Proxy Appliance

[IcemanND]

Does anyone have any suggestions for a proxy server/appliance?

What I have is a group of machines which we have restricted to being able to access local resources only. The problem is that there are three external webs sites that we need to be able to access. I am not able to whitelist just those sites with the method we currently have deployed but I could use a proxy server. Hence my question. The only thing I need the proxy to do is allow access to the three desired sites, caching and authentication is not required.

I have tested it with our primary proxy server so I know it will work, but I don't have access to or control over the existing proxy so I would have to configure my own.

Any help or suggestions greatly appreciated.

[tain]

You would really buy an appliance just for this?

Much cheaper to run a proxy on an existing server. Depending on your architecture, you can could run ISA, Squid, etc...

[IcemanND]

for this location we there isn't an existing server to use. I would have to buy a piece of hardware to install the proxy app on as it is. Just seemed to be easier if I could just slap it in the rack above the switches and then forget about it once configured.

[tain]

Well I don't think you'll find many appliances that are simply proxies. Most will bundle in other functionality like a firewall. Perhaps Blue Coat?

Some vendors you might like are SonicWall, Cisco (PIX), SnapGear and WatchGuard.

[cluberti]

Are you able to force the use of a proxy autoconfig script? If so, you could bypass the proxy and only allow access to the whitelisted sites in the script. Otherwise, you'll be stuck with a firewall that can proxy with an appliance.

[IcemanND]

A PAC might work. I've never had the need to do such, but from what I have found so far It might work.

Have any sites I can look at for examples or good documentation?

[cluberti]

A PAC might work. I've never had the need to do such, but from what I have found so far It might work.

Have any sites I can look at for examples or good documentation?

Sure - here's one of my .js template files I keep that allows access to specific sites on any protocol, allows access to a specific site only via https, and blocks everything else on every protocol:

// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ //
//									   //
// Very basic proxy autoconfig script	//
//									   //
// Author:  cluberti@cluberti.com		//
//									   //
// Created:  4/21/2004				   //
//									   //
// Last Modified:  6/11/2006			 //
//									   //
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ //


function FindProxyForURL(url, host)
{
	// See if we match "google.com" on
	// any protocol:
	if (shExpMatch(host, "google.com"))
		// if so, pass the packets
		// directly to the internet:
		return "DIRECT";
	else

	// See if we match "*.google.com" on
	// any protocol:
	if (shExpMatch(host, "*.google.com"))
		// if so, pass the packets
		// directly to the internet:
		return "DIRECT";
	else

	// See if we match the URL string
	// [url="https://mail.server.com"]https://mail.server.com[/url] (with any
	// trailing page):
	if (shExpMatch(host, "https://mail.server.com", "*/*"))
		// if so, allow https traffic to
		// any subpages on this site (*/*):
		return "DIRECT";
	else


	// Rules to send all other traffic
	// to port 4321 on localhost, which
	// will have nothing listening and
	// thus will display a "Page could
	// not be displayed" error in the
	// user's browser:

	// http block rule:
	if (url.substring(0, 5) == "http:")
		return "PROXY 127.0.0.1.4321";
	else

	// ftp block rule:
	if (url.substring(0, 4) == "ftp:")
		return "PROXY 127.0.0.1:4321";
	else

	// gopher block rule:
	if (url.substring(0, 7) == "gopher:")
		return "PROXY 127.0.0.1:4321";
	else

	// https block rule
	if (url.substring(0, 6) == "https:")
		return "PROXY 127.0.0.1.4321";
	else


	// anything that doesn't match the
	// rules above, also block:
	return "PROXY 127.0.0.1:4321";
}

You can find more here, too:

http://wp.netscape.com/eng/mozilla/2.0/rel...proxy-live.html

http://www.microsoft.com/technet/prodtechn...k.mspx?mfr=true

http://www.microsoft.com/technet/prodtechn...s.mspx?mfr=true

http://java.sun.com/j2se/1.4.2/docs/guide/...xie_config.html

[IcemanND]

Thanks for the info. Looks like this ill work if I can work one thing out. The existing proxy server we have requires authentication. Is there a way to automatically pass the windows credentials to authenticate?

EDIT: Ok, the real question is how do I get IE to ask for authentication, or use the windows auth. It works as I would have expected in Firefox and asks for authentication. IE just gives an error.

Proxy Authentication Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

EDIT 2: Seems to be a setting being dumped to my machine via domain GPO. Now I get to try and track it down.

[IcemanND]

ok, so I have a working script, at least for FF. Anyone have any idea what setting I am missing to get IE to prompt for authentication, or use the windows authentication automatically? Once I can get that to work I can be done with this, until next year.

[cluberti]

What type of auth is the proxy server using? IE will try to auth with user creds first unless it gets a proxy response specifying auth method - what does a network trace from the client show after the proxy sends the 401?

[IcemanND]

Since that is not my department I'm not sure. but I'll see what I can find out. It works fine if I don't use the script. If I put the proxy address in it stops and asks for authentication, but then they have access to anything, which we don't want. If I use the same server info and use a script to only allow the two desired sites I get no authentication.

This only is happening with IE.

[cluberti]

I am specifically interested in the 401.2 response from your proxy server after the anon request from the client, and what WWW-Authenticate header is sent from the proxy.