Just thinking about this if I go into transparent mode I will then loose all the groups that have been setup through AD authentication and then loose the filter groups that have been setup as these are based on AD group membership.
Effectively this will drop the whole back to just a single level, single filter policy proxy, am I thinking correctly on this?
Now I remember why I hadn't set this up now
If you think it through, if the client thinks there is no proxy there (transparent) it isn't going to pass the auth to it. Hence, Smoothie thinks it's a stoopid setup and won't let you do it.
What the clever people at Smoothwall should do, is allow you to turn transparent proxy on for a particular port and assign a filetering policy to transparent traffic. Nudge nudge wink wink guys!
EDIT - Of course, you could just turn on the transparent proxy feature that the BlueSecure unit has... you'll find that in the role settings Oz
Last edited by Ric_; 12th November 2009 at 11:16 AM.
I second that !
Hmm will have to stay with the way it is at the moment then and not allow web access via wireless.
Hmm me thinks I could possible allow a loopback via the bluesocket to our SSL VPN and get the students to logon to one of our Terminal Services boxes and get access that way, long winded yes but if they really need access I geuess they will use it.
^^ You snook that post in during my edit
looking at the bluesocket now, i think i did already try it on there and it would not work but let me give it a go.
The problem with multiple authentication methods is that it's passed (AIUI anyway) from the guardian process to Squid, using whatever methods are available on squid.Originally Posted by Ric_
Now I remember why I hadn't set this up now
If you think it through, if the client thinks there is no proxy there (transparent) it isn't going to pass the auth to it. Hence, Smoothie thinks it's a stoopid setup and won't let you do it.
What the clever people at Smoothwall should do, is allow you to turn transparent proxy on for a particular port and assign a filetering policy to transparent traffic. Nudge nudge wink wink guys!
EDIT - Of course, you could just turn on the transparent proxy feature that the BlueSecure unit has... you'll find that in the role settings Oz
Using multiple methods would need another instance of squid which may put too high a load on the system and would be quite complex to set up.
Nope did not work.
Put BlueSocket into transparent mode on the guests role (the user I am using does go into theis role) and left the smoothie as it is, no go on the web.
@ICTNUT: Did you tick the 'Perform transparent proxy request translation on the BSC.' box?
Yes I did
@ICTNUT: So is it simply not working or are you getting a denied page off of Smoothie? (If so, what does it say?)
Right update:
I have setup one of the laptops to use the proxy.pac that smoothie has and I now have a valid block page coming from the smoothie when trying to access msn.
I would expect this to happen as the smoothie does not know what the unit it so it places it into the unauthenticated IPs group.
This group by default has a global block on it as we have found that if you install chrome or firefox you could surf the web unfiltered
So my next challenge is to try and get filtering to work, but it looks like we maybe moving forward.
Few quick updates:
Ric: you're correct - doing auth in transparent mode is impossible - for mere mortal beings. Of course we can do it (yes it is a nasty trick, and only works with ntlm so far)
Dave: you're right about the evils of squid and auth - thats why in FP5 (Summer '10) the all-new version of guardian will take over auth duty from squid, allowing all sorts of multi auth fun.
Of course you guys will all get these upgrades as standard.
you heard it here first
ok so the proxy.pac file did not work after all, was just me being a little too eager
I guess there is no way to get this to work will have to reside to the fact that kids just can't surf the webvia wireless.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
