Koozali.org: home of the SME Server
		Obsolete Releases => SME 7.x Contribs => Topic started by: Ptah on September 06, 2007, 03:36:55 PM
		
			
			- 
				Hi All.
 
 I have now spent two days going through forums, how to's, faq's etc. etc. and still struggling with Dansguardian on my SME server.
 
 I run SME Server  7.2 in Gateway mode with DansGuardian 2.9.8.0 installed and running. I followed all the instructions as per here:
 
 http://smemirror.fullnet.co.uk/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm
 
 and in the wiki.contrib.org/Dansguardian (these are actually the same set of instructions).
 
 I got it up and running but when I try visiting the URLs I blocked then nothing happens. Maybe I should add that I tried the following proxy settings:
 
 config setprop squid TransparentPort 8080
 config setprop dansguardian portblocking yes
 signal-event post-upgrade; signal-event reboot
 
 but when the server came up again I had absolutely no Internet access so I issued the following
 
 config delprop squid TransparentPort 3128
 config delprop dansguardian portblocking
 signal-event post-upgrade; signal-event reboot
 
 And everything was fine again.
 
 I am pretty sure I might have left some crucial step out as I am fairly new at Linux and SME server. I managed to setup the entire emailing system and that all works beautifully, but now the content filtering is giving me a headache.
 
 I know you boffins probably helped countless people with this already and I missed this somewhere. Please help.
 
 Thanks in advance.
 
 I am sure I didn't lose my mind... I know exactly where I left it 
- 
				Ptah
 
 The Wiki is more up to date, so use that in preference (as stated quite clearly at the top of the old Howto)
 
 ie IMPORTANT - PLEASE SEE MORE RECENT VERSION AT
 http://wiki.contribs.org/Dansguardian
 
 
  I tried the following proxy settings:
 config setprop squid TransparentPort 8080
 config setprop dansguardian portblocking yes
 signal-event post-upgrade; signal-event reboot
 
 
 You can't just try those settings and then undo the config when it appears not to work.
 Those settings ARE required for Dansguardian to work appropriately on sme server.
 
 
 I had absolutely no Internet access so I issued the following  
 That's probably because you did not set your browser proxy setting correctly, or you did not restart dansguardian after making config changes, or perhaps you made some config changes in dansguardian which actually blocked your access, so therefore dansguardian was just doing its job.
 
 I suggest you read the wiki instructions very carefully again, and don't undo settings because you think it's a good idea.
 If it doesn't work, then you have missed doing something.
 
 Follow all the steps and it should work. I suggest you make no additional dansguardian config changes initially (other than the basic ones referred to) so that you don't complicate troubleshooting. Get the basics working and then make more extensive blocking rules later.
 
- 
				Just been trying this, and I can't make it work such that the proxy is picked up automatically.  I am reasonably sure that the reason is that I am running the SME in Server mode, not server-gateway, consequently the "auto detect proxy settings" in IE does not even see the server, as the gateway IP is set to the router on the LAN.
 
 I can only make it work by either specifying the proxy server specifically, OR by specifying "http://<serverip>/proxy.pac" in the "automatic configuration script" field of the IE internet connection parameters.
 
 If my analysis is correct, then perhaps an addition could be made to the wiki.  I am still pursuing whether I can lock down the proxy connection settings in IE.
 
 
- 
				brianr
 
 I am still pursuing whether I can lock down the proxy connection settings in IE. 
 Answered here
 http://wiki.contribs.org/Dansguardian#Using_Group_Policy_Editor_to_force_proxy_port_setting_on_workstations
 
- 
				brianr
 
 Answered here
 http://wiki.contribs.org/Dansguardian#Using_Group_Policy_Editor_to_force_proxy_port_setting_on_workstations
 
 
 
 My experience so far is that this does not seem to work if the user has administrative rights.
- 
				brianr
 
 My experience so far is that this does not seem to work if the user has administrative rights.
 
 
 What does "not seem to work" mean?
 If you set appropriate group policy rights using gpedit.msc, then for example certain menus in Internet Explorer are missing, including for the Administrator.
 Now of course someone with Administrator rights could go into gpedit.msc and remove the restriction on seeing the IE menu where you can change the proxy server details, so of course in that case the user can work around the proxy server settings restrictions, by for example changing the proxy port to 3128 and bypassing dansguardian.
 
 It's obvious not to give users Administrator access if you don't want them to have the ability to change settings.
 
 
 If you have done
 config setprop squid TransparentPort 8080
 and
 config setprop dansguardian portblocking yes
 
 then Auto detect proxy settings will find & use port 8080, and the portblocking setting will stop access via port 3128 or 80, so have you set those ?
 
 
 If you are using group filtering with pam auth and you have done
 
 config setprop squid Transparent no
 
 then the proxy port will only be available on port 8080, and all browsers will need to be set to port 8080 in order to access the Internet. Even if users change that port, it only means they will have no Internet access at all.
 
 In either case, I'm not sure I see what your problem is ie does "not seem to work".
 
- 
				brianr
 
 What does "not seem to work" mean?
 
 
 
 It means that I use gpedit to "fix" the internet proxy parameters as per your instructions, but when I go back to the internet controls, they are still changeable (I expected them to be greyed out).  I've been through this a couple of times in the past, and tried it again yesterday.
 
 I also have the correct config settings as per your howto.
 
 [root@millbrookserver ~]# config show dansguardian
 dansguardian=service
 portblocking=yes
 status=enabled
 [root@millbrookserver ~]# config show squid
 squid=service
 EnforceSafePorts=no
 SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
 TCPPort=3128
 TCPProxyPort=80:3128
 TransparentPort=8080
 access=private
 status=enabled
 [root@millbrookserver ~]#
 
 
 I can get to the PC in question to try things if you have any ideas.
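
An added example, not part of any post in this thread or of the SME howto: a check of `config show` output against the settings the earlier reply says are required (dansguardian enabled, `portblocking=yes`, squid `TransparentPort=8080`). The function names and the second sample are constructed for illustration; the first sample is shortened from the output posted above.

```shell
#!/bin/sh
# get_prop RECORD PROP: print PROP of RECORD from the dump held in $DUMP.
get_prop() {
    printf '%s\n' "$DUMP" | awk -F= -v rec="$1" -v prop="$2" '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }             # trim indentation and CR
        NF == 2 && $2 == "service" { cur = $1; next } # "squid=service" opens a record
        cur == rec && $1 == prop { print substr($0, length($1) + 2); exit }'
}

# check RECORD PROP WANT REASON: print one result line, set rc=1 on mismatch.
check() {
    actual=$(get_prop "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK    $1 $2=$actual"
    else
        echo "FAIL  $1 $2=${actual:-<unset>} (want $3): $4"
        rc=1
    fi
}

# audit_dg_config DUMP: return 0 only if every required setting is present.
audit_dg_config() {
    DUMP=$1
    rc=0
    check dansguardian status enabled "the filter is not running"
    check dansguardian portblocking yes "ports 3128 and 80 stay open, so the filter can be skipped"
    check squid TransparentPort 8080 "auto-detect will not find the filtered port"
    return $rc
}

# Shortened from the output posted in this thread.
SAMPLE_PAGE='[root@millbrookserver ~]# config show dansguardian
 dansguardian=service
 portblocking=yes
 status=enabled
[root@millbrookserver ~]# config show squid
 squid=service
 TCPPort=3128
 TransparentPort=8080
 status=enabled'

# Constructed: the state after both properties were removed with delprop.
SAMPLE_REVERTED=' dansguardian=service
 status=enabled
 squid=service
 TCPPort=3128
 status=enabled'

audit_dg_config "$SAMPLE_PAGE" || true
audit_dg_config "$SAMPLE_REVERTED" || true
```

On the server itself the same function can be fed live data with `audit_dg_config "$(config show dansguardian; config show squid)"`.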
- 
				brianr
 
 It means that I use gpedit to "fix" the internet proxy parameters as per your instructions 
 I think you mean as per tropicalview's instructions in the forum ?
 
 
 I don't use that, I remove access to the menu entirely ie
 gpedit
 Local Computer Policy
 User Configuration
 Administrative Templates
 Windows Components
 Internet Explorer
 Disable changing connection settings.
 
 
- 
				brianr
 I think you mean as per tropicalview's instructions in the forum ?
 
 
 Sorry, I guess I do.
 
 
 I don't use that, I remove access to the menu entirely ie
 gpedit
 User Configuration
 Administrative Templates
 Internet Explorer
 Disable changing connection settings.
 
 
 Aha - yes, that works fine.  Should we change the howto? (although there is a missing stage - "Windows components" between AT and IE).
 
 A secondary question - I also indicated above that in "server" mode the "Detect proxy settings" does not enable the proxy.  Does this fit in with your experience?
 
 If so, I think the howto should also say that.
 
- 
				brianr
 
 I added my method to the Howto.
 
  A secondary question - I also indicated above that in "server" mode the "Detect proxy settings" does not enable the proxy.  Does this fit in with your experience? 
 I don't use Dansguardian in server only mode.
 It would seem obvious to me though, that as the sme server is not acting as the proxy gateway, then there will be issues with making & using those settings.
 
 A note to the effect that this Howto applies to server gateway configurations would be appropriate, but I have not tested the possible ramifications in that mode. I'll look for the most appropriate spot to add this to the Howto.
 Edit -
 Added here
 http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing