<< Back to man.ChinaUnix.net

HTTP Proxy

Feature List

User authentication

  • Local user authentication, including group based user management

  • LDAP authentication, including MS Active Directory, Novell eDirectory and OpenLDAP

  • Windows authentication, including Windows NT4.0 or 2000/2003 domains and Samba

  • RADIUS authentication

Advanced access control

  • Network based access control over IP and MAC addresses

  • Time based access restrictions

  • Download throttling

  • MIME type filter

  • Blocking of unauthorized browsers or client software

  • Group based access with groups coming from Windows active directory

Web proxy configuration

Common settings

The common settings are essential parameters related to the proxy services

Figure 7.2. Displays HTTP advanced proxy settings

Displays HTTP advanced proxy settings
Enabled on zone

This enables the Proxy Server to listen for requests on the selected zone (GREEN or BLUE or ORANGE).

Note

If the proxy service is disabled, all client requests will be forwarded directly to the destination address without passing the proxy service and therefore the requests will bypass all configured ACLs.

Transparent on zone

If the transparent mode is enabled, all requests for the destination port 80 will be forwarded to the Proxy Server without the need of any special configuration changes to your clients.

Warning

Transparent mode works only for destination port 80. All other requests (e.g. port 443 for SSL) will bypass the Proxy Server.

Note

When using any type of authentication, the Proxy may not run in transparent mode.

Note

To enforce the usage of the Proxy Server in non-transparent mode, you will have to block all outgoing ports usually used for http traffic (80, 443, 8000, 8080, etc.).

Proxy Port

This is the port the Proxy Server will listen for client requests. The default is 8080.

Note

In transparent mode, all client requests for port 80 will automatically redirected to this port.

Warning

In non-transparent mode, make sure that your clients are configured to use this port. Otherwise they will bypass the Proxy Server and all ACLs will be ignored.

Visible hostname

If you want to present a special hostname in error messages or for upstream proxy servers , then define this. Otherwise, the real hostname of your Endian Firewall will be used. This is optional.

Cache administrator e-mail

This mail address will be shown on the Proxy Server error messages. This is optional.

Error messages language

Select the language in which the Proxy Server error messages will be shown to the clients.

Contentfilter enabled

Antivirus enabled

Allowed ports

Allowed SSL ports

Upstream proxy

These settings may be required for chained proxy environments.

Figure 7.3. Displays HTTP advanced proxy upstream proxy configuration

Displays HTTP advanced proxy upstream proxy configuration
Username forwarding

If any type of authentication is activated for HTTP Proxy, this enables the forwarding of the login name. This can be useful for user based ACLs or logging on remote proxy servers.

Note

This is for ACL or logging purposes only and doesn’t work, if the upstream proxy requires a real login.

Note

This forwarding is limited to the username, the password will not be forwarded.

Client IP address forwarding

This enables the HTTP x-forwarded-for header field. If enabled, the internal client IP address will be added to the HTTP header.

x-forwarded-for: 192.168.1.37

This can be useful for source based ACLs or logging on remote proxy servers. Instead of forwarding unknown, this field will be completely suppressed by default.

Note

If the last proxy in chain doesn’t strip this field, it will be forwarded to the destination host!

Upstream proxy (host:port)

If you are using a parent cache, so enter the IP address and port of this upstream Proxy. If no value for port is given, the default port 80 will be used.

Upstream username

Enter the username for the upstream Proxy Server (only if required).

Note

If you enter a password, the username forwarding, described above, will be disabled.

Upstream password

Enter the password for the upstream Proxy Server (only if required).

Note

If you enter a password, the username forwarding, described above, will be disabled.

Log settings

These options are for enabling the HTTP Proxy log files.

Figure 7.4. Displays HTTP advanced proxy log settings

Displays HTTP advanced proxy log settings
Log enabled

This enables the Web Proxy logging feature. All client requests will be written to a log file and can be viewed within the GUI under Logs > Proxy Logs (See the section called “Proxy Logs Page”).

