EFW as content filter in front of ISA NTLM auth proxy

[Guest]

[wreg]

Hello,

The situation is as follows. My company has an ISA proxy situated in germany. I have no control over this proxy and no changes will be made to it at my request.

Since my boss thinks this proxy doesn't quite filter enough, and we're forced by company policy to use the connection over germany (and hence this proxy as well) I need to setup an extra content filter in front of this ISA box.

I've been toying with EFW to get this done but have, so far, been quite unsuccesful. If I set up EFW as authenticated proxy I cannot forward the NTLM authentication to ISA. If I set up squid as transparent and configure the ISA box in config script, squid doesn't filter anything anymore, and I'm not quite sure why. I have thought of a  of possible causes.

1. Transparent squid is listening on port 80 while http requests are forwarded to ISA on 81.
2. Transparent squid is unable to filter the url from the proxy request made to isa.
3. Squid couldn't care less about filtering since the request is actually made to an internal server (isa) and hence shouldn't be blocked.

Case 1: how do I get transparent squid to listen and filter on 81 as if it were 80?
Case 2 and 3: how do I force squid to filter the proxy requests made to the isa server and block inappropriate url's??

Case I have it all wrong:
please enlighten me. I really feel like I'm missing some basic know-how to properly solve this :/


Thanks in advance,
Wim

[Steve]

If Endian is sitting between the ISA server and the Internet connection, why would you want to use Authentication?
Wouldn't you just set up Endian as being the Gateway for the ISA server?

[wreg]

Yes. That's what I did.

Clients get endian as gateway. If I go outside from there all is well and it works as intended.

If I configure the proxy configuration script in the client's browsers endian no longer filters anything. I think because all traffic is now intended for the german proxy, and no longer for the internet.

My ACL obviously doesn't block traffic to this german proxy, and since the browers are sending requests to this german proxy, they can pass.

Well, I think that's what's wrong, I'm not really sure...


I've set up an isa as proxy with a very tight content filter and the german isa as parent cache and my local box forwarding ntlm auth from the clients to the german isa. Works fine...

But I'd like to do the same thing with squid, or at least something that has the same result.

[Steve]

Yes. That's what I did.
Clients get endian as gateway. If I go outside from there all is well and it works as intended.
...
...

Why don't you leave the clients as they were before - (ISA as gateway) but set the ISA server to use Endian as it's Gateway.

Clients --->> ISA Server --->> Endian --->> Internet