Koozali.org: home of the SME Server

Use of external proxy

Offline ASPerience

Use of external proxy
« on: October 13, 2009, 11:23:36 AM »
Hi everyone,

I need to make some changes on the network of a client.
They currently use a SME 7.4 server as a gateway + transparent proxy.

They recently told us to install another proxy, which could authenticate users and could be easily configured.

So I decided to install a pfSense based proxy.

I have a problem now. How can I force users to use the authenticating proxy?

Can I:

 - Block outgoing HTTP / HTTPS traffic for some private IPs? If so, how?
 - Redirect all requests to my authenticating proxy? If so, how?

Thanks in advance for your help.

Regards,

Offline Stefano

Re: Use of external proxy
« Reply #1 on: October 13, 2009, 11:57:16 AM »
mmhh..

then you change SME mode from server & gateway to server-only?

I don't know how pfsense can auth users, but I think it should support NT one..

Offline ASPerience

Re: Use of external proxy
« Reply #2 on: October 13, 2009, 12:02:31 PM »
I don't want to change SME operating mode. There is some OpenVPN access on it and I don't want to change this part of the configuration.

Proxy address will be statically configured on client computers. I just want to be sure that a user can't disable proxy (if he knows how to do so) and use the SME routing functions.

Offline Stefano

Re: Use of external proxy
« Reply #3 on: October 13, 2009, 12:17:03 PM »
Quote
I don't want to change SME operating mode. There is some OpenVPN access on it and I don't want to change this part of the configuration.

you don't need to change anything on SME.. you'll use pfsense as firewall and so forward needed ports to internal SME

Quote
Proxy address will be statically configured on client computers. I just want to be sure that a user can't disable proxy (if he knows how to do so)

it's not a SME issue but a windows (or whatever O.S. you use on your clients) one.. you can fix it via local policy (on each client) or with poledit (search forums for it); note: poledit won't work with vista/w7 and with linux.. and, of course, clients must be joined to domain

Quote
and use the SME routing functions.

define "routing functions" please..

again:
- install pfsense and use it as your default GW
- change SME to server-only mode
- forward (on pfsense) all needed ports to SME
- on client pc, use pfsense as default GW/proxy
- set up proxy on pfsense to use NT auth (if supported) and use SME domain users..

my 2c

Offline ASPerience

Re: Use of external proxy
« Reply #4 on: October 13, 2009, 01:48:51 PM »
Ok, I will detail a few things.

I don't want to change the server's configuration. On top of SME, there is a VMware virtual machine (a Windows 2008 server with some Sage software) which I don't want to shut down. I want to avoid any downtime, so I don't want any reboot at this time. I could reconsider it later, but, for now, it's not possible.

There is no NT domain on that network (there are only 13 clients).

I'm just looking for a way to block outgoing tcp traffic on ports 80 and 443 for some IP (actually a network except a whitelist of IP).

If that's not currently possible, I'll try to find a workaround.

Offline janet

Re: Use of external proxy
« Reply #5 on: October 13, 2009, 03:25:43 PM »
ASPerience

Quote
I'm just looking for a way to block outgoing tcp traffic on ports 80 and 443 for some IP

Read the FAQ, see the Firewall section re blocking outgoing ports and also section re controlling access to the proxy. Maybe they will answer your needs, let us know.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

Re: Use of external proxy
« Reply #6 on: October 14, 2009, 04:20:29 AM »
ASPerience

See http://wiki.contribs.org/Dansguardian
Read the Auth proxy login sections eg ident, for usage ideas

Maybe you could use Dansguardian to do the job using the sme squid proxy instead of pfsense
For fancy GUI panels use the Dungog commercial version, check the dungog site for details
