JimHubbard asked:

Router to external proxy?

I want to set up a router at a sales office, block all traffic except for ports 80 & 443 and have all port 80/443 run through an external (off-site) proxy.

Are there any routers that can block all ports except 80 & 443 and then send all of that traffic to an off-site proxy?

ASKER CERTIFIED SOLUTION
Joesmail

SOLUTION
Les Moore

Joesmail

Totally agree with Irmoore,

A very good point to make. The upstream proxy would have to allow you to route to it directly. If this upstream proxy is external (at a third-party ISP) this might/probably won't work unless you have a direct route to it.




Even if the off-site proxy is not adjacent, you can try to use "ip next-hop recursive". Quote: "If the recursive next-hop IP address is not available, packets are routed using a default route."
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch20/h_12spbr.htm

Of course, the packet cannot be modified in any way en route to its destination.
JimHubbard

ASKER

Is there a less expensive router that can be used to accomplish this?

The goal is to give internet access to the remote location but to filter out porn and stuff using our home office proxy/filter.  There is only a Netgear wireless router there at this time (not even a PC) for the agents to use with their laptops.

The laptops (max surfers probably 30 - if sponsoring a meeting) are the property of the agents - so we don't want to require that they place filtering software on them (and we couldn't enforce that anyway on their personal equipment).  And, placing a PC in each location to do filtering could run upwards of $1000 - with a high probability of theft or tinkering.

I really thought that there might be a less expensive solution (like a simple, inexpensive wireless router that could route all traffic directly to our proxy) to allow us to just make sure that nothing was being surfed that may offend potential clients.  Yes - we've had it happen before.  And, although we can fire the agents involved - that doesn't mean we can still close the client.

If you give them access to your filter, can't you just change their proxy address in their browsers or their local PCs using proxycfg?

proxycfg -d -p myProxyServer:80 "<local>"
http://support.microsoft.com/kb/289481
At least when you configure a proxy address (FIRST OPTION above) you can block all http and https traffic going out of the current wireless device and only allow the proxy port and server you have configured at your head office.

If you still want an inexpensive wireless router you might consider purchasing a Wireless VPN router.  Set it up so they are just another subnet of your main office and all traffic has to go through your main office.  This will require one at the main office as well.
e.g.
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1118334818934&pagename=Linksys%2FCommon%2FVisitorWrapper

remote office--------->Linksys------------------------------>yourMainOffice-FILTER----------------------------------->internet
                         VPN ONLY TO HEAD OFFICE.

This option is still more work than the first.
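
The "block everything except the configured proxy" lockdown from the first option above, sketched for a Linux-based router as an added example that is not part of the original thread. The interface name, subnet and proxy address are constructed placeholders, and the proxy port follows the myProxyServer:80 example.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for a
# Linux-based office router so LAN clients can reach only the head-office proxy.
# Interface, subnet and proxy address used below are constructed placeholders.

# usage: gen_proxy_only_rules LAN_IF LAN_NET PROXY_IP PROXY_PORT
gen_proxy_only_rules() {
    lan_if=$1; lan_net=$2; proxy_ip=$3; proxy_port=$4

    # Reject malformed input rather than emit a ruleset that fails open.
    case $proxy_port in
        ''|*[!0-9]*) echo "bad port: $proxy_port" >&2; return 1 ;;
    esac
    if [ "$proxy_port" -lt 1 ] || [ "$proxy_port" -gt 65535 ]; then
        echo "port out of range: $proxy_port" >&2; return 1
    fi
    # Require an IPv4 literal: a hostname would be resolved once at load time
    # and silently pin whatever address DNS returned then.
    case $proxy_ip in
        ''|*[!0-9.]*) echo "proxy must be an IPv4 literal: $proxy_ip" >&2; return 1 ;;
    esac

    # FORWARD defaults to DROP. INPUT/OUTPUT are left at ACCEPT here; lock down
    # the router's own services separately.
    # No DNS or port-443 rule is needed: with an explicit proxy the proxy resolves
    # names, and HTTPS travels to the same proxy port via CONNECT.
    # IPv6 needs its own default-drop ruleset loaded with ip6tables-restore.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -s $lan_net -d $proxy_ip -p tcp --dport $proxy_port -j ACCEPT
-A FORWARD -i $lan_if -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Print the ruleset when called with four arguments, e.g.
#   sh proxy-only.sh eth1 192.168.1.0/24 203.0.113.10 80 | iptables-restore --test
if [ $# -eq 4 ]; then
    gen_proxy_only_rules "$@"
fi
```

Laptops that are not configured to use the proxy get an immediate ICMP rejection instead of a timeout, which makes the missing browser setting easy to spot.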

Hi,

If your customer can do the following:

1- Separate the intranet (office) from the Internet.

2- Put a server connected to both networks (Windows or Linux)

3- Run on the dual-homed server a proxy server S/W (e.g. Windows Proxy or any freeware like Apache)

4- Now, on the proxy server you can put access lists, etc. to block sites, or you may buy commercial filtering S/W. Or, if your ISP has a proxy service, you may configure the proxy server to point to it.

5- All the PCs on the intranet (office) can configure their browsers to use the proxy server on the dual-homed server.