Best Way to Setup Windows-based Proxy / Content Filtering Server?

I want to set up a Windows-based transparent proxy server. If Windows is not the best way to go let me know.

I want to accomplish this:
Control over Port 80 (hopefully block some spyware/malware), possibly even cloak 80 and use 8181 or something.
Web Caching
Web Content Filtering
Some form of QoS to control bandwidth
Simple Network Monitoring (SNMP, Netflow)

What would be the best software to get this done with, and what would be your recommendation?  I've seen some Windows based products such as WinProxy or CCProxy and they look okay...
I've also seen some linux products such as Squid or DansGuardian which look promising.  What do you think?
Who is Participating?
danielevans83Connect With a Mentor Author Commented:
It couldn't hurt to use ISA as a back end firewall but currently I'd just like to get it set up as a proxy server with possibly web content filtering and web caching.

We have a DLink DGS-3048 serving as the core of our network behind a Cisco 2811 Router. Branching off of the DLink like a wheel are a 3com 4500, 3com 4400, and two Dell Powerconnect 3248's.

We're MS Partners so we own all versions of ISA for training purposes. I had installed 2006 on a test server and was playing around with it trying to get it set up.

I've heard of two different ways to set up a proxy, as a node with a single NIC. Or with dual NICs and wiring it physically inbetween the router and switch. The latter is what I'd like to accomplish.

The wire connecting our Router and Core Switch has port tagging 802.1q enabled so the proxy will be looking at two data subnets and also a VOIP subnet. I'd obviously like to ignore the VOIP subnet but proxy the two data subnets (one for our staff and another for our contractors).

My issue right now is just getting the physical wiring of it inbetween the router and switch to pass through data. I've heard that I'd need to set this proxy server as my subnets gateway and basically have it do the routing instead of the Router. Accurate or no?

Is that confusing or does that paint a better picture of what I'm trying to accomplish?
I would go with ISA 2006 from Microsoft.  Our company use ISA as a back end firewall as part of the DMZ - very good - easy to use and has excellent documentation.

Content filtering add-on  - websense
danielevans83Author Commented:
Is this an economically feasible solution for a small business with under 100 employees?
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

If you already have a server that can do the job then the software is around 1000 GBP.
danielevans83Author Commented:
Are there any alternatives to MS software that are Windows based?  I prefer not to use MS products if I can help it.  I'd ultimately prefer a Squid Linux box set up if any linux guys are available on EE but if it will be a Windows box are there any other Windows options?
danielevans83Author Commented:
Oh nevermind, we have a copy of ISA 2006 might as well use it.

How complicated is it to set up the NIC cards? I'd be stringing this inbetween a router and switch that are using 802.1Q port tagging most likely, so the NIC would need to be configured as such as well.

If I can get the NICs set up right then I can start testing the ISA.
The VLANS have to be included in the Internal network.

"Networks" are configured from ISAs point of view so if you have a "Network Behind a Network" , or access to internal subnets through an internal router, then logically all of those subnets are accessibile through the same interface, in ISAs point of view.

After this is defined, you then create Subnet objects (or Computer Sets or Computer objects)for your internal segments and then define Access Policies to these Subnets.

Network card configuration...

On the internal (facing the lan)  use internal dns servers and no gateway
On the external (facing the router) use no dns and a gateway of the router.
This is an edge firewall setup.  If you have a firewall on your router you could setup a dmz (depending on what apps you're using)  and have the isa as a back end firewall.

If you are using three network cards

setup a 3-leg perimeter network

setup your rules accordingly.
danielevans83Author Commented:
We currently have no DMZ setup but are using a Cisco 2811 router with CBAC firewall enabled. There are 2 data VLANs and 1 phone VLAN defined on the router that travel through the trunk port I'm talking about.

Would I be able to set up a single wire from the router to the NIC, and set the NIC for port tagging? If so what IP would I give the machine, or how would I give the machine an IP? Since the port the other NIC plugs into is a trunk that would also need to be 802.1Q.

Or would I need to have a single wire coming from each data subnet I want to protect?

My assumption is this: I need to set both NIC cards to 802.1Q port tagging, and somehow give the PC a "virtual IP" on one of those subnets to access it by. Similar to setting up a switch that uses 802.1Q. Is that accurate? If not how do you set up the NICs logically?
When you enable VLAN tagging on the ISA Firewall's NIC(s), each VLAN will appear on the ISA Firewall as a different logical NIC.

Then within ISA define the scope of the internal network so that it has connectivity to the various vlans.  

On the internal switches Make the default gateway for all the VLANS the internal NIC of the ISA server.
danielevans83