OK, so at our organisation we have an external web proxy run by our local county, with proxy settings distributed via GPO. The problem is that with BYOD on the rise we're having trouble with certain devices that either can't take proxy settings or don't handle exceptions well and redirect all traffic, including that meant for internal servers, out to the proxy.
Now, I have a tower with 2 network cards that was donated to us, running Ubuntu. I've not played with Linux as a routing tool before, but all I want it to do is direct all traffic to the external proxy and add a list of exceptions that remain internal to the network, so I can point some of our devices at it as the default gateway and it can make the proxy decisions for them.
As a principle, BYOD devices, or any device you don't administer, shouldn't even be allowed to touch your internal network. That being said, I just went through this a while back setting up a guest wireless network for our district. Redirecting HTTP isn't a big deal, but you'll break HTTPS in the process. In a nutshell, I set up a box with two NICs, Squid in transparent mode, and iptables to redirect all HTTP traffic on the local interface to Squid; really just a standard transparent proxy setup. HTTPS is still broken at this point though, since you can't redirect it without performing what basically constitutes a MITM attack. So I had to somehow get the user to set proxy settings on their end.
To get them to do this I set up Squid as a captive portal. When the user connects to the guest network they immediately get redirected to a terms of service page hosted on the proxy. At the bottom of the page is an acceptance button that serves two purposes: first, Squid will continue to redirect to the TOS page until it is clicked; second, once clicked it takes you to a page with directions for setting up most popular browsers and devices for auto proxy configuration. If the user follows the directions, HTTPS works no problem.
To finish off the auto proxy setup, I had to write a wpad.dat file and set up both DHCP and DNS to point to it (Internet Explorer can use DHCP to find it, and Firefox/Safari/Chrome will use DNS). The exceptions to forwarding are defined in the wpad.dat file.
It was a huge PITA to get working, but once I got it tweaked it works remarkably well for all major browsers and iOS devices. I'm still playing around with Android though...
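As an added example, not code from the poster above or from Squid, here is the kind of wpad.dat (a PAC file) the answer describes: plain hostnames, the internal DNS domain and the internal address range go DIRECT, everything else goes to the proxy. The proxy name `proxy.county.example:8080`, the domain `.corp.example.lan` and the `10.0.0.0/8` range are placeholders to replace with your own. The browser supplies the PAC built-ins (`isPlainHostName`, `dnsDomainIs`, `isInNet`); the shims at the top exist only so the file can be exercised offline under Node, and should be deleted from the deployed wpad.dat.

```javascript
// --- Node shims for the PAC built-ins (testing only; the browser provides the real ones) ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // Suffix match, so "evil.corp.example.lan.attacker.example" does not match ".corp.example.lan"
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ip2long(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return (acc << 8) + parseInt(octet, 10);
  }, 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  // The real isInNet resolves hostnames over DNS; this shim handles IPv4 literals only.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ip2long(mask);
  return ((ip2long(host) & m) >>> 0) === ((ip2long(pattern) & m) >>> 0);
}

// --- The wpad.dat proper: this is the function the browser calls for every request ---
function FindProxyForURL(url, host) {
  // 1. Unqualified names ("http://intranet/") are always internal.
  if (isPlainHostName(host)) return "DIRECT";

  // 2. Anything under the internal DNS domain (placeholder) stays internal.
  if (dnsDomainIs(host, ".corp.example.lan")) return "DIRECT";

  // 3. Loopback and the internal address range (placeholder 10.0.0.0/8).
  //    Only call isInNet for IP literals: on a hostname it would trigger a
  //    blocking DNS lookup for every request.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
    if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  }

  // 4. Everything else goes through the county proxy (placeholder address).
  //    Deliberately no "; DIRECT" fallback: that would let a device bypass
  //    filtering whenever the proxy is unreachable.
  return "PROXY proxy.county.example:8080";
}
```

Serve the file as `http://wpad.<your-domain>/wpad.dat` with MIME type `application/x-ns-proxy-autoconfig`, and hand the same URL out via DHCP option 252 for the clients that use DHCP. The `; DIRECT` fallback that many PAC examples append to the PROXY line is left off on purpose: it turns a proxy outage (or a user blocking the proxy's address) into an unfiltered connection.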