Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: ASPerience on October 13, 2009, 11:23:36 AM
-
Hi everyone,
I need to do some changes on the network of a client.
They currently use a SME 7.4 server as a gateway + transparent proxy.
They recently told us to install another proxy, which could authenticate users and could be easily configured.
So I decided to install a pfSense based proxy.
I have a problem now. How do I force users to use the authenticating proxy?
Can I:
- Block outgoing HTTP / HTTPS traffic for some private IPs? If so, how?
- Redirect all requests to my authenticating proxy? If so, how?
Thanks in advance for your help.
Regards,
-
mmhh..
then you change SME mode from server & gateway to server-only?
I don't know how pfsense can auth users, but I think it should support NT one..
-
I don't want to change SME operating mode. There is some OpenVPN access on it and I don't want to change this part of the configuration.
Proxy address will be statically configured on client computers. I just want to be sure that a user can't disable proxy (if he knows how to do so) and use the SME routing functions.
-
I don't want to change SME operating mode. There is some OpenVPN access on it and I don't want to change this part of the configuration.
you don't need to change anything on SME.. you'll use pfsense as firewall and so forward needed ports to internal SME
Proxy address will be statically configured on client computers. I just want to be sure that a user can't disable proxy (if he knows how to do so)
it's not a SME issue but a windows (or whatever O.S. you use on your clients) one.. you can fix it via local policy (on each client) or with poledit (search forums for it); note: poledit won't work with vista/w7 and with linux.. and, of course, clients must be joined to domain
and use the SME routing functions.
define "routing functions" please..
again:
- install pfsense and use it as your default GW
- change SME to server-only mode
- forward (on pfsense) all needed ports to SME
- on client pc, use pfsense as default GW/proxy
- set up proxy on pfsense to use NT auth (if supported) and use SME domain users..
my 2c
-
Ok, I will detail a few things.
I don't want to change the server's configuration. On top of SME, there is a VMware virtual machine (a Windows 2008 server with some Sage software) which I don't want to shut down. I want to avoid any downtime, so I don't want any reboot at this time. I could reconsider it later, but, for now, it's not possible.
There is no NT domain on that network (there are only 13 clients).
I'm just looking for a way to block outgoing tcp traffic on ports 80 and 443 for some IPs (actually a network except a whitelist of IPs).
If that's not currently possible, I'll try to find a workaround.
-
ASPerience
I'm just looking for a way to block outgoing tcp traffic on ports 80 and 443 for some IPs
Read the FAQ, see the Firewall section re blocking outgoing ports and also section re controlling access to the proxy. Maybe they will answer your needs, let us know.
-
ASPerience
See http://wiki.contribs.org/Dansguardian
Read the Auth proxy login sections, e.g. ident, for usage ideas
Maybe you could use Dansguardian to do the job using the sme squid proxy instead of pfsense
For fancy GUI panels use the Dungog commercial version, check the dungog site for details