Warning

Enabling this option may break the privacy of your clients or other legal rules.

Before you are using this option make sure that this will be in accordance with the national law or other legal regulations.

In most countries, the user must agree that personal data will be logged. Do not enable this in a business environment without the written agreement of the workers council.

Firewall logs outgoing connections

Tick this on if you want the firewall to log all outgoing connection.

Warning

In most countries this may be illegal!

Log query terms

The part of the URL containing dynamic queries will be stripped by default before logging. Enabling the option Log query terms will turn this off and the complete URL will be logged.

Warning

Enabling tis option may break the privacy of your clients!

Log useragents

Enabling this option writes the useragent string to the log file /var/log/squid/useragent.log. This log file option should only be activated for debugging purposes and the result is not shown within the GUI based log viewer.

Cache management

The cache management settings control the caching parameters for Advanced Proxy.

Figure 7.5. Displays HTTP advanced proxy cache management configuration

Displays HTTP advanced proxy cache management configuration
Memory cache size

This is the amount of physical RAM to be used for negative-cached and in-transit objects. This value should not exceed more than 50% of installed RAM. The minimum for this value is 1MB, the default is 20 MB.

Note

This parameter does not specify the maximum process size. It only places a limit on how much additional RAM the Web Proxy will use as a cache of objects.

Harddisk cache size

This is the amount of disk space (MB) to use for cached objects. The default is 500 MB. Change this to suit your configuration. Do not put the size of your disk drive here. Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value.

Min object size

Objects smaller than this size will not be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means there is no minimum.

Max object size

Objects larger than this size will not be saved on disk. The value is specified in kilobytes, and the default is 4MB (4096KB). If you wish to increase speed at the expense of saving bandwidth you should leave this low.

Do not cache these domains

A list of sites which cause the request to not be satisfied from the cache and the reply to not be cached. In other words, use this to force objects to never be cached. All domains must be entered with a leading dot:

.advproxy.net
.google.com
Enable offline mode

Enabling this option will turn off the validation of cached objects. This gives access to more cached information. (stale cached versions, where the origin server should have been contacted).

Network based access control

This defines the access control for accessing the Proxy Server based on the client network address.

Figure 7.6. Displays HTTP advanced proxy network based access control

Displays HTTP advanced proxy network based access control
Allowed subnets

All listed subnets are allowed to access the Proxy Server. By default, the subnets for GREEN, BLUE and ORANGE (if available) are listed here.

Warning

If you ever change the network configuration of any zone by the network wizard described in the section called “Network Configuration”, you need to change the values also in this list, especially if a subnet will be changed.

You can add other subnets like subnets behind GREEN in larger environments to this list.

Note

All subnets not listed here will be blocked for web access.

Unrestricted IP addresses

All client IP addresses in this list will override the following restrictions:

  • Time restrictions

  • Size limits for download requests

  • Download throttling

  • Browser check

  • MIME type filter

  • Authentication (will be required by default for these addresses, but can be turned off)

  • Concurrent logins per user (only available if authentication is enabled)

Unrestricted MAC addresses

All client MAC addresses in this list will override the following restrictions:

  • Time restrictions

  • Size limits for download requests

  • Download throttling

  • Browser check

  • MIME type filter

  • Authentication (will be required by default for these addresses, but can be turned off)

  • Concurrent logins per user (only available if authentication is enabled)

Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without having fixed leases defined.

MAC addresses can be entered in one of these forms:

00-00-00-00-00-00 or 00:00:00:00:00:00

Note

The Proxy Server can only determine MAC addresses from clients configured for the subnets of the GREEN, BLUE or ORANGE interfaces.

Banned IP addresses or subnets

All requests from these clients (IP addresses or subnets) in this list will be blocked.

Banned MAC addresses

All requests from these clients in this list will be blocked. Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without having fixed leases defined.

MAC addresses can be entered in one of these forms:

00-00-00-00-00-00 or 00:00:00:00:00:00

Note

The Proxy Server can only determine MAC addresses from clients configured for the subnets of the GREEN, BLUE or ORANGE interfaces.

Time restrictions

This defines the operational time of the Web Proxy.

Figure 7.7. Displays HTTP advanced proxy time restrictions configuration

Displays HTTP advanced proxy time restrictions configuration

The option allow allows web access and the option deny blocks web access within the selected time. The choice of allow or deny will depend on the time rules you want to apply. The default is set to allow access every day around the clock.

Note

Time restrictions will not be effective for these clients.

  • Unrestricted source IP addresses

  • Unrestricted source MAC addresses

  • Members of the group Extended if the Proxy uses Local authentication

Transfer limits

This allows you to enter limitations of the size for each download and/or upload request.

Figure 7.8. Displays HTTP advanced proxy transfer limit configuration

Displays HTTP advanced proxy transfer limit configuration

The values are given in KB. A reason for transfer limits could be that you want to prevent downloading large files, such as CD images. The default is set to 0 KB for upload and download. This value turns off any limitation.

Note

This limits refer to each single request. It’s not the total amount for all requests.

Note

Download limits will not be effective for these clients:

  • Unrestricted source IP addresses

  • Unrestricted source MAC addresses

  • Members of the group Extended if the Proxy uses Local authentication

Note

Upload limits will be effective for all clients.

MIME type filter

The MIME type filter can be configured to block content depending on its MIME type.

Figure 7.9. Displays HTTP advanced proxy MIME type filter

Displays HTTP advanced proxy MIME type filter

If enabled, the filter checks all incoming headers for their MIME type. If the requested MIME type is listed to be blocked, the access to this content will be denied. This way you can block content, no matter of the given file name extension.

Example 7.1. Add this MIME type if you want to block the download of PDF files:

application/pdf

Example 7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files:

application/pdf
video/quicktime

Note

The MIME type are processed as regular expressions. This means, the MIME type javascript will block content with the MIME types

application/x-javascript and text/javascript

Note

MIME type blocking will not be effective for these clients:

  • Unrestricted source IP addresses

  • Unrestricted source MAC addresses

  • Members of the group Extended if the Proxy uses Local authentication

Web browser

This allows you to control which client software may have access to web sites.

Figure 7.10. Displays HTTP advanced proxy user agent filter

Displays HTTP advanced proxy user agent filter
Enable Browser check

If this option is enabled, only the selected clients will be able to pass the Proxy Server. All other requests will be blocked.

Note

Browser based access control will not be effective for these clients:

  • Unrestricted source IP addresses

  • Unrestricted source MAC addresses

  • Members of the group Extended if the Proxy uses Local authentication

Client definitions

The most important web clients are already listed. You can create your own definitions by editing the file /var/efw/proxy/advanced/useragents and adding the browser specific information there.

Adding custom clients could be necessary if you want to allow your AntiVirus software to download updated definitions. If you don’t know the useragent of this software, you can enable the useragent logging in the section Log settings and watch the file /var/log/squid/useragent.log.

The syntax for client definitions is:

name,display,(regexp)

name

is required for internal processing of the Advanced Proxy and should be a short name in alphanumeric capital letters without spaces.

display

is the string which appears in the GUI list and should contain the common name for this client.

(regexp)

is a regular expression which matches the browser useragent string and must always be enclosed with brackets.

The values are separated by commas.

Authentication configuration

Warning

When using authentication and enabling the web proxy log files, the requesting user name will be logged in addition to the requested URL. Before enabling log files while using authentication, make sure not to violate existing laws.

Authentication methods overview

The Advanced Proxy offers a variety of methods for user authentication.

Figure 7.11. Displays HTTP advanced proxy authentication methods

Displays HTTP advanced proxy authentication methods
None

Authentication is disabled. Users don’t need to authenticate when accessing web sites.

Local Authentication

This authentication method is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites by entering a valid username and password. The user management resides on the Endian Firewall Proxy Server. Users are categorized into three groups: Extended, Standard and Disabled.

Authentication using LDAP

This authentication method is the preferred solution for medium and large network environments. Users will have to authenticate when accessing web sites by entering a valid username and password. The credentials are verified against an external Server using the Lightweight Directory Access Protocol (LDAP).

LDAP authentication will be useful if you have already a directory service in your network and don’t want to maintain additional user accounts and passwords for web access.

The HTTP Proxy works with these types of LDAP Servers:

  • Active Directory (Windows 2000 and 2003 Server)

  • Novell eDirectory (NetWare 5.x und NetWare 6)

  • LDAP Version 2 and 3 (OpenLDAP)

As an option, membership for a certain group can be required.

Note

The protocol LDAPS (Secure LDAP) is not supported.

Windows authentication

This authentication method is the preferred solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external Server acting as a Domain Controller. This can be a:

  • Windows NT 4.0 Server or Windows 2000/2003 Server (even with Active Directory enabled)

  • Samba 2.x / 3.x Server (running as Domain Controller)

Advanced Proxy works with Windows integrated authentication (transparent) or with standard authentication (explicit with username and password). You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).

Note

Workgroup based authentication may probably work, but is neither recommended nor supported.

RADIUS authentication

This authentication method is the preferred solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external RADIUS server. You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).

Global authentication settings

The global authentication settings are available for all authentication methods except for the identd method.

Figure 7.12. Displays HTTP advanced proxy global authentication settings

Displays HTTP advanced proxy global authentication settings
Number of authentication processes

The number of background processes listening for requests. The default value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL

Duration in minutes how long credentials will be cached for each single session. If this time expires, the user has to re-enter the credentials for this session. The default is set to 60 minutes, the minimum will be 1 minute. The TTL will always be reset when the user sends a new request to the Proxy Server within a session.

Note

If the user opens a new session, the credentials must always be entered, even if the TTL has not expired for another session.

Limit of IP addresses per user

Number of source IP addresses a user can be logged in at a time. The IP address will be released after the time defined at User/IP cache TTL.

Note

This takes no effect if running Local authentication and the user is a member of the Extended group.

User/IP cache TTL

Duration in minutes, how long relations between each user name and the used IP address will be cached. The default value is 0 (disabled). A value greater than 0 is only reasonable while using a limit for concurrent IP addresses per user.

Require authentication for unrestricted source addresses

By default authentication is required even for unrestricted IP addresses. If you don’t want to require authentication for these addresses, untick this box.

Authentication realm prompt

This text will be shown in the authentication dialog.

Domains without authentication

This allows you to define a list of domains that can be accessed without authentication.

Note

These domains are destination DNS domains and not source Windows NT domains.

Note

This works only for DNS domain names and not for IP addresses.

Example 7.3. Windows Update To allow access to Windows Update without authentication add these domains to the list:

.download.microsoft.com
.windowsupdate.com
.windowsupdate.microsoft.com

Note

All listed domains require a leading dot.

Local user authentication

The Local user authentication lets you manage user accounts locally without the need for external authentication servers.

Figure 7.13. Displays HTTP advanced proxy local user authentication

Displays HTTP advanced proxy local user authentication
User management

The integrated user manager can be executed from the main settings page.

Figure 7.14. Displays HTTP advanced proxy local user authentication

Displays HTTP advanced proxy local user authentication
Min password length

Enter the minimum required length of passwords. The default is set 6 alphanumeric characters.

User management

This button opens the local user manager.

Local user manager

The user manager is the interface for creating, editing and deleting user accounts.

Figure 7.15. Displays local user manager for the HTTP advanced proxy

Displays local user manager for the HTTP advanced proxy

Within the user manager page, all available accounts are listed in alphabetically order.

Group definitions

You can select between three different groups:

Standard

The default for all users. All given restrictions apply to this group.

Extended

Use this group for unrestricted users. Members of this group will bypass any time and filter restrictions.

Disabled

Members of this group are blocked. This can be useful if you want to disable an account temporarily without loosing the password.

Proxy service restart requirements

The following changes to user accounts will require a restart of the proxy service:

  • a new user account was added and the user is not a member of the Standard group

  • the group membership for a certain user has been changed

The following changes to user accounts will not require a restart of the proxy service:

  • a new user account was added and the user is a member of the Standard group

  • the password for a certain user has been changed

  • an existing user account has been deleted

Create user accounts
Username

Enter the username for the user. If possible, the name should contain only alphanumeric characters.

Group

Select the group membership for this user.

Password

Enter the password for the new account.

Password (confirm)

Confirm the previously entered password.

Create user

This button creates a new user account. If this username already exists, the account for this username will be updated with the new group membership and password.

Back to main page

This button closes the user manager and returns to the Advanced Proxy main page.

Edit user accounts

A user account can be edited by clicking on the pencil icon. When editing an user account, only the group membership or password can be changed.

While editing an account, the referring entry will be marked with a yellow bar.

Figure 7.16. Displays editing a user with local user manager of HTTP advanced proxy

Displays editing a user with local user manager of HTTP advanced proxy

To save the changed settings, use the button Update user.

Note

The username cannot be modified. This field is read-only. If you need to rename a user, delete this user and create a new account.

Delete user accounts

A user account can be deleted by clicking the trash can icon. The account will be deleted immediately.

Client side password management

Users may change their passwords if needed. The interface can be invoked by entering this URL:

https://efw:10443/cgi-bin/chpasswd.cgi

Note

Replace efw with the GREEN IP address of your Endian Firewall.

The web page dialog requires the username, the current password and the new password (twice for confirmation):

Figure 7.17. Change it yourself page, allowing user to change their local HTTP proxy password

Change it yourself page, allowing user to change their local HTTP proxy password
LDAP authentication

This authentication method uses an existing directory infrastructure for user authentication.

Figure 7.18. Displays LDAP authentication page of HTTP advanced proxy

Displays LDAP authentication page of HTTP advanced proxy

If you are unsure about your internal directory structure, you can examine your LDAP server using the command line based ldapsearch tool.

Windows clients can use the free and easy to use Softerra LDAP browser for this: http://www.ldapbrowser.com.

Common LDAP settings

Figure 7.19. Common LDAP settings of HTTP advanced proxy

Common LDAP settings of HTTP advanced proxy
Base DN

This is base where to start the LDAP search. All subsequent Organizational Units (OUs) will be included. Refer to your LDAP documentation for the required format of the base DN.

Example 7.4. Base DN for Active Directory

cn=users,dc=ads,dc=local

This will search for users in the group users in the domain ads.local.

Example 7.5. Base DN for eDirectory

ou=users,o=acme

This will search for users in the Organizational Unit users (and below) in the Organization acme.

Note

If the Base DN contains spaces, you must escape these spaces using a backslash.

Example 7.6. Base DN containing spaces

cn=internet\ users,dc=ads,dc=local
LDAP type

You can select between different types of LDAP implementations:

  • Active Directory (ADS)

  • Novell eDirectory (NDS)

  • LDAP v2 andv 3

LDAP Server

Enter the IP address of your LDAP Server.

Port

Enter the port your LDAP Server is listening to LDAP requests. The default is 389.

Note

The protocol LDAPS (Secure LDAP, port 636) is not supported.

Bind DN settings

Figure 7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy

Bind DN settings of LDAP authentication within HTTP advanced proxy
Bind DN username

Enter the full distinguished name for a Bind DN user.

Note

A Bind DN user is required for Active Directory and eDirectory.

Note

The Bind DN user must be allowed to browse the directory and read all user attributes.

Note

If the Bind DN username contains spaces, you must escape these spaces using a backslash.

Bind DN password

Enter the password for the Bind DN user.

Group based access control

Figure 7.21. Groupbased access control of LDAP authentication within HTTP advanced proxy

Groupbased access control of LDAP authentication within HTTP advanced proxy
Required group (optional)

Enter the full distinguished name of a group for authorized Internet users. In addition to a correct authentication, a membership within this group will be required for web access.

Note

If the group name contains spaces, you must escape these spaces using a backslash.

