22nd July 2011, 10:59 AM #1
Using TMG Server as a Transparent Proxy
I am trying to set up a Microsoft TMG server to act as a transparent proxy on our network.
Basically I want to remove the need for the proxy setting in clients' browsers by setting the TMG server as our default gateway, then forwarding all requests to our ISP's proxy. This is so people with mobile phones and other non-Windows devices can get internet access without configuring a proxy (which, depending on the device, may not be possible).
My first question is, is this possible? If so, how is it best done?
So far I have got a TMG server doing this role in a test environment. However, as well as setting the client's default gateway to the internal IP address of the TMG server, it also has to be entered in the proxy address. This is the setting I need to be able to remove.
Does anyone have any suggestions on this?
22nd July 2011, 11:31 AM #2
We got it working by making the TMG server the default gateway - only problem is you then lose the ability to do user level web filtering.
So at the moment we have a kinda hybrid environment where there is a VLAN for our student WiFi which points at the transparent proxy (using the default gateway of the TMG server) and then our domain joined machines use proxy settings applied by GPO.
22nd July 2011, 11:39 AM #3

Originally Posted by jamesfed
We got it working by making the TMG server the default gateway - only problem is you then lose the ability to do user level web filtering.
So at the moment we have a kinda hybrid environment where there is a VLAN for our student WiFi which points at the transparent proxy (using the default gateway of the TMG server) and then our domain joined machines use proxy settings applied by GPO.
Excellent. Any chance you could talk me through the basic setup? I'm not worried about user level filtering. All users will go through the same upstream proxy and filtering will be controlled by web-based logins.
In particular, how did you get all web requests to forward to your upstream proxy without having to enter your TMG server as the client proxy?
22nd July 2011, 11:53 AM #4
Here we basically have TMG 2010 running inside a Virtual Machine - one network point is dedicated to traffic to our edge switch, one to our domain joined network and a 3rd network point for our Student WiFi VLAN.
Our Wireless is set up so that anyone joining our student WiFi SSID gets pointed onto the VLAN, and part of the WiFi software also runs a DHCP server in which the default gateway is set as the 3rd NIC on the TMG server (this way anyone joining that SSID gets pointed right at the TMG server).
For upstream proxy on your TMG server go to Networks > Web Chaining and create a new web chain rule.
Set the action as "Redirect them to a specified upstream server" and in the settings put the details for your upstream server.
Then in Network Rules make sure the Internet Access rule for your assigned IP address range for your WiFi clients is set to Route instead of NAT.
22nd July 2011, 12:30 PM #5

Originally Posted by jamesfed
Here we basically have TMG 2010 running inside a Virtual Machine - one network point is dedicated to traffic to our edge switch, one to our domain joined network and a 3rd network point for our Student WiFi VLAN.
Our Wireless is set up so that anyone joining our student WiFi SSID gets pointed onto the VLAN, and part of the WiFi software also runs a DHCP server in which the default gateway is set as the 3rd NIC on the TMG server (this way anyone joining that SSID gets pointed right at the TMG server).
For upstream proxy on your TMG server go to Networks > Web Chaining and create a new web chain rule.
Set the action as "Redirect them to a specified upstream server" and in the settings put the details for your upstream server.
Then in Network Rules make sure the Internet Access rule for your assigned IP address range for your WiFi clients is set to Route instead of NAT.
Strange - still not working here. Again, it works if you enter the TMG server as the client's proxy but not without. I'll keep experimenting though.
22nd July 2011, 12:33 PM #6
What is your upstream proxy based upon? Squid?
22nd July 2011, 12:55 PM #7

Originally Posted by jamesfed
What is your upstream proxy based upon? Squid?
I think it probably is Squid. It's the SWGfL proxy, whatever that uses. Does this make a difference?
22nd July 2011, 01:15 PM #8
Originally Posted by jwood
I think it probably is Squid. It's the SWGfL proxy, whatever that uses. Does this make a difference?
Very much so - Squid totally ruins TMG's transparent proxy ability (we found it out ourselves).
There's a solution here though, but it costs - SecureNAT client Guest Access
22nd July 2011, 01:40 PM #9

Originally Posted by jamesfed
Very much so - Squid totally ruins TMG's transparent proxy ability (we found it out ourselves).
There's a solution here though, but it costs - SecureNAT client Guest Access
Oh dear.
22nd July 2011, 01:56 PM #10
Yeah, it's a total pain - we had a kick and scream at the LEA trying to get them to let us bypass their Squid filter, but then in the end just coughed up the cash.
Give the trial version a go with the script on the site to see if it's the same problem though!
1st August 2011, 10:57 PM #11
James, another quick question if you don't mind. We've made some progress on this by using pfsense and squid to create a transparent proxy. Everything seems to work for HTTP requests, but not for SSL sites. Have you experienced anything similar to this, and were you able to get around it? Thanks
1st August 2011, 10:59 PM #12
Originally Posted by jwood
James, another quick question if you don't mind. We've made some progress on this by using pfsense and squid to create a transparent proxy. Everything seems to work for HTTP requests, but not for SSL sites. Have you experienced anything similar to this, and were you able to get around it? Thanks
SSL all appears to be working fine for us - are you using HTTPS inspection at all?
2nd August 2011, 11:25 AM #13
No, we're not. Worryingly, I have read elsewhere that "transparent proxying of SSL traffic cannot be done".
2nd August 2011, 12:05 PM #14
Transparent proxying for HTTPS cannot *usually* be done. This is because the traffic is ciphertext by the time it hits the tproxy, so the proxy doesn't know where the traffic is headed.
There are a couple of ways round this, and of course your proxy needs to support them:
1) Reverse DNS - look up the IP and see if it has a reverse DNS entry, and block based on that.
- This is slow, but it works for all connections. It gives only domain blocking. It is unreliable, as many sites have no, or incorrect, reverse DNS (incorrect in that it wouldn't give us the info we want; it is probably perfectly correct to the site owner!)
Doing MITM off reverse DNS is probably mad. AFAIK Websense supports this?
2) SNI
Modern browsers support the SNI extension, which includes the destination domain as cleartext.
- This is fast and reliable, but it needs support from the browser. Notable absentee is any version of IE on XP. Most browsers work OK on Vista and above. You only get domain level blocking (not URL), but you can do MITM and get URL/content blocking. Smoothwall Guardian3 supports this.
30th November 2011, 03:31 PM #15
James, thanks for your help with this one. We're now running TMG server with ISA script as a transparent proxy. Everything seems fine, including access to HTTPS sites.