I'm still learning a lot about school networks so here goes :p
I'm looking at putting in a proxy server running DansGuardian, but whereabouts in the network should it go? It's only a small school, so we have ISA server running on the domain controller at the moment, and it won't receive loads of traffic for hours on end.
Should it just sit on the network somewhere with two connections, or sit in between ISA and the local network, or even something else?
You have it at the very top of the network.
You will have an ethernet cable go into a switch someplace. Plug that into one NIC of the server and plug another cable from the server into the network. This will force all traffic to go through.
Also, installing ISA on a DC is a big no-no. It will probably block a lot of traffic needed for a DC.
Unfortunately this is how the county set it up before I was there and we have just stuck with it. They set up rules to allow all local traffic, so I guess for now it should be OK.
Originally Posted by FN-GM
Thanks for that one :p
With the right firewall rules, you can put DG anywhere on the network, with 1 NIC, so long as all the clients can see dg, and dg can get at the web.
I agree and it works a treat. The only problem is if you are in a huge establishment and you need 2 NIC cards, one to handle internal and one to handle external traffic for bandwidth, or you are putting a firewall on the server.
Originally Posted by tom_newton
OK, thanks guys, I have it all set up so I'll see how it goes tomorrow when the kids are back. DansGuardian is a lot more powerful than I first thought actually.. :)
You'll only need 2 Nics if you have ~60Mbits/sec of web traffic. At that point, a gigabit Nic or - much more sensibly - a load balanced nest of DGs would be a better idea.
Originally Posted by ricki
We do the "commercial version" of DG - Network Guardian - as many of you know, this is DG "preinstalled" with reporting and much better lists. In nearly 7 years at SmoothWall I have never needed to use >1 NIC.
It all depends on how you do things. I would (personally for my situation) say that for flexibility I would go the 2 NIC route initially. I would put the DG box as follows:
external router -> DG -> (ISA WAN connection)
This will give you the advantage of having a filtered bridge forcing all traffic through your DG box. I assume that at the moment there is no filtering hence the clients can pass happily through your ISA server?
That way you need to configure the DG box only and leave the ISA box alone. It also means that you don't need to change gateways - only add proxy rules (GPO, WPAD, proxy.PAC etc etc) and any clients that are simply added to the network will still need to go through the DG box. If you don't care about giving different levels of access then you could transparent proxy the box, needing nothing configuring on the clients!
Horses for courses though. I would say it is no harder to set up a 2NIC than a 1NIC box. My first 1NIC was soon ditched as it was too easy to bypass the DG box with pocket opera etc.
Don't forget to get an extra CAL for your Linux box :getmecoat:
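
The proxy.PAC option mentioned in the post above, sketched as an added example that is not part of the original thread. The DansGuardian address 10.0.0.5:8080, the 10.0.0.0/16 LAN range and the school.local suffix are assumptions; the file returns no `DIRECT` fallback for web traffic, so a filter outage fails closed.

```javascript
// proxy.pac (added example). All site values below are constructed.
var DG_PROXY = "PROXY 10.0.0.5:8080"; // assumed DG box; 8080 is DG's default filterport
var LAN_NET = "10.0.0.0";             // assumed school LAN
var LAN_MASK = "255.255.0.0";
var LOCAL_DOMAIN = ".school.local";   // assumed internal DNS suffix

// Parse a dotted-quad IPv4 literal to a number, or null if it is not one.
// Anchored regex: "10.0.0.5.example.com" is a hostname, not a LAN address.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return null;
    n = n * 256 + Number(m[i]);
  }
  return n;
}

// True when numeric address ip falls inside net/mask.
function inNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ip & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Suffix match that requires a label boundary (suffix starts with a dot).
function hasSuffix(host, suffix) {
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names and the internal domain stay on the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (hasSuffix(host, LOCAL_DOMAIN)) return "DIRECT";
  // IP literals go direct only when they are loopback or inside the LAN.
  var ip = ipToInt(host);
  if (ip !== null &&
      (inNet(ip, "127.0.0.0", "255.0.0.0") || inNet(ip, LAN_NET, LAN_MASK))) {
    return "DIRECT";
  }
  // Everything else goes to DansGuardian, with no "; DIRECT" fallback.
  return DG_PROXY;
}
```

A PAC file only steers browsers that honour it. As the thread notes, a single-NIC box can be bypassed by a client that ignores the proxy, so direct outbound web traffic still has to be blocked at the firewall.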