Advanced Group Selections

Windows authentication

This authentication method uses an existing domain environment for user authentication.

Figure 7.22. HTTP advanced proxy authentication against Windows

HTTP advanced proxy authentication against Windows

In addition to the authentication you can define positive or negative user based access control lists.

Common domain settings

Figure 7.23. Common domain settings of Windows authentication on HTTP advanced proxy

Common domain settings of Windows authentication on HTTP advanced proxy
Domain

Enter the name of the domain you want to use for authentication. If you are running a Windows 2000 or Windows 2003 Active Directory, you’ll have to enter the NetBIOS domain name.

PDC hostname

Enter the NetBIOS hostname of the Primary Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller.

Note

For Windows 2000 and above the Primary Domain Controller is not assigned to a specific server. The Active Directory PDC emulator is a logical role and can be assigned to any server.

Warning

The PDC hostname must be resolvable for Endian Firewall. This can be done by adding the hostname at Network > Edit Hosts (See the section called “Host configuration (Edit Hosts)”).

BDC hostname (optional)

Enter the NetBIOS hostname of the Backup Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller. If the PDC doesn’t respond to authentication requests, the authentication process will ask the BDC instead.

Warning

The PDC hostname must be resolvable for Endian Firewall. This can be done by adding the hostname at Network > Edit Hosts (See the section called “Host configuration (Edit Hosts)”).

Authentication mode

Figure 7.24. Authentication mode of windows authentication on HTTP advanced proxy

Authentication mode of windows authentication on HTTP advanced proxy
Enable Windows integrated authentication

If enabled, the user will not be asked for username and password. The credentials of the currently logged in user will automatically be used for authentication. This option is enabled by default. If integrated authentication is disabled, the user will be requested explicitly for username and password.

User based access restrictions

Figure 7.25. Userbased access restrictions on windows authentication of HTTP advanced proxy

Userbased access restrictions on windows authentication of HTTP advanced proxy
Enabled

Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized domain users

These listed users will be allowed for web access. For all other users, access will be denied.

Use negative access control / Unauthorized domain users

These listed users will be blocked for web access. For all other users, access will be allowed.

Note

If Windows integrated authentication is enabled, the username must be entered with the domain name as a prefix for the username, separated by a backslash.

Example 7.7. User based access control lists using integrated authentication

Figure 7.26. Integrated windows authentication with HTTP advanced proxy

Integrated windows authentication with HTTP advanced proxy

Note

When using integrated authentication, the user must be logged in to the domain, otherwise the name of the local workstation instead of the domain name will be added to the username.

Example 7.8. User based access control lists using explicit authentication

Figure 7.27. Explicit authentication with HTTP advanced proxy

Explicit authentication with HTTP advanced proxy

Note

Explicit authentication grants access to the user, even though the user is not logged in to the domain, as long as the username will be the same and the local workstation password and the domain password does match.

RADIUS authentication

This authentication method uses an existing RADIUS server for user authentication.

Figure 7.28. Displays RADIUS authentication configuration of HTTP advanced proxy

Displays RADIUS authentication configuration of HTTP advanced proxy

In addition to the authentication you can define positive or negative user based access control lists.

Note

This authentication method cannot handle encrypted connections. If you are running a Microsoft IAS for RADIUS you’ll have to turn off any type of encryption at your IAS.

Common RADIUS settings

Figure 7.29. Displays common RADIUS settings of HTTP advanced proxy authentication

Displays common RADIUS settings of HTTP advanced proxy authentication
RADIUS Server

Enter the IP address of the RADIUS Server you want to use for authentication.

Port

Enter the port that will be used to communicate with the RADIUS Server. The default is port 1645, some RADIUS servers may use port 1812 instead.

Identifier

This is an optional field and can be used to identify your IPCop for the RADIUS Server. If this is left empty, the IP address of your Endian Firewall will be used for identification.

Shared secret

This is the shared secret for the authentication of your Endian Firewall against the RADIUS Server. This must be the same password that you have entered at your RADIUS Server.

User based access restrictions

Figure 7.30. Displays user baed access restrictions of HTTP advanced proxy

Displays user baed access restrictions of HTTP advanced proxy
Enabled

Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized users

These listed users will be allowed for web access. For all other users, access will be denied.

Use negative access control / Unauthorized users

These listed users will be blocked for web access. For all other users, access will be allowed.

Advanced Group Selections

Content filter

Figure 7.31. General contentfilter configuation

General contentfilter configuation

Figure 7.32. Selection of allowed phrases which pages may contain

Selection of allowed phrases which pages may contain

Figure 7.33. Selection of categories of url lists which shoulr be blocked by the HTTP contentfilter

Selection of categories of url lists which shoulr be blocked by the HTTP contentfilter

Figure 7.34. Custom Black and whitelists of HTTP contentfilter

Custom Black and whitelists of HTTP contentfilter

HTTP Antivirus

Figure 7.35. HTTP Antivirus configuration page

HTTP Antivirus configuration page

Enforcing proxy usage

For different reasons, it may be required that all clients should be enforced to use the proxy service. The reasons could be mandatory logging, filtering or authentication.

Web Proxy standard operation modes

Proxy service disabled

Endian Firewall proxy settings:

Figure 7.36. HTTP proxy disabled

HTTP proxy disabled

Client access: Disabling the proxy service gives direct access for all clients.

Figure 7.37. Figure which displays traffic with will not be directed through the HTTP proxy

Figure which displays traffic with will not be directed through the HTTP proxy

Result: The proxy service will never be used. Logging, filtering and authentication will not be available.

Proxy service enabled, running in non-transparent mode

Endian Firewall proxy settings:

Figure 7.38. HTTP proxy enabled

HTTP proxy enabled

Client access: All clients without explicit proxy configuration will bypass the proxy service.

Figure 7.39. Figure which displays traffic with will not be directed through the HTTP proxy

Figure which displays traffic with will not be directed through the HTTP proxy

Client access: All clients configured for proxy usage will use the proxy for all destination ports (80, 443, 8080, etc.) and even for browser based FTP access.

Figure 7.40. Figure which displays traffic which will be redirected through the HTTP proxy.

Figure which displays traffic which will be redirected through the HTTP proxy.

Result: It depends on the client configuration whether the proxy service will be used or not. Unconfigured clients will bypass logging, filtering and authentication.

Proxy service enabled, running in transparent mode

Endian Firewall proxy settings:

Figure 7.41. HTTP proxy enabled as transparent proxy

HTTP proxy enabled as transparent proxy

Client access: All requests with destination port 80 will be internally redirected to the proxy service. Requests with other destination ports (e.g. 443 for https) will bypass the proxy service.

Figure 7.42. Figure which display traffic which will be transparently redirected through the HTTP proxy.

Figure which display traffic which will be transparently redirected through the HTTP proxy.

Result: Not all but most requests will pass the proxy service. Therefore filtering, logging and authentication will not be reliable.

Client side Web Proxy configuration

There are different ways to configure the clients to use the Web Proxy service. SOme of them are described in this section

Manual client configuration

Configuring clients by applying all proxy settings manually:

  • Time-consuming and unreliable

  • Configuration required per user

Client pre-configuration

Distributing pre-configured browser clients:

  • Only reasonable for medium to large environments

  • Works only for the configured client software

IEAK for IE 6: http://www.microsoft.com/windows/ieak/

CCK for Mozilla: http://www.mozilla.org/projects/cck/

Client configuration via DNS / DHCP

Centralized client configuration using DNS and/or DHCP:

  • Complex implementation

  • Require custom proxy.pac or wpad.dat files (dynamically created by Endian Firewall)

  • Flexible configuration

  • Most browsers support this configuration method

More info: http://www.web-cache.com/Writings/Internet-Drafts/draft-ietf-wrec-wpad-01.txt

Client configuration using group policies

Centralized client configuration using group policies:

  • Complex implementation

  • Only reasonable for medium to large environments

  • Requires a centralized network management system (Active Directory, ZENworks, etc.)

  • Flexible and mandatory configuration

  • Works only for Win32 clients and certain browser types

Requirements for mandatory proxy usage

To enforce proxy usage, these requirements must be met:

Proper client configuration

The client must be configured to use the proxy service.

Correct proxy operation mode

The proxy must operate in non-transparent mode.

Blocking of direct web access

All direct web access needs to be blocked. See the section called “Outgoing Firewall Administrative Web Page”.

Step by step examples

Active Directory and LDAP authentication

The following guidance is a step-by-step instruction for configuring the authentication using Microsoft Active Directory Services via LDAP for Advanced Proxy running on Endian Firewall.

Configuring LDAP authentication using Microsoft Active Directory Services
  1. Create the Bind DN user account

    Open the MMC snap-in Active Directory Users and Computers.

    Right click on the domain and select New > User from the menu

    Figure 7.43. 

    Enter the name for the Bind DN user. Make sure that the username does not contain spaces or special characters.

    Figure 7.44. 

    Enter the password for the Bind DN user and select the options User cannot change password and Password never expires. Make sure that the option User must change password at next logon is unchecked.

    Figure 7.45. 

    Complete the Wizard to create the Bind DN user. The Active Directory username will be ldapbind@ads.local and the LDAP DN will be cn=ldapbind,dc=ads,dc=local.

    Figure 7.46. 

    This account will be used to bind the Advanced Proxy to the LDAP server. This is necessary because Active Directory doesn't allow anonymous browsing.

  2. Grant appropriate access rights to the Bind DN user.

    Right click the domain and select Delegate Control from the menu.

    Figure 7.47. 

    Start the Control Delegation Wizard and select the ldapbind user account.

    Figure 7.48. 

    Select Create a custom task to delegate.

    Figure 7.49. 

    Restrict delegation to User objects.

    Figure 7.50. 

    Set permissions to Read All Properties.

    Figure 7.51. 

    Now complete the Control Delegation Wizard.

  3. Configure Advanced Proxy for LDAP authentication

    Open the Advanced Proxy GUI page, select LDAP from the section Authentication method and hit Save.

    Note

    If you are configuring LDAP authentication for the first time, HTTP Proxy may complain about the missing LDAP Base DN.

    Now enter the following LDAP settings into the Advanced Proxy GUI:

    Base DN

    The start where the LDAP search begins

    LDAP type

    Active Directory

    LDAP Server

    The IP address of your Windows LDAP Server

    Port

    The port your Windows Server listens to LDAP requests

    Bind DN username

    The LDAP DN of the Bind DN user

    Bind DN password

    The password for the Bind DN user

    Figure 7.52. 

    Save the settings and restart the Advanced Proxy by clicking the Save and restart button. Congratulations, LDAP authentication is working now ...

Configuring LDAP group based access control
  1. Create a group for authorized users

    Open the MMC snap-in Active Directory Users and Computers

    Right click on the Users folder and select New > Group from the menu.

    Figure 7.53. 

    Enter the name for the new group.

    Figure 7.54. 

    Add all authorized users to this group. Note: It's possible to add users from different Organizational Units to this group.

    Figure 7.55. 

  2. Configure LDAP authentication with group based access control

    Open the HTTP Proxy GUI page, select LDAP from the section Authentication method and hit Save.

    Note

    If you are configuring LDAP authentication for the first time, Advanced Proxy may complain about the missing LDAP Base DN.

    Now enter the following LDAP settings into the Advanced Proxy GUI:

    Base DN

    The start where the LDAP search begins

    LDAP type

    Active Directory

    LDAP Server

    The IP address of your Windows LDAP Server

    Port

    The port your Windows Server listens to LDAP requests

    Bind DN username

    The LDAP DN of the Bind DN user

    Bind DN password

    The password for the Bind DN user

    Required group

    The DN for a group with authorized user accounts

    Figure 7.56. 

    Save the settings and restart the Advanced Proxy by clicking the Save and restart button. From now on, only members of the given group will be able to access the proxy ...