Solved

Best Way to Setup Windows-based Proxy / Content Filtering Server?

Posted on 2008-11-03
3,769 Views
Last Modified: 2013-11-22
I want to set up a Windows-based transparent proxy server. If Windows is not the best way to go let me know.

I want to accomplish this:
Control over Port 80 (hopefully block some spyware/malware), possibly even cloak 80 and use 8181 or something.
HTTP/HTTPS Proxy
Web Caching
Web Content Filtering
Some form of QoS to control bandwidth
Simple Network Monitoring (SNMP, Netflow)

What would be the best software to get this done with, and what would be your recommendation?  I've seen some Windows based products such as WinProxy or CCProxy and they look okay...
I've also seen some linux products such as Squid or DansGuardian which look promising.  What do you think?
Question by:danielevans83
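As an added example (not from the thread, and not the ISA route the replies below take), this is the Squid side of the Linux option the question floats, written in the Squid 2.6/2.7 syntax current in 2008 and covering each item on the list above: explicit and intercepted HTTP proxying, on-disk caching, a domain blocklist plus a crude block on executables fetched over plain HTTP, a per-client bandwidth cap, and a read-only SNMP port. The subnets, file paths, cache sizes, community string and monitoring host are assumptions.

```conf
# squid.conf -- added example for the Squid/DansGuardian option, not from the thread.
# Squid 2.6/2.7 syntax (2008); on Squid 3.1+ write "intercept" instead of "transparent".

# Explicit proxy port for browsers (hand out via WPAD or group policy) and an
# intercept port that the router or a local NAT rule redirects port-80 traffic to.
http_port 3128
http_port 8181 transparent

# Web caching: 4 GB on disk, 256 MB in memory (sizes are assumptions)
cache_dir ufs /var/spool/squid 4096 16 256
cache_mem 256 MB
access_log /var/log/squid/access.log squid

# Assumed internal data subnets (staff and contractors); the VoIP VLAN is never sent here
acl localnet src 192.168.10.0/24 192.168.20.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Content filtering: one domain per line in the blocklist file (e.g. ".ads.example"),
# plus a crude block on executables fetched over plain HTTP, a common dropper pattern
acl blocked_sites dstdomain "/etc/squid/blocked_domains.txt"
acl exe_download urlpath_regex -i \.(exe|scr|pif|bat|cmd)$

# Rule order matters: the first matching http_access line wins
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access deny exe_download
http_access allow localnet
http_access deny all

# QoS: a class 2 pool has an aggregate limit plus a per-client-address limit.
# -1 means unlimited; 65536/65536 caps each client at 64 KB/s once its bucket drains.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 65536/65536
delay_access 1 allow localnet
delay_access 1 deny all

# Monitoring: Squid's built-in SNMP agent, read-only, only from the assumed NMS host
snmp_port 3401
acl nms src 192.168.10.5
acl snmp_ro snmp_community sq-monitor
snmp_access allow snmp_ro nms
snmp_access deny all
```

Two caveats a deployment needs. The `transparent` port only does anything if port-80 traffic is actually steered to it (on the Squid host itself, an iptables REDIRECT rule in the nat PREROUTING chain; from a Cisco router, WCCP or policy routing), and it covers HTTP only: HTTPS is proxied as CONNECT when browsers are configured for the explicit port, but it cannot be transparently intercepted, cached or content-filtered this way, so the "control over port 80" goal is realistic while port 443 stays opaque. DansGuardian adds phrase and content-type inspection that Squid's ACLs do not do; it sits in front of Squid (browsers point at DansGuardian, which forwards to port 3128), so the blocklist above is the floor, not the whole filter.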
14 Comments
 

Expert Comment

by:AC_Nova
I would go with ISA 2006 from Microsoft. Our company uses ISA as a back-end firewall as part of the DMZ - very good - easy to use and has excellent documentation.

Content filtering add-on: Websense

www.isaserver.org

http://www.microsoft.com/isaserver/prodinfo/features.mspx

Author Comment

by:danielevans83
Is this an economically feasible solution for a small business with under 100 employees?

Expert Comment

by:AC_Nova
If you already have a server that can do the job, then the software is around 1000 GBP.

Author Comment

by:danielevans83
Are there any alternatives to MS software that are Windows based?  I prefer not to use MS products if I can help it.  I'd ultimately prefer a Squid Linux box set up if any linux guys are available on EE but if it will be a Windows box are there any other Windows options?

Author Comment

by:danielevans83
Oh, never mind, we have a copy of ISA 2006; might as well use it.

How complicated is it to set up the NIC cards? I'd be stringing this in between a router and switch that are using 802.1Q port tagging most likely, so the NIC would need to be configured as such as well.

If I can get the NICs set up right then I can start testing the ISA.

Expert Comment

by:AC_Nova
The VLANs have to be included in the Internal network.

"Networks" are configured from ISA's point of view, so if you have a "Network Behind a Network", or access to internal subnets through an internal router, then logically all of those subnets are accessible through the same interface, from ISA's point of view.

After this is defined, you then create Subnet objects (or Computer Sets or Computer objects) for your internal segments and then define Access Policies to these Subnets.

Network card configuration...

On the internal NIC (facing the LAN) use internal DNS servers and no gateway.
On the external NIC (facing the router) use no DNS and a gateway of the router.
This is an edge firewall setup. If you have a firewall on your router you could set up a DMZ (depending on what apps you're using) and have the ISA as a back-end firewall.

If you are using three network cards, set up a 3-leg perimeter network and set up your rules accordingly.
[Attached diagrams: back-firewall.JPG, 3leg-5B2-5D.jpg]

Author Comment

by:danielevans83
We currently have no DMZ setup but are using a Cisco 2811 router with CBAC firewall enabled. There are 2 data VLANs and 1 phone VLAN defined on the router that travel through the trunk port I'm talking about.

Would I be able to set up a single wire from the router to the NIC, and set the NIC for port tagging? If so what IP would I give the machine, or how would I give the machine an IP? Since the port the other NIC plugs into is a trunk that would also need to be 802.1Q.

Or would I need to have a single wire coming from each data subnet I want to protect?

My assumption is this: I need to set both NIC cards to 802.1Q port tagging, and somehow give the PC a "virtual IP" on one of those subnets to access it by. Similar to setting up a switch that uses 802.1Q. Is that accurate? If not how do you set up the NICs logically?

Expert Comment

by:AC_Nova
When you enable VLAN tagging on the ISA Firewall's NIC(s), each VLAN will appear on the ISA Firewall as a different logical NIC.

Then within ISA define the scope of the Internal network so that it has connectivity to the various VLANs.

On the internal switches, make the default gateway for all the VLANs the internal NIC of the ISA server.
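As an added example, not part of AC_Nova's replies or the thread, this is what the NIC configuration described in the two replies above looks like when typed into a Windows Server 2003 / ISA 2006 host: the external adapter gets the router as its only gateway and no DNS, and each tagged data VLAN, which the NIC vendor's tagging driver (Intel PROSet, Broadcom BACS) exposes as its own logical adapter in Network Connections, gets an internal address, internal DNS and no gateway. Adapter names, VLAN numbers and every address are assumptions; it uses netsh because PowerShell was not on a 2003-era server.

```batch
@echo off
rem Added example, not from the thread. Windows Server 2003 / ISA 2006 era, so netsh
rem rather than PowerShell. Adapter names, VLAN IDs and addresses are assumptions.
rem The "Internal - VLAN nn" adapters are the logical NICs the tagging driver creates;
rem rename them in Network Connections so the names below match.

rem --- External NIC: faces the Cisco 2811. Router is the only default gateway; no DNS.
netsh interface ip set address name="External" source=static addr=192.168.1.2 mask=255.255.255.0 gateway=192.168.1.1 gwmetric=1
netsh interface ip set dns name="External" source=static addr=none

rem --- Internal logical NICs, one per tagged data VLAN (10 = staff, 20 = contractors, assumed).
rem Internal DNS server, no gateway. The VoIP VLAN is not bound to ISA at all and keeps
rem the router as its gateway, so it is simply absent here.
netsh interface ip set address name="Internal - VLAN 10" source=static addr=10.10.0.2 mask=255.255.255.0
netsh interface ip set dns name="Internal - VLAN 10" source=static addr=10.10.0.10 register=primary
netsh interface ip set address name="Internal - VLAN 20" source=static addr=10.20.0.2 mask=255.255.255.0
netsh interface ip set dns name="Internal - VLAN 20" source=static addr=10.10.0.10 register=primary

rem --- Check: exactly one 0.0.0.0 route, via the external NIC. Two default routes
rem (one per NIC) is the classic misconfiguration that makes ISA route unpredictably.
route print
netsh interface ip show config
```

The 10.10.0.2 / 10.20.0.2 addresses answer the "how do I reach the box" question from the client side: each VLAN's ISA address is what you RDP to from that VLAN, and it is what the hosts on that VLAN use as their default gateway once the router's subinterface stops being their gateway. One check worth doing after the script: ISA 2006 installs with a policy whose only rule is "Default rule: Deny all", so clients behind it get no connectivity at all until an access rule exists that allows the Internal network out to External.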

Author Comment

by:danielevans83
After defining both NICs for VLAN tagging, how would I access the box at all? Currently it has a statically defined IP, but with tagging enabled it does not have an IP. This is my biggest confusion about setting this up. How would I still define it an IP so that I can remote desktop to it from the network on just one of the subnets?

Currently the default gateway for all VLANs is our router, and each subnet has an IP defined in that IP range all pointing to the same device, the router. So the logical interfaces on the router have the gateway IPs defined on them, not my switches.

I plan to wire this in behind the router and in front of our "core" switch. Would this involve me taking the IP settings off the Cisco router and defining each subnet's gateway as the ISA server's logical IP? Would that interfere with the Cisco router doing any routing? Am I understanding you correctly?

Expert Comment

by:AC_Nova
Can all your separate VLANs communicate with each other, or are they isolated?

Author Comment

by:danielevans83
I have an ACL allowing certain IPs to communicate with other subnets, but overall they are isolated.

Author Comment

by:danielevans83
Just to try to get this working, I've wired it in between my desktop and the port on the wall. I have the NICs set up as AC_Nova suggested, with the Router NIC going towards the port on the wall, and the Switch NIC going towards my desktop.

I had to assign an IP to each NIC, so the server technically has two IPs. From the ISA server I can ping the internet and ping internal LAN users. When connecting through my desktop, however, I have no network connectivity, even when changing my desktop's gateway to the ISA server's IP.

How would I get basic connectivity to work? Forget 802.1Q for right now; I want to get this functional with just a single desktop on one subnet, then work on bringing the rest into it.

Expert Comment

by:Keith Alabaster
Daniel, I work in the ISA team and AC_Nova has suggested I might be able to get involved in this one with you both - I am going to take this back a number of steps so that I can ask a number of questions before moving forwards again. I am in the UK, so our time zones will be slightly off.

I note that the original question asked for recommendations, but the question has now changed to how to set up an environment/network scenario, so it has expanded quite a lot.

I agree with the recommendation made above - ISA Server is likely the best product on the market to get a firewall and an application gateway/reverse proxy in one system. SBS Premium came with ISA Server and this had a maximum of 75 users (SBS 2003), so 100 users is certainly in the range. ISA can actually handle up to 10000 users per node as it is extremely scalable. You mentioned that you were looking for a proxy server, so I assume you do not need to use ISA as a firewall? Can you confirm?

What are the switches you are using?
What version of ISA server are you using?

Keith
ISA MVP



Accepted Solution

by:danielevans83
It couldn't hurt to use ISA as a back-end firewall, but currently I'd just like to get it set up as a proxy server with possibly web content filtering and web caching.

We have a D-Link DGS-3048 serving as the core of our network behind a Cisco 2811 router. Branching off the D-Link like a wheel are a 3Com 4500, a 3Com 4400, and two Dell PowerConnect 3248s.

We're MS Partners, so we own all versions of ISA for training purposes. I had installed 2006 on a test server and was playing around with it trying to get it set up.

I've heard of two different ways to set up a proxy: as a node with a single NIC, or with dual NICs and wiring it physically in between the router and switch. The latter is what I'd like to accomplish.

The wire connecting our router and core switch has 802.1Q port tagging enabled, so the proxy will be looking at two data subnets and also a VoIP subnet. I'd obviously like to ignore the VoIP subnet but proxy the two data subnets (one for our staff and another for our contractors).

My issue right now is just getting the physical wiring of it in between the router and switch to pass through data. I've heard that I'd need to set this proxy server as my subnets' gateway and basically have it do the routing instead of the router. Accurate or no?

Is that confusing or does that paint a better picture of what I'm trying to accomplish?