IcemanND Posted September 10, 2007

Does anyone have any suggestions for a proxy server/appliance?

What I have is a group of machines which we have restricted to being able to access local resources only. The problem is that there are three external web sites that we need to be able to access. I am not able to whitelist just those sites with the method we currently have deployed, but I could use a proxy server. Hence my question. The only thing I need the proxy to do is allow access to the three desired sites; caching and authentication are not required.

I have tested it with our primary proxy server so I know it will work, but I don't have access to or control over the existing proxy so I would have to configure my own.

Any help or suggestions greatly appreciated.

tain Posted September 18, 2007

You would really buy an appliance just for this?

Much cheaper to run a proxy on an existing server. Depending on your architecture, you could run ISA, Squid, etc...

IcemanND Posted September 19, 2007

For this location there isn't an existing server to use. I would have to buy a piece of hardware to install the proxy app on as it is. Just seemed to be easier if I could just slap it in the rack above the switches and then forget about it once configured.

tain Posted September 19, 2007

Well I don't think you'll find many appliances that are simply proxies. Most will bundle in other functionality like a firewall. Perhaps Blue Coat?

Some vendors you might like are SonicWall, Cisco (PIX), SnapGear and WatchGuard.

cluberti Posted September 19, 2007

Are you able to force the use of a proxy autoconfig script? If so, you could bypass the proxy and only allow access to the whitelisted sites in the script. Otherwise, you'll be stuck with a firewall that can proxy with an appliance.

IcemanND Posted September 20, 2007

A PAC might work. I've never had the need to do such, but from what I have found so far it might work. Have any sites I can look at for examples or good documentation?

cluberti Posted September 20, 2007

> A PAC might work. I've never had the need to do such, but from what I have found so far it might work. Have any sites I can look at for examples or good documentation?

Sure - here's one of my .js template files I keep that allows access to specific sites on any protocol, allows access to a specific site only via https, and blocks everything else on every protocol:

```javascript
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ //
//                                       //
//  Very basic proxy autoconfig script   //
//                                       //
//  Author: cluberti@cluberti.com        //
//                                       //
//  Created: 4/21/2004                   //
//                                       //
//  Last Modified: 6/11/2006             //
//                                       //
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ //

function FindProxyForURL(url, host)
{
    // See if we match "google.com" on
    // any protocol:
    if (shExpMatch(host, "google.com"))
        // if so, pass the packets
        // directly to the internet:
        return "DIRECT";
    else
    // See if we match "*.google.com" on
    // any protocol:
    if (shExpMatch(host, "*.google.com"))
        // if so, pass the packets
        // directly to the internet:
        return "DIRECT";
    else
    // See if we match the URL string
    // https://mail.server.com (with any
    // trailing page). shExpMatch takes two
    // arguments and host carries no scheme,
    // so the match is made against url:
    if (shExpMatch(url, "https://mail.server.com/*"))
        // if so, allow https traffic to
        // any subpages on this site:
        return "DIRECT";
    else
    // Rules to send all other traffic
    // to port 4321 on localhost, which
    // will have nothing listening and
    // thus will display a "Page could
    // not be displayed" error in the
    // user's browser:

    // http block rule:
    if (url.substring(0, 5) == "http:")
        return "PROXY 127.0.0.1:4321";
    else
    // ftp block rule:
    if (url.substring(0, 4) == "ftp:")
        return "PROXY 127.0.0.1:4321";
    else
    // gopher block rule:
    if (url.substring(0, 7) == "gopher:")
        return "PROXY 127.0.0.1:4321";
    else
    // https block rule:
    if (url.substring(0, 6) == "https:")
        return "PROXY 127.0.0.1:4321";
    else
    // anything that doesn't match the
    // rules above, also block:
        return "PROXY 127.0.0.1:4321";
}
```

You can find more here, too:

http://wp.netscape.com/eng/mozilla/2.0/rel...proxy-live.html
http://www.microsoft.com/technet/prodtechn...k.mspx?mfr=true
http://www.microsoft.com/technet/prodtechn...s.mspx?mfr=true
http://java.sun.com/j2se/1.4.2/docs/guide/...xie_config.html

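An added example, not part of cluberti's post or template: the same default-deny allow-list written as a data table, with a stand-in for the browser's shExpMatch helper so the decisions can be checked offline in Node against constructed URLs, including look-alike host names. The ALLOW table, the decide() helper and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the thread). Stand-in for the browser's PAC
// helper shExpMatch (shell globs * and ?); Node has no PAC built-ins.
function shExpMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Constructed allow-list: host glob plus the schemes permitted for it.
var ALLOW = [
  { host: "google.com",      schemes: "http https ftp" },
  { host: "*.google.com",    schemes: "http https ftp" },
  { host: "mail.server.com", schemes: "https" }
];
var BLOCK = "PROXY 127.0.0.1:4321"; // dead port on localhost, as in the post

// Default-deny: only an explicit host + scheme match returns DIRECT.
function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  var h = host.toLowerCase().replace(/\.$/, ""); // fold case, drop root dot
  for (var i = 0; i < ALLOW.length; i++) {
    var schemeOk = (" " + ALLOW[i].schemes + " ").indexOf(" " + scheme + " ") !== -1;
    if (schemeOk && shExpMatch(h, ALLOW[i].host)) return "DIRECT";
  }
  return BLOCK;
}

// Harness (hypothetical helper): derive host the way a browser would.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed sample URLs, including look-alike hosts that must not match.
var SAMPLES = [
  "http://google.com/",
  "https://www.google.com/search?q=pac",
  "https://mail.server.com/inbox",
  "http://mail.server.com/inbox",
  "http://evilgoogle.com/",
  "http://google.com.example.net/",
  "https://example.org/"
];
for (var j = 0; j < SAMPLES.length; j++) {
  console.log(decide(SAMPLES[j]) + "  " + SAMPLES[j]);
}
```

Only ALLOW, BLOCK and FindProxyForURL belong in a deployed .pac file; they are written in older-style JavaScript because some PAC engines do not accept newer syntax.
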
IcemanND Posted September 27, 2007

Thanks for the info. Looks like this will work if I can work one thing out. The existing proxy server we have requires authentication. Is there a way to automatically pass the Windows credentials to authenticate?

EDIT: Ok, the real question is how do I get IE to ask for authentication, or use the Windows auth. It works as I would have expected in Firefox and asks for authentication. IE just gives an error.

Proxy Authentication Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

EDIT 2: Seems to be a setting being dumped to my machine via domain GPO. Now I get to try and track it down.

IcemanND Posted October 16, 2007

OK, so I have a working script, at least for FF. Anyone have any idea what setting I am missing to get IE to prompt for authentication, or use the Windows authentication automatically? Once I can get that to work I can be done with this, until next year.

cluberti Posted October 16, 2007

What type of auth is the proxy server using? IE will try to auth with user creds first unless it gets a proxy response specifying auth method - what does a network trace from the client show after the proxy sends the 401?

IcemanND Posted October 16, 2007

Since that is not my department I'm not sure, but I'll see what I can find out. It works fine if I don't use the script. If I put the proxy address in it stops and asks for authentication, but then they have access to anything, which we don't want. If I use the same server info and use a script to only allow the two desired sites I get no authentication.

This only is happening with IE.

cluberti Posted October 17, 2007

I am specifically interested in the 401.2 response from your proxy server after the anon request from the client, and what WWW-Authenticate header is sent from the proxy.