Thread: Using TMG Server as a Transparent Proxy (Internet Related/Filtering/Firewall forum, page 1 of 2)
  #1 jwood

    Using TMG Server as a Transparent Proxy

    I am trying to set up a Microsoft TMG server to act as a transparent proxy on our network.

    Basically I want to remove the need for the proxy setting in clients' browsers by setting the TMG server as our default gateway, then forwarding all requests to our ISP's proxy. This is so people with mobile phones and other non-Windows devices can get internet access without configuring a proxy (which depending on the device may not be possible).

    My first question is, is this possible? If so, how is it best done?

    So far I have got a TMG server doing this role in a test environment. However, as well as setting the client's default gateway to the internal IP address of the TMG server, it also has to be entered in the proxy address. This is the setting I need to be able to remove.

    Does anyone have any suggestions on this?

  #2 jamesfed

    We got it working by making the TMG server the default gateway - only problem is you then lose the ability to do user level web filtering

    So at the moment we have a kinda hybrid environment where there is a VLAN for our student WiFi which points at the transparent proxy (using the default gateway of the TMG server) and then our domain joined machines use proxy settings applied by GPO.

  #3 jwood

    Quote Originally Posted by jamesfed:
    We got it working by making the TMG server the default gateway - only problem is you then lose the ability to do user level web filtering

    So at the moment we have a kinda hybrid environment where there is a VLAN for our student WiFi which points at the transparent proxy (using the default gateway of the TMG server) and then our domain joined machines use proxy settings applied by GPO.

    Excellent. Any chance you could talk me through the basic setup? I'm not worried about user level filtering. All users will go through the same upstream proxy and filtering will be controlled by web-based logins.

    In particular, how did you get all web requests to forward to your upstream proxy without having to enter your TMG server as the client proxy?

  #4 jamesfed

    Here we basically have TMG 2010 running inside a Virtual Machine - one network point is dedicated to traffic to our edge switch, one to our domain joined network and a 3rd network point for our Student WiFi VLAN.

    Our Wireless is set up so that anyone joining our student WiFi SSID gets pointed onto the VLAN and part of the WiFi software also runs a DHCP server to which the default gateway is set as the 3rd NIC on the TMG server (this way anyone joining that SSID gets pointed right at the TMG server).

    For upstream proxy on your TMG server go to Networks > Web Chaining and create a new web chain rule.
    Set the action as Redirect them to a specified upstream server and in the settings put the details for your upstream server.
    Then in Network Rules make sure the Internet Access rule for your assigned IP address range for your WiFi clients is set to Route instead of NAT.

  #5 jwood

    Quote Originally Posted by jamesfed:
    Here we basically have TMG 2010 running inside a Virtual Machine - one network point is dedicated to traffic to our edge switch, one to our domain joined network and a 3rd network point for our Student WiFi VLAN.

    Our Wireless is set up so that anyone joining our student WiFi SSID gets pointed onto the VLAN and part of the WiFi software also runs a DHCP server to which the default gateway is set as the 3rd NIC on the TMG server (this way anyone joining that SSID gets pointed right at the TMG server).

    For upstream proxy on your TMG server go to Networks > Web Chaining and create a new web chain rule.
    Set the action as Redirect them to a specified upstream server and in the settings put the details for your upstream server.
    Then in Network Rules make sure the Internet Access rule for your assigned IP address range for your WiFi clients is set to Route instead of NAT.

    Strange - still not working here. Again, it works if you enter the TMG server as the client's proxy but not without. I'll keep experimenting though.

  #6 jamesfed

    What is your upstream proxy based upon? Squid?

  #7 jwood

    Quote Originally Posted by jamesfed:
    What is your upstream proxy based upon? Squid?

    I think it probably is Squid. It's the SWGfL proxy, whatever that uses. Does this make a difference?

  #8 jamesfed

    Quote Originally Posted by jwood:
    I think it probably is Squid. It's the SWGfL proxy, whatever that uses. Does this make a difference?

    Very much so - Squid totally ruins TMG's transparent proxy ability (we found it out ourselves).
    There's a solution here though but it costs - SecureNAT client Guest Access

  #9 jwood

    Quote Originally Posted by jamesfed:
    Very much so - Squid totally ruins TMG's transparent proxy ability (we found it out ourselves).
    There's a solution here though but it costs - SecureNAT client Guest Access

    Oh dear.

  #10 jamesfed

    Yeah it's a total pain - we had a kick and scream at the LEA trying to get them to get us to bypass their Squid filter but then in the end just coughed up the cash.
    Give the trial version a go with the script on the site to see if it's the same problem though!

  #11 jwood

    James, another quick question if you don't mind. We've made some progress on this by using pfSense and Squid to create a transparent proxy. Everything seems to work for HTTP requests, but not for SSL sites. Have you experienced anything similar to this and were you able to get around it? Thanks

  #12 jamesfed

    Quote Originally Posted by jwood:
    James, another quick question if you don't mind. We've made some progress on this by using pfSense and Squid to create a transparent proxy. Everything seems to work for HTTP requests, but not for SSL sites. Have you experienced anything similar to this and were you able to get around it? Thanks

    SSL all appears to be working fine for us - are you using HTTPS inspection at all?

  #13 jwood

    No we're not. Worryingly, I have read elsewhere that "transparent proxying of SSL traffic cannot be done".

  #14 tom_newton

    Transparent proxying for HTTPS cannot *usually* be done. This is because the traffic is ciphertext by the time it hits the tproxy, so the proxy doesn't know where the traffic is headed.

    There are a couple of ways round this.. and of course your proxy needs to support them:

    1) Reverse DNS - look up the IP and see if it has a reverse DNS entry, and block based on that
    - this is slow, but it works for all connections. It gives only domain blocking. It is unreliable, as many sites have no, or incorrect, reverse DNS (incorrect in that it wouldn't give us the info we want; it is probably perfectly correct to the site owner!)
    Doing MITM off reverse DNS is probably mad. AFAIK Websense supports this?

    2) SNI
    Modern browsers support the SNI extension, which includes the destination domain as cleartext.
    - this is fast and reliable, but it needs support from the browser. Notable absentee is any version of IE on XP. Most browsers work OK on Vista and above. You only get domain level blocking (not URL) but you can do MITM and get URL/content blocking. Smoothwall Guardian3 supports this.

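    Tom's point above (the transparent proxy only sees ciphertext, so it can learn the destination domain only if the client sends SNI) can be checked with a small parser. The following is an added example, not code from this thread or from TMG, Squid or Smoothwall: it constructs a minimal TLS ClientHello with and without the SNI extension, extracts the host_name the way a transparent HTTPS filter has to, and shows the domain-level allow/block decision that name supports. The hostnames and the `example.net` blocklist are constructed sample values; a ClientHello with no SNI (the IE-on-XP case) comes back as "no-sni", which is exactly the traffic a filter must fall back to reverse DNS or a default policy for.

```python
"""Extract the SNI host_name from a TLS ClientHello record.

Added example (not code from the thread). A transparent HTTPS proxy
sees only the ClientHello in cleartext; the SNI extension inside it is
the only reliable place the destination domain appears before the
session is encrypted.
"""
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input).

    With server_name=None the SNI extension is omitted entirely, which
    models an old client such as IE on Windows XP.
    """
    client_random = b"\x11" * 32           # fixed filler, not random
    session_id = b""
    cipher_suites = b"\xc0\x2f\x00\x9c"    # two arbitrary suite codes
    compression = b"\x00"                  # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList: list length, entry type 0 (host_name), name length, name
        sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None when the
    bytes are not a ClientHello, are truncated, or carry no SNI extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                   # truncated
    pos = 2 + 32                                      # skip client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000 or len(data) < 5:
            continue                                  # not server_name
        list_len = struct.unpack("!H", data[:2])[0]
        entry = data[2:2 + list_len]
        off = 0
        while off + 3 <= len(entry):
            ntype = entry[off]
            nlen = struct.unpack("!H", entry[off + 1:off + 3])[0]
            off += 3
            if ntype == 0:                            # host_name entry
                try:
                    return entry[off:off + nlen].decode("ascii")
                except UnicodeDecodeError:
                    return None
            off += nlen
    return None


def classify(record: bytes, blocked_domains: set) -> str:
    """Domain-level filtering decision from SNI alone: 'block', 'allow', or
    'no-sni' when the client sent no name and another method is needed."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"
    labels = name.lower().rstrip(".").split(".")
    # Match the name itself and every parent domain against the blocklist.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked_domains:
            return "block"
    return "allow"


if __name__ == "__main__":
    blocklist = {"example.net"}                       # constructed sample policy
    for host in ("www.example.com", "videos.example.net", None):
        print(host, "->", classify(build_client_hello(host), blocklist))
```

    Only the domain is recoverable this way, which is why Tom says SNI gives domain-level and not URL-level blocking; anything finer needs the proxy to terminate TLS itself (the MITM/HTTPS inspection option mentioned above).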
  #15 jwood

    James, thanks for your help with this one. We're now running TMG server with ISA script as a transparent proxy. Everything seems fine, including access to HTTPS sites.
