Netbooks, PDA and Phones Thread, Proxy still stuffed on 3.1 in Technical
  1. #16

    SimpleSi | Join Date: Jun 2005 | Location: Lancashire | Posts: 5,808 | Thank Post: 1,476 | Thanked 592 Times in 444 Posts | Rep Power: 168
    this only works for HTTPS traffic for clients which support SNI.
    ???

    what would be the point then if it wouldn't work for normal web stuff????

    I'm just trying to get T'internet stuff to go via county filters and lan stuff (local webservers) not

    Si

  2. #17


    tom_newton | Join Date: Sep 2006 | Location: Leeds | Posts: 4,462 | Thank Post: 866 | Thanked 845 Times in 667 Posts | Rep Power: 195
    Originally posted by SimpleSi:
    > But how is this miracle performed? How do the server gods know which clients are wireless???
    >
    > Si

    Tricky one. One option is to do it for all clients - those with a proxy set won't send ANY http(s) traffic, and as such won't see a difference. Other options are have your Access Points on a separate VLAN? Anyone think of any more cunning plans?

    There is another method, which requires a bridging device between your AP/the switch your APs are attached to and the internet...

  3. #18


    tom_newton
    Originally posted by SimpleSi:
    > ???
    >
    > what would be the point then if it wouldn't work for normal web stuff????
    >
    > I'm just trying to get T'internet stuff to go via county filters and lan stuff (local webservers) not
    >
    > Si

    Sorry, I am being unclear - perhaps due to sometimes writing posts while on the phone.

    It *always* works for "regular http", sometimes it just doesn't play ball with https, in the case of Smoothwall, it means that clients that DON'T support SNI get blocked from accessing HTTPS, but everyone gets HTTP regardless.

  4. #19


    Join Date: Jan 2006 | Posts: 8,202 | Thank Post: 442 | Thanked 1,032 Times in 812 Posts | Rep Power: 339
    Originally posted by SimpleSi:
    > But how is this miracle performed? How do the server gods know which clients are wireless???
    >
    > Si

    I'd also go with separate VLAN, and if you are thinking along the lines of user/home equipment needing a transparent proxy then this is probably the best method as you can firewall this VLAN from your internal network - which is what we do.

    Question I have now - suppose we set the default route (in the public WIFI VLAN DHCP) to one of our Smoothwalls, then presumably traffic (such as DNS requests) from the internal LAN would not be sent back to the internal LAN if Smoothwall is just sitting as a proxy in the DMZ (with core switch doing the routing, and Cisco doing the firewalling). So how would I get around this, using Smoothwall?

  5. #20


    tom_newton
    DNS requests should go to your internal DNS server in any case. For other stuff, the smoothie will send an ICMP reply that says "actually, the gateway's over there, but don't tell the web browser".

  7. #21


    tom_newton
    If anyone has Cisco kit knocking about, WCCP is a great way to do transparent stuff.

  8. #22


    Join Date: Jan 2006 | Posts: 8,202
    Originally posted by tom_newton:
    > DNS requests should go to your internal DNS server in any case. For other stuff, the smoothie will send an ICMP reply that says "actually, the gateway's over there, but don't tell the web browser"

    Yes the DNS does go to the internal DNS server, but the Smoothwall is in a DMZ - 192.168.x.x and the internal address is on a different subnet, so how will the DNS requests get to the internal DNS server if the default route is that of a Smoothwall server, rather than the firewall - I'm guessing DNS caching on smoothie, or will the ICMP reply deal with that? I have a sneaky it's going to be a bit of a headache to set up and I'll be building another Smoothwall to get it working ok.

    > If anyone has cisco kit knocking about WCCP is a great way to do transparent stuff

    OK, I'll have a look at that.

  9. #23


    tom_newton
    Default route is the smoothie only for the clients, and they can still happily have a route that lets them get to the DNS server (which has a route to the "real" gw). WCCP is the shiz tho, as you can let the Cisco do the heavy lifting, you just need the WCCP device to be on the path that the clients you need to proxy are taking to the internets, then redirect 80/433 based on src ip, and bob's your mother's brother.

    Unfortunately it carries the usual Cisco learning curve (more of a learning cliff).

  11. #24

    SimpleSi
    I'm sneaking out the door - too complicated for me

    Si

  12. #25

    SimpleSi
    I'm sorted in my schools as I'd forgotten that the server that Espresso is loaded on is also a proxy server

    So setting its address as the proxy server in the wi-fi settings means the default browser can be used for Internet and Espresso
    Si

  13. #26

    Join Date: Nov 2009 | Posts: 114 | Thank Post: 0 | Thanked 9 Times in 9 Posts | Rep Power: 11

  15. #27

    SimpleSi
    What tab have you got?
    Si

  16. #28

    Join Date: Nov 2009 | Posts: 114
    Originally posted by SimpleSi:
    > What tab have you got?
    > Si

    Hannspree Hannspad (1653 Model)
