Firewall Wizards mailing list archives
Re: Forcing All Web traffic through a remote proxy.
From: "Behm, Jeffrey L." <BehmJL () bv com>
Date: Fri, 20 Oct 2006 12:57:15 -0500
This client is also split among multiple locations. The catch is that all web surfing comes back to the main office (OK, one of three main hub offices) and exits the network there through the proxy server (one proxy server in each of the three "main" locations). The remote sites utilize site-to-site IPSec VPN to connect back to the main office.

The upside to that is that web surfing is centrally managed (via content filtering on the proxy server) and logged (web usage reporting). The downside is that web surfing traffic all converges into the main office, so the loss ends up being the ability to distribute web surfing traffic across all those Internet connections (i.e. the loss is a bunch of distributed bandwidth).

Jeff

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Craig Van Tassle
Sent: Thursday, October 19, 2006 3:08 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Forcing All Web traffic through a remote proxy.

That is the plan we are going to move to eventually, but for now it's manually set through the group policy. Let me give you a little bit more of a layout.

site1-<>vpn<>internet<>main office
site2-<>vpn<>internet<>-^
site3-<>vpn<>internet<>-^

As you can see, we don't have a single Internet firewall; if it was all in one location then yeah, that would be easy to do, but we are split up across multiple locations.

Behm, Jeffrey L. wrote:
For one client of ours, we blocked all outbound port 80 traffic at the Internet firewall (with some exceptions, as usual!), and then use an "automatic configuration script" that is on the HTTP proxy. When the browser fires up on the end-user PC, it first contacts the proxy server to retrieve the .pac file (auto config script), and based on where it is headed and/or where it came from, it is directed to one of three HTTP proxy servers. Using the auto config script allows us to centrally manage where PCs go for web surfing (via changes to the .pac file). It's the block of direct port 80 access at the Internet firewall that "forces" the PCs to comply with use of the script. I guess they could do manual entry of the proxy settings, but most end users don't quite get how to do that. Additionally, use of Active Directory group policy "resets" the proxy settings on a regular basis to "force" use of the .pac file.

Here's a Microsoft TechNet article on Automatic Proxy.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ierk/Ch21_b.mspx?mfr=true

It talks about using Automatic Configuration and Automatic Proxy. We are using the latter only. The proxy you are directed to does not *have* to be a Microsoft proxy. We have some traffic head to a squid proxy on a Solaris machine (long story).

Hope this helps,
Jeff

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Craig Van Tassle
Sent: Tuesday, October 17, 2006 10:36 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Forcing All Web traffic through a remote proxy.

I have several sites and I would like to force all traffic through a remote proxy at one site. I was thinking of setting up some form of NAT rules for pushing everything through our proxy. How would something like that be implemented? Or what are other thoughts?

Thanks,
Craig
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
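
The .pac routing described in the thread above, sketched as an added example that is not part of the original posts or any participant's configuration: the browser's source subnet picks the nearest of three hub proxies, with the other two as failover. The proxy host names, port, site subnets and internal domain are constructed, and `chooseProxy`, `ipToInt` and `inNet` are hypothetical helper names.

```javascript
// Added example PAC file. Every address, host name and port is constructed.
var HUBS = ["proxy-a.corp.example:8080", "proxy-b.corp.example:8080",
            "proxy-c.corp.example:8080"];
// Hypothetical site subnets; "hub" is the index of the nearest hub proxy.
var SITES = [
  { net: "10.1.0.0", mask: "255.255.0.0", hub: 0 },
  { net: "10.2.0.0", mask: "255.255.0.0", hub: 1 },
  { net: "10.3.0.0", mask: "255.255.0.0", hub: 2 }
];
var INTERNAL_SUFFIX = ".corp.example";

// Dotted quad to unsigned 32-bit integer; NaN for anything malformed.
function ipToInt(ip) {
  var parts = String(ip).split("."), n = 0;
  if (parts.length !== 4) return NaN;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return NaN;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Stand-in for the PAC built-in isInNet(), so the logic also runs outside a browser.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), m = ipToInt(mask);
  return !isNaN(a) && ((a & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function chooseProxy(clientIp, host) {
  host = String(host).toLowerCase();
  // Intranet names stay on the VPN and never touch the proxies.
  if (host.indexOf(".") === -1 ||
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  var first = 0; // unknown or malformed client address: default to hub 0
  for (var i = 0; i < SITES.length; i++) {
    if (inNet(clientIp, SITES[i].net, SITES[i].mask)) first = SITES[i].hub;
  }
  // Nearest hub first, the other hubs as failover. No trailing DIRECT: if every
  // hub is down the request fails rather than leaving unfiltered and unlogged.
  var out = [];
  for (var j = 0; j < HUBS.length; j++)
    out.push("PROXY " + HUBS[(first + j) % HUBS.length]);
  return out.join("; ");
}

// Entry point the browser calls; myIpAddress() is a PAC built-in.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

The script only steers browsers; as the thread notes, it is the firewall block on direct port 80 that enforces proxy use.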