I have an interesting problem that I am sure can be solved by the ASL gurus around... Here is what we want:
Half of our users are using the HTTP Proxy on port 8080; others are going through NAT to avoid surf protection filters. I don't have a Cobion license, so I am using SquidGuard URL-based filtering, which only applies on the HTTP proxy. As Gert mentioned in his Content Filtering Tutorial, one way is to use a Transparent Proxy, but I can't do that since half of our users are already configured to use the proxy on port 8080.
WHAT I REALLY NEED IS A WAY TO ROUTE ALL THE HTTP TRAFFIC THROUGH NAT TO BE FORWARDED TO HTTP PROXY
This is easily done in IPTables/IPChains but I don't want to edit any Files since that voids our warranty of ASL 5.101
Quick input... If your clients are Windows boxes, why not use an AD policy or logon scripts to change/remove the proxy settings for the users on the normal proxy? If it's interesting, I'll write more details.
In Active Directory you can manage a client's browser proxy settings. This only works for Internet Explorer.
In the GPO go to:
User configuration
Then Windows Settings. You should see an Internet Explorer Maintenance option.
In that option you should see Connection, and in Connection you should see Proxy Settings.
You can manually set the proxy settings there. If you want to make an automatic proxy script such as a .PAC file and assign it to specific users, select automatic browser configuration and enter the address of the internal webserver that is hosting the .PAC file.
You could also do a CGI script that would assign proxy settings based on user name. You could also assign proxy settings through DNS or DHCP. The DNS option is not as secure. But as you can see there are a whole lot of options to configure your clients' browsers.
If you need info on proxy scripts like cgi or .PAC I will be happy to help.
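As an added illustration of the .PAC approach described in this reply (this is example code, not part of the original post): a proxy auto-config file that sends every request through the filtering proxy on port 8080 and goes DIRECT only for intranet hosts. The proxy name proxy.internal.example, the domain .internal.example and the internal network 10.0.0.0/255.0.0.0 are assumed placeholders. Browsers supply isInNet, dnsDomainIs and isPlainHostName when they evaluate a PAC file; the stand-ins below exist only so the file also runs under Node (the stand-in isInNet handles literal IP addresses only, whereas the browser's version resolves host names).

```javascript
// Example .PAC file (added example, not from the original thread).
// Placeholders: proxy.internal.example:8080, .internal.example, 10.0.0.0/255.0.0.0

// Convert a dotted-quad string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, oct) => (acc << 8) + Number(oct), 0) >>> 0;
}

// Stand-ins for the PAC helper functions a browser provides natively.
if (typeof isInNet === "undefined") {
  globalThis.isInNet = function (ip, net, mask) {
    if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false; // literal IPs only here
    return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
  };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host === domain.replace(/^\./, "") || host.endsWith(domain);
  };
}
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return !host.includes("."); };
}

function FindProxyForURL(url, host) {
  // Intranet names and internal addresses bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".internal.example")) {
    return "DIRECT";
  }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else must go through the filtering proxy. Deliberately no
  // "; DIRECT" fallback: a proxy outage then fails closed instead of
  // silently bypassing the URL filter.
  return "PROXY proxy.internal.example:8080";
}
```

The absence of a DIRECT fallback in the last return is the security-relevant choice: with "PROXY ...; DIRECT" a browser that cannot reach the proxy would quietly fetch the page unfiltered.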
Thanks to Xeno's instructions, I have changed my proxy from Standard to Transparent and added Packet Filter rules allowing connections to port 8080. I have also added an Allowed Target Service "SQUID" in the cache settings.
Log initial packets: not checked
Automatic Firewall rule: checked
Add Port 8080 to "Allowed Target Services" in Web Security/Web Filtering/Advanced
The destination webserver is running on port 8080. But when I visit the destination webserver I get a message from my ASG: >An error occured while handling you request.... Error Message: Received invalid request from Client
If the HTTP Proxy is in transparent mode, port 8080 still works for manually configured browsers. Transparent mode is just an addition to standard mode; in transparent mode you still have the full functionality of standard mode. The only thing missing in transparent mode is the possibility to change the port (8080).
Task:
In Transparent mode, the HTTP proxy will handle all traffic passing the firewall on port 80. In this mode, the clients do not need to enter the HTTP proxy in their browser configuration. Please note that the proxy cannot handle FTP and HTTPS (secure) requests in this mode. If your clients want to access such services, you must open the respective ports (21 and 443) in the packet filter or add the HTTP proxy in the client's browser configuration manually.
There is only one difference between standard mode and transparent mode. The difference is a "REDIRECT" rule in the netfilter framework of Astaro. The Netfilter Framework of Astaro is iptables.
This rule only matches port 80. So only packets on port 80 can be processed by HTTP Proxy in transparent mode. Accessing a webserver which listens on port 8080 or port 8000 for instance is not possible in transparent mode by default.
To also access uncommon ports in transparent mode, a trick can be done. The trick is to add a nifty DNAT rule:
Assume a webserver on port 8000 has to be reachable even when using the HTTP Proxy in transparent mode:
1)
Go to Webadmin >> Network >> NAT/Masquerading.
Rule Type: DNAT/SNAT
Source address: internal (Network)
Destination address: Any
Service: port 8000
Change Source to: :: No change ::
Change Destination to: Internal (Address)
Service destination: SQUID (8080)
2)
Then go to Webadmin >> Proxies >> HTTP
Add Port 8000 to "Allowed Target Services".
This can be done with every other port. The trick is not restricted to port 8000.
Note: This does not work for HTTPS (port 443) or FTP (21/20).
Be careful playing around with port 8000. At least in Germany, port 8000 is getting very important for many companies, since "Elster" (the electronic tax declaration) is using port 8000. So if you are redirecting port 8000, you may get into trouble when your financial guys ask for a route to the tax department.
This thread is almost seven years old - and squid is no longer used. In any case, even in 2005, your SNAT would not have worked. Please say what you're trying to accomplish.
Cheers - Bob
Sorry for any short responses! Posted from my iPhone.
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005