Solved

Best Way to Setup Windows-based Proxy / Content Filtering Server?

Posted on 2008-11-03
Last Modified: 2013-11-22
I want to set up a Windows-based transparent proxy server. If Windows is not the best way to go let me know.

I want to accomplish this:
Control over Port 80 (hopefully block some spyware/malware), possibly even cloak 80 and use 8181 or something.
HTTP/HTTPS Proxy
Web Caching
Web Content Filtering
Some form of QoS to control bandwidth
Simple Network Monitoring (SNMP, Netflow)

What would be the best software to get this done with, and what would be your recommendation?  I've seen some Windows based products such as WinProxy or CCProxy and they look okay...
I've also seen some linux products such as Squid or DansGuardian which look promising.  What do you think?
Question by:danielevans83

14 Comments
LVL 5

Expert Comment

by:AC_Nova
ID: 22865627
I would go with ISA 2006 from Microsoft.  Our company uses ISA as a back-end firewall as part of the DMZ - very good - easy to use and has excellent documentation.

Content filtering add-on - Websense

www.isaserver.org

http://www.microsoft.com/isaserver/prodinfo/features.mspx

Author Comment

by:danielevans83
ID: 22865655
Is this an economically feasible solution for a small business with under 100 employees?
LVL 5

Expert Comment

by:AC_Nova
ID: 22865666
If you already have a server that can do the job then the software is around 1000 GBP.
Author Comment

by:danielevans83
ID: 22872118
Are there any alternatives to MS software that are Windows based?  I prefer not to use MS products if I can help it.  I'd ultimately prefer a Squid Linux box set up if any linux guys are available on EE but if it will be a Windows box are there any other Windows options?

Author Comment

by:danielevans83
ID: 22886905
Oh nevermind, we have a copy of ISA 2006 might as well use it.

How complicated is it to set up the NIC cards? I'd be stringing this in between a router and switch that are using 802.1Q port tagging most likely, so the NIC would need to be configured as such as well.

If I can get the NICs set up right then I can start testing the ISA.
LVL 5

Expert Comment

by:AC_Nova
ID: 22887060
The VLANs have to be included in the Internal network.

"Networks" are configured from ISA's point of view, so if you have a "Network Behind a Network", or access to internal subnets through an internal router, then logically all of those subnets are accessible through the same interface, from ISA's point of view.

After this is defined, you then create Subnet objects (or Computer Sets or Computer objects) for your internal segments and then define Access Policies to these Subnets.

Network card configuration...

On the internal (facing the LAN) use internal DNS servers and no gateway.
On the external (facing the router) use no DNS and a gateway of the router.
This is an edge firewall setup. If you have a firewall on your router you could set up a DMZ (depending on what apps you're using) and have the ISA as a back-end firewall.

If you are using three network cards:

set up a 3-leg perimeter network

set up your rules accordingly.
back-firewall.JPG
3leg-5B2-5D.jpg
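Added example, not code from the thread or from Microsoft's ISA documentation: a PowerShell script that applies the two-NIC addressing described in the comment above (internal NIC with internal DNS and no gateway, external NIC with the router as gateway and no DNS), adds persistent routes for subnets reached through an internal router, and checks that only one default route resulted. It calls netsh and route.exe so it also runs on the Windows Server 2003/2008 hosts ISA 2006 runs on; every interface name, address and subnet is an assumed placeholder.

```powershell
# Constructed example: edge ISA 2006 host with two NICs. All names/addresses are assumed.
$internalNic  = "Internal"        # NIC facing the core switch / LAN
$externalNic  = "External"        # NIC facing the router
$internalAddr = "192.168.10.2"    # ISA's LAN-side address (clients point their gateway here)
$internalMask = "255.255.255.0"
$internalDns  = "192.168.10.10"   # internal DNS server
$externalAddr = "203.0.113.2"     # transit address between ISA and the router
$externalMask = "255.255.255.0"
$routerAddr   = "203.0.113.1"     # router's LAN-side address: ISA's ONLY default gateway
# "Network behind a network": subnets reached via an internal router need persistent static
# routes, because the internal NIC deliberately carries no default gateway.
$behindRouter = @{ "192.168.20.0" = "192.168.10.1"; "192.168.30.0" = "192.168.10.1" }

# Internal NIC: static address, internal DNS, and explicitly NO default gateway.
netsh interface ip set address "name=$internalNic" source=static "addr=$internalAddr" "mask=$internalMask" gateway=none
netsh interface ip set dns     "name=$internalNic" source=static "addr=$internalDns"

# External NIC: static address, gateway = router, and NO DNS servers.
netsh interface ip set address "name=$externalNic" source=static "addr=$externalAddr" "mask=$externalMask" "gateway=$routerAddr" gwmetric=1
netsh interface ip set dns     "name=$externalNic" source=static addr=none

# Persistent (-p) routes to the internal subnets that sit behind the internal router.
foreach ($subnet in $behindRouter.Keys) {
    route -p add $subnet mask 255.255.255.0 $behindRouter[$subnet]
}

# Check: a dual-NIC host must end with exactly ONE default route, and it must go to the router.
# A gateway on both NICs leaves Windows with two default routes and makes forwarding unpredictable.
$defaults = @(route print | Select-String '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)')
if ($defaults.Count -ne 1) {
    Write-Warning "Expected exactly one default route, found $($defaults.Count); check the gateway settings above"
} elseif ($defaults[0].Matches[0].Groups[1].Value -ne $routerAddr) {
    Write-Warning "Default route does not point at the router ($routerAddr)"
}
# Addressing only gets packets to ISA: ISA 2006 denies client traffic until an access rule
# allows it, so a desktop behind it has no connectivity until the rules are defined.
```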

Author Comment

by:danielevans83
ID: 22890077
We currently have no DMZ setup but are using a Cisco 2811 router with CBAC firewall enabled. There are 2 data VLANs and 1 phone VLAN defined on the router that travel through the trunk port I'm talking about.

Would I be able to set up a single wire from the router to the NIC, and set the NIC for port tagging? If so what IP would I give the machine, or how would I give the machine an IP? Since the port the other NIC plugs into is a trunk that would also need to be 802.1Q.

Or would I need to have a single wire coming from each data subnet I want to protect?

My assumption is this: I need to set both NIC cards to 802.1Q port tagging, and somehow give the PC a "virtual IP" on one of those subnets to access it by. Similar to setting up a switch that uses 802.1Q. Is that accurate? If not how do you set up the NICs logically?
LVL 5

Expert Comment

by:AC_Nova
ID: 22893178
When you enable VLAN tagging on the ISA Firewall's NIC(s), each VLAN will appear on the ISA Firewall as a different logical NIC.

Then within ISA define the scope of the internal network so that it has connectivity to the various VLANs.

On the internal switches make the default gateway for all the VLANs the internal NIC of the ISA server.

Author Comment

by:danielevans83
ID: 22897275
After defining both NICs for VLAN tagging, how would I access the box at all? Currently it has a statically defined IP, but with tagging enabled it does not have an IP. This is my biggest confusion about setting this up. How would I still define an IP for it so that I can remote desktop to it from the network on just one of the subnets?

Currently the default gateway for all VLANs is our router, and each subnet has an IP defined in that IP range all pointing to the same device, the router. So the logical interfaces on the router have the gateway IP's defined on them, not my switches.

I plan to wire this in behind the router and in front of our "core" switch. Would this involve me taking the IP settings off the Cisco router and defining each subnet's gateway as the ISA server's logical IP? Would that interfere with the Cisco router doing any routing? Am I understanding you correctly?
LVL 5

Expert Comment

by:AC_Nova
ID: 22904615
Can all your separate VLANs communicate with each other or are they isolated?

Author Comment

by:danielevans83
ID: 22908246
I have an ACL allowing certain IPs to communicate with other subnets, but overall they are isolated.

Author Comment

by:danielevans83
ID: 22908449
Just to try to get this working, I've wired it in between my desktop and the port on the wall.  I have the NICs set up as AC_Nova suggested, with the Router NIC going towards the port on the wall, and the Switch NIC going towards my desktop.

I had to assign an IP to each NIC so the server technically has two IPs. From the ISA server I can ping the internet and ping internal LAN users. When connecting through my desktop however I have no network connectivity, even when changing my desktop's Gateway to the ISA Server's IP.

How would I get basic connectivity to work? Forget 802.1Q for right now; I want to get this functional with just a single desktop with one subnet, then work on bringing the rest into it.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22909445
Daniel, I work in the ISA team and AC Nova has suggested I might be able to get involved in this one with you both - I am going to take this back a number of steps so that I can ask a number of questions before moving forwards again. I am in the UK so our time zones will be slightly off.

I note that the original question asked for recommendations but the question has now changed to how to setup an environment/network scenario so it has expanded quite a lot.

I agree with the recommendation made above - ISA server is likely the best product on the market to get a firewall and an application gateway/reverse proxy in one system. SBS Premium came with ISA server and this had a maximum of 75 users (SBS 2003) so 100 users is certainly in the range. ISA can actually handle up to 10000 users per node as it is extremely scalable. You mentioned that you were looking for a proxy server so I assume you do not need to use ISA as a firewall? Can you confirm?

What are the switches you are using?
What version of ISA server are you using?

Keith
ISA MVP



Accepted Solution

by: danielevans83 earned 0 total points
ID: 22927183
It couldn't hurt to use ISA as a back end firewall but currently I'd just like to get it set up as a proxy server with possibly web content filtering and web caching.

We have a DLink DGS-3048 serving as the core of our network behind a Cisco 2811 Router. Branching off of the DLink like a wheel are a 3com 4500, 3com 4400, and two Dell Powerconnect 3248's.

We're MS Partners so we own all versions of ISA for training purposes. I had installed 2006 on a test server and was playing around with it trying to get it set up.

I've heard of two different ways to set up a proxy: as a node with a single NIC, or with dual NICs and wiring it physically in between the router and switch. The latter is what I'd like to accomplish.

The wire connecting our Router and Core Switch has port tagging 802.1Q enabled, so the proxy will be looking at two data subnets and also a VOIP subnet. I'd obviously like to ignore the VOIP subnet but proxy the two data subnets (one for our staff and another for our contractors).

My issue right now is just getting the physical wiring of it in between the router and switch to pass through data. I've heard that I'd need to set this proxy server as my subnets' gateway and basically have it do the routing instead of the Router. Accurate or no?

Is that confusing or does that paint a better picture of what I'm trying to accomplish?