EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: konung on Tuesday 18 January 2011, 04:43:22 am



Title: Can't force users to use proxy.
Post by: konung on Tuesday 18 January 2011, 04:43:22 am
Hello.

We are testing Endian Community version before buying an actual device, and it works fine. I'm just having an issue with the HTTP proxy.

I set it up and it works OK, but only if I manually point the client to the proxy (whether Firefox, Chrome or IE). Active Directory authentication seems to work fine. It takes the LDAP username and password and authenticates against the group that has Internet Access.

My only problem - I can't force clients to use the proxy unless I manually set it up. I have over 100 client devices, so setting all of them manually is not an option. Also, even if I did, some of the users are computer savvy enough to go into Internet Options in IE or Options in Firefox and just disable the proxy settings. A lot of those users have to have admin rights on their computers (some custom software requires it, and some users are programmers and thus need admin rights on the computer as well).

I tried to set up WPAD as described here kb.endian.com/entry/22/, but it doesn't seem to work. None of the client machines pick up the settings from the wpad.dat file:


Code:
function FindProxyForURL(url, host)
{
        if (isPlainHostName(host) || shExpMatch( url, "*192.168.1.1*" ) ) {
                return "DIRECT";
        }
        else if (host == "127.0.0.1") {
                return "DIRECT";
        }
        else if (isInNet(host, "192.168.1.0", "255.255.255.0")) {
                return "PROXY 192.168.1.1:8080; DIRECT";
        }
        else {
                return "PROXY 192.168.1.1:8080; DIRECT";
        }
}


My DNS and DHCP run on a Windows 2003 server (where my AD is).

Does anyone have any suggestions, please?


I really like Endian and want to stick with it rather than go to stupid SonicWall (which is what my management is pressuring me into). So this feature - user web usage tracking - is critical for us.



Thank you
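
Added example, not from konung's post or Endian's code: a minimal JavaScript harness that supplies the PAC helpers a browser normally provides (isPlainHostName, shExpMatch, isInNet) so the PAC file above can be evaluated offline against constructed sample requests before it is published via WPAD. It assumes hosts handed to isInNet are already dotted-quad IPs; a real browser resolves names via DNS first.

```javascript
// Added example (not from the original post): offline harness for the PAC
// helpers a browser normally supplies. Assumption: hosts given to isInNet are
// already dotted-quad IPs (a real browser resolves names via DNS first).
function isPlainHostName(host) {
  return !host.includes(".");
}

// Glob match with "*" and "?" wildcards, as in the PAC specification.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Dotted-quad to unsigned 32-bit integer; null when the string is not an IPv4 address.
function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(x => Number.isNaN(x) || x < 0 || x > 255)) return null;
  return p.reduce((acc, x) => (acc << 8) | x, 0) >>> 0;
}

function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// The poster's PAC logic, with the missing ")" on the isInNet line fixed.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || shExpMatch(url, "*192.168.1.1*")) {
    return "DIRECT";
  } else if (host == "127.0.0.1") {
    return "DIRECT";
  } else if (isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "PROXY 192.168.1.1:8080; DIRECT";
  }
  return "PROXY 192.168.1.1:8080; DIRECT";
}

// Constructed sample requests. Note the "*192.168.1.1*" glob also matches
// 192.168.1.150, so that request goes DIRECT; and a PAC file only advises
// the browser, which is why the egress block on port 80 is still needed.
const SAMPLE_REQUESTS = [
  ["http://intranet/", "intranet"],
  ["http://192.168.1.150/", "192.168.1.150"],
  ["http://192.168.1.77/", "192.168.1.77"],
  ["http://www.example.com/", "www.example.com"],
];
function evaluateAll(requests) {
  return requests.map(([url, host]) => [host, FindProxyForURL(url, host)]);
}
for (const [host, decision] of evaluateAll(SAMPLE_REQUESTS)) console.log(host.padEnd(16), "->", decision);
```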


Title: Re: Can't force users to use proxy.
Post by: konung on Wednesday 19 January 2011, 02:46:56 am
OK, for anyone else stuck with the same problem, I have a solution. I just wish it was mentioned anywhere in the docs so I wouldn't have wasted 3 days trying to come to this conclusion.
I thought there was some sort of magic redirection done on the firewall - nothing like this. If you want to force users to use the proxy - you have to block outgoing traffic on port 80. Then either do a GPO to distribute proxy settings, and for those who insist on using Firefox - you can check the "System Settings" option in the proxy menu. This way - if they want a connection to the internet - they have to use the proxy, otherwise - tough luck. Now here is the conundrum - let's say you have users or system accounts that need to get out to the internet to download something - such as a scheduled script. Well, you can say that only certain user-agents get checked by your filtering policy. Here is my setup and solution. This is for the main corporate network.

IPs in the range 192.168.1.1-60 and 192.168.1.200-254 are static and reserved for use by servers, switches and PPTP. That means any script/service that runs on any of the servers (both Windows & Linux) doesn't get stopped by the outgoing firewall and doesn't need to authenticate against the proxy.

On my outgoing firewall I only block port 80 for dynamic IPs in the range 192.168.1.61-192.168.1.199 - these are the dynamic IPs that are distributed by my DHCP server (Windows 2003) to clients. They have to use the proxy if they want internet. I set up LDAP authentication against my Active Directory, so I can track usage based on the username.

So my green interface has a non-transparent proxy for authentication, and my blue interface (it has all my VLANs) has a transparent one.


Hope this helps someone.