  1. #1


    Recommendations for DIY based Proxy Solution

    We have quite a small network max 200 workstations and our OLD Proxy box is in pensionable status.

    Has anyone gone down this DIY route and what combination did they use. I could go down the MS route (i.e. Microsoft ISA Server with some sort of proxy/filter plugin). Hardware Costs, Renewal Costs and Support costs are the biggest limiting factor while trying to achieve a reliable and easy to administer solution.

    I'm thinking of setting up a DIY Linux based Proxy solution as only the most simple proxy filtering is required. Have had experience of setting up/administering BLOXX and Sophos filter boxes in previous employments.

    The Requirements are:
    Basic Content filtering (i.e. DansGuardian)
    Simple to use/setup/administer/backup/GUI interface
    Authenticates to Active Directory - for security group based filtering
    Blacklists, Whitelists, banned words

    I've spent a few days playing with Ubuntu/Squid/DansGuardian on a Virtual Server and managed to get a working system at home (thanks to YouTube) without the AD authentication and will be testing the solution massively before implementation and run the two systems side by side till happy, and take a deep breath before full deployment :-?

    I am more than happy to research and read books if pointed in the right direction. My Linux skills are rather limited at the moment but I'm more than happy to learn, am picking a few commands up at the moment :-).

    Big Thanks in anticipation of any reply.

  2. #2

    glennda
    I use Squid/DansGuardian here and never have problems with it. I've never made filtering via AD group work but it is possible from what I have read.

    You can use webmin modules for a front end GUI ( in a web browser).

    You can also download blacklists from the net.

  3. Thanks to glennda from:

    Davit2005 (31st October 2011)

  4. #3


    Sounds like you're on the right lines. Here's a howto to get Squid working with Samba for basic AD authentication:
    ConfigExamples/Authenticate/Ntlm - Squid Web Proxy Wiki

  5. Thanks to CyberNerd from:

    Davit2005 (31st October 2011)

  6. #4


    This method should also work: Configure squid for LDAP authentication using squid_ldap_auth helper
    and this: ConfigExamples/Authenticate/Kerberos - Squid Web Proxy Wiki
    I'm not sure whether LDAP, Kerberos or winbind is the best method?

  7. #5


    SmoothWall Express + add-ons (Advanced Proxy / URL Filter / Calamaris)?

    Advanced Proxy includes Active Directory support.

  8. Thanks to Arthur from:

    Davit2005 (31st October 2011)

  9. #6

    bossman
    @Davit2005:

    If you have a spare computer with 2 nics and 2Gb ram then this could be another solution:

    IPCop - Home

    We used this for many years using transparent authentication and it has many good features; the reason we changed was that our budget allowed us to purchase SmoothWall.

    Hope you get sorted

  10. Thanks to bossman from:

    Davit2005 (31st October 2011)

  11. #7

    We should have a spare server coming up soon which we should be able to set up. It's not 64-bit so can't really use ESXi 4 but suppose could set up using 32-bit Windows 2003/2008 in a RAID 1 with either Virtual Server or VirtualBox I suppose.

    The only thing that worries me with transparent proxies is everything has to go through it, including servers etc. Can be a pain for Windows Update, activations and software that uses its own download manager (Adobe etc.)

  12. #8


    Originally posted by Davit2005:
    "We should have a spare server coming up soon which we should be able to set up. It's not 64-bit so can't really use ESXi 4 but suppose could set up using 32-bit Windows 2003/2008 in a RAID 1 with either Virtual Server or VirtualBox I suppose."

    Take a look at KVM - it's part of the Linux kernel and can do useful things like live migrations/high availability that you won't get with VirtualBox. There are lots of management tools as well:
    Management Tools - KVM

    Originally posted by Davit2005:
    "The only thing that worries me with transparent proxies is everything has to go through it, including servers etc. Can be a pain for Windows Update, activations and software that uses its own download manager (Adobe etc.)"

    I would have thought that transparent proxying solves some of these issues, compared to authenticating proxies. You can always leave the Squid port open (to specific IP addresses) and use that as an unfiltered proxy and the DansGuardian port as the filter.

  13. #9

    glennda
    Originally posted by CyberNerd:
    "Take a look at KVM - it's part of the Linux kernel and can do useful things like live migrations/high availability that you won't get with VirtualBox. There are lots of management tools as well:
    Management Tools - KVM

    I would have thought that transparent proxying solves some of these issues, compared to authenticating proxies. You can always leave the Squid port open (to specific IP addresses) and use that as an unfiltered proxy and the DansGuardian port as the filter."

    Pretty sure you need virtualisation support in the CPU/BIOS to run KVM (I use it to host all my VMs).

  14. #10


    Originally posted by glennda:
    "Pretty sure you need virtualisation support in the CPU/BIOS to run KVM (I use it to host all my VMs)."

    Yes - you're quite correct and it probably won't be supported on an older 32-bit processor.

    @glennda which management tools are you using? I was thinking about using KVM for desktop virtualisation - just some research at the moment but I'm liking the look of this: Spice - Home page

  15. #11

    glennda
    Originally posted by CyberNerd:
    "Yes - you're quite correct and it probably won't be supported on an older 32-bit processor.

    @glennda which management tools are you using? I was thinking about using KVM for desktop virtualisation - just some research at the moment but I'm liking the look of this: Spice - Home page"

    I use virsh (command line) and virt-manager on the machines to configure/manage machines.

    I run it on 3 DL380 G5s and 2 DL360 G7s using an OCFS2 cluster, meaning all the LUNs on the SAN can be attached to each host.

    I then use Xming and X11 forwarding through PuTTY if I need to use virt-manager on a Windows box.

  16. Thanks to glennda from:

    CyberNerd (31st October 2011)

  17. #12


    Virtualisation support

    Originally posted by glennda:
    "Pretty sure you need virtualisation support in the CPU/BIOS to run KVM (I use it to host all my VMs)."

    Will look into KVM for sure, not one I've heard of. I've had to enable VM support in a few recent Dell servers (R410/R510) for 64-bit support.

    Our current proxy allows for certain pass-throughs from designated source IPs, and also allows full access to designated destination IPs. The main issue is the AD authentication to 2008 R2. Being able to get the proxy to filter on AD security groups (i.e. Students, Staff, limited internet access etc.) would be a distinct advantage.

  18. #13

    glennda
    Originally posted by Davit2005:
    "Will look into KVM for sure, not one I've heard of. I've had to enable VM support in a few recent Dell servers (R410/R510) for 64-bit support.

    Our current proxy allows for certain pass-throughs from designated source IPs, and also allows full access to designated destination IPs. The main issue is the AD authentication to 2008 R2. Being able to get the proxy to filter on AD security groups (i.e. Students, Staff, limited internet access etc.) would be a distinct advantage."

    In the end I set up 2 machines (identical config files copied from each other): one which does staff, one does students, with different block lists.

  19. #14

    Originally posted by glennda:
    "In the end I set up 2 machines (identical config files copied from each other): one which does staff, one does students, with different block lists."

    I was thinking along these lines if can't get AD authentication to work. Easy to work as staff in different OU to Students and can very easily set up policy to point different OUs to different proxies.

    Maybe advantageous to have a dual solution, and staff will just have to put up with limited access if their proxy fails and students can either be monitored carefully on staff policy or Internet disabled altogether if theirs fails. Better than no one on Internet at all. Especially when you have to support the system in house.

  20. #15

    glennda
    Yup, especially as it is just a case of adding the IP to the other machine and then setting the config to accept data on that IP; saves the need to redo GPOs and get staff to logout/login again.

    I use Samba to do the auth and squid passes onto samba
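
Added example (not from any poster in this thread): a squid.conf fragment combining the approaches discussed above, that is NTLM authentication through Samba's ntlm_auth, filtering on AD security groups, and source/destination bypasses for hosts that cannot authenticate. Helper paths, group names, addresses and list files are assumptions; the box is assumed to be joined to the domain already with winbind running.

```conf
# Added example. All paths, groups and addresses below are assumptions.
# Proxy authentication only works when browsers are explicitly pointed at
# the proxy (GPO or PAC file); intercepted (transparent) traffic cannot be
# challenged for credentials.

# NTLM gives domain-joined browsers single sign-on.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
# Basic fallback sends the password base64-encoded in the clear on the LAN;
# remove these lines if every client can do NTLM.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web proxy
auth_param basic credentialsttl 2 hours

# AD group lookup via winbind. Helper name and path vary with distro and
# Squid version (wbinfo_group.pl on older packages).
external_acl_type ad_group ttl=300 children=5 %LOGIN /usr/lib/squid3/wbinfo_group.pl

acl staff    external ad_group Staff
acl students external ad_group Students
acl limited  external ad_group LimitedInternet   # hypothetical group name

acl localnet   src 10.0.0.0/8                    # constructed range
acl bypass_src src 10.0.0.10 10.0.0.11           # constructed: servers that cannot authenticate
acl bypass_dst dstdomain .windowsupdate.com .update.microsoft.com

acl student_block dstdomain "/etc/squid3/student_blocked.txt"   # hypothetical list file
acl limited_allow dstdomain "/etc/squid3/limited_allowed.txt"   # hypothetical list file

# First matching line wins, so unauthenticated bypasses come before any
# rule that references a group (which triggers the login challenge).
http_access deny  !localnet
http_access allow bypass_src
http_access allow bypass_dst

# Deny rules end in a dstdomain ACL so a blocked user gets an error page
# rather than a repeated password prompt.
http_access deny  limited !limited_allow
http_access deny  students student_block
http_access allow limited
http_access allow students
http_access allow staff
http_access deny  all
```

Keep the bypass lists as short as possible, since anything matching them is neither authenticated nor attributable to a user in the access log.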
