.
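    As an added example (not code from this thread or from Squid), here is a PAC file of the kind post #8 describes: plain hostnames, the internal AD domain and private/loopback IP literals go DIRECT on any port, and everything else is sent to Squid, which then enforces the NTLM challenge and the 80/443 Safe_ports rule. The proxy host "squid.corp.example:3128" and the suffix ".corp.example" are placeholders; the file uses only plain JavaScript (no isInNet/shExpMatch helpers) so it behaves the same in a browser's PAC engine and in Node.

```javascript
// Assumed placeholders: replace with your real Squid listener and AD DNS suffix.
var PROXY = "PROXY squid.corp.example:3128";
var INTERNAL_SUFFIX = ".corp.example";

// Parse a dotted-quad literal into a 32-bit number, or -1 if it is not IPv4.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// RFC 1918 and loopback ranges: the "local addresses" to exempt from the proxy.
function isPrivateIp(host) {
  var n = ipv4ToInt(host);
  if (n < 0) return false;
  return (n >>> 24) === 10 ||                 // 10.0.0.0/8
         (n >>> 24) === 127 ||                // 127.0.0.0/8
         (n >>> 20) === ((172 << 4) | 1) ||   // 172.16.0.0/12
         (n >>> 16) === ((192 << 8) | 168);   // 192.168.0.0/16
}

// Internal = unqualified name, the AD domain (or a host under it), or a private IP.
// The leading dot in INTERNAL_SUFFIX stops "notcorp.example" from matching.
function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;            // e.g. "intranet"
  if (host === INTERNAL_SUFFIX.slice(1)) return true;   // the bare domain itself
  if (host.length > INTERNAL_SUFFIX.length &&
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  return isPrivateIp(host);
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";   // any port, unproxied, as the OP wants
  return PROXY;                            // external: Squid applies auth + Safe_ports
}
```

    The PAC only steers browsers; direct egress on 80/443 from clients still has to be blocked at the gateway so the proxy cannot be bypassed.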
