Internet Related/Filtering/Firewall Thread, wpad/pac or transparent proxy in Technical; what do you use with guest wireless?
We had transparent proxy but it didn't work with SSL. So i've spent ...
27th February 2012, 05:44 PM #1
wpad/pac or transparent proxy
what do you use with guest wireless?
We had transparent proxy but it didn't work with SSL. So i've spent ALL day making wpad/proxy.pac work only to discover whilst it works great with windows laptops if you tick autodiscover box, it's not as useful with mobiles. Iphones need to put in the pac url, not sure about android or blackberry.
Transparent proxy worked better but no SSL was a problem..... /sigh
27th February 2012, 05:54 PM #2
Aye I'm stuck with the same issue for our public network. You can't transparently proxy SSL URL's as it would defeat the point if anyone could sit in the middle of an SSL connection.
They suggest that you allow SSL urls to go straight out to the web, but that kinda defeats the point in setting up a captive portal & is impossible anyway for us as you have to go out via the main proxy anyway, so your back to the problems of having a .pac file
>.< It's annoying!
27th February 2012, 06:01 PM #3
I've read you can get SSL through transparency to work by using a man-in-the-middle procedure but I'm wary of that idea.
Originally Posted by DrCheese
How do public wi-fi hotspots work...do they give you an actual internet ip address?
27th February 2012, 08:04 PM #4
We use Smoothwall for our Guest Wifi which does HTTPS filtering using transparent proxy. The only requirement is that the client is running Windows Vista and above , XP using Firefox/Chrome, newer iOS versions for iPhones/iPads etc. If the client isn't running that they can still access HTTP sites but not HTTPS sites.
Thanks to Ashm from:
tom_newton (28th February 2012)
27th February 2012, 08:09 PM #5
Aye, I was afraid of that :P, having read that on an older post on this forum. I wouldn't mind smoothwall to replace my own custom Dansguardian/Squid system but it's a question of £££. I'd be interested as to how it gets around the man in the middle restriction tho.
From what I remember, it's something to do with SNI? (server name indication) I wonder how hard it would be to recreate that on other systems (i.e I use pfsense for the captive portal at the moment)
Last edited by DrCheese; 27th February 2012 at 08:14 PM.
27th February 2012, 08:13 PM #6
28th February 2012, 09:59 AM #7
What are you trying to achieve? Filtering? Logging? Stopping usage without a password?
28th February 2012, 11:07 AM #8
I'm gonna stick with pac. You can get around transparency with ssl_bump, ie SQUID transparent SSL interception « Dvas0004's Blog
but recompiling squid is getting too crazy for my liking. pac is fairly flexible~
Works with XP/win7 if "Automatically detect settings" tickbox in IE is ticked
Works with i-devices setting autodiscover WITH the url http://servername/proxy.pac
Most likely to work with android + Opera mobile app + proxy settings
Only Blackberry won't work. only works with transparent proxy. Doesn't support any other kind
28th February 2012, 05:06 PM #9
Yes - we DO use SNI for non-MITM transparent filtering.
28th February 2012, 06:31 PM #10
Aye :P I've arranged a trial of Smoothwall today to test this.
I've been wanting to replace our proxy solution with smoothwall for a while, we've just not had the money to do so until recently. Being able to scrap our custom solution that has it's own issues and gaining the ability to do this will be a big bonus for us.
23rd March 2012, 10:23 AM #11
Seems to work better to use wpad.dat with ios. It's the same file as proxy.pac.
23rd March 2012, 10:28 AM #12
we use wpad and pac files.
It works best in 99% of cases.
Older androids need transparent proxies though
By Optimus in forum Internet Related/Filtering/Firewall
Last Post: 2nd January 2012, 05:19 PM
By dave.81 in forum Internet Related/Filtering/Firewall
Last Post: 18th October 2010, 12:45 PM
By FN-GM in forum Wireless Networks
Last Post: 25th February 2008, 04:33 PM
By pete in forum Wireless Networks
Last Post: 7th February 2008, 08:43 PM
By Jackd in forum Network and Classroom Management
Last Post: 25th July 2007, 06:54 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)