Just thinking about this: if I go into transparent mode I will then lose all the groups that have been set up through AD authentication, and then lose the filter groups that have been set up, as these are based on AD group membership.
Effectively this will drop the whole back to just a single level, single filter policy proxy, am I thinking correctly on this?
Now I remember why I hadn't set this up now :rolleyes:
If you think it through, if the client thinks there is no proxy there (transparent) it isn't going to pass the auth to it. Hence, Smoothie thinks it's a stoopid setup and won't let you do it.
What the clever people at Smoothwall should do is allow you to turn transparent proxy on for a particular port and assign a filtering policy to transparent traffic. Nudge nudge wink wink guys!
EDIT - Of course, you could just turn on the transparent proxy feature that the BlueSecure unit has... you'll find that in the role settings Oz
I second that !
Hmm will have to stay with the way it is at the moment then and not allow web access via wireless.
Hmm, methinks I could possibly allow a loopback via the Bluesocket to our SSL VPN and get the students to log on to one of our Terminal Services boxes and get access that way. Long-winded, yes, but if they really need access I guess they will use it.
^^ You snook that post in during my edit
Looking at the Bluesocket now, I think I did already try it on there and it would not work, but let me give it a go.
The problem with multiple authentication methods is that it's passed (AIUI anyway) from the guardian process to Squid, using whatever methods are available on squid.
Originally Posted by Ric_
Using multiple methods would need another instance of squid which may put too high a load on the system and would be quite complex to set up.
Nope did not work.
Put BlueSocket into transparent mode on the guests role (the user I am using does go into this role) and left the Smoothie as it is; no go on the web.
@ICTNUT: Did you tick the 'Perform transparent proxy request translation on the BSC.' box?
Yes I did
Originally Posted by Ric_
@ICTNUT: So is it simply not working or are you getting a denied page off of Smoothie? (If so, what does it say?)
I have set up one of the laptops to use the proxy.pac that Smoothie has and I now have a valid block page coming from the Smoothie when trying to access MSN.
I would expect this to happen as the Smoothie does not know what the unit is, so it places it into the unauthenticated IPs group.
This group by default has a global block on it as we have found that if you install Chrome or Firefox you could surf the web unfiltered :eek:
So my next challenge is to try and get filtering to work, but it looks like we may be moving forward.
Few quick updates:
Ric: you're correct - doing auth in transparent mode is impossible - for mere mortal beings. Of course we can do it (yes, it is a nasty trick, and only works with NTLM so far).
Dave: you're right about the evils of Squid and auth - that's why in FP5 (Summer '10) the all-new version of Guardian will take over auth duty from Squid, allowing all sorts of multi-auth fun.
Of course you guys will all get these upgrades as standard.
You heard it here first :)
OK, so the proxy.pac file did not work after all, was just me being a little too eager :(
I guess there is no way to get this to work; will have to resign myself to the fact that kids just can't surf the web :evil_twisted: via wireless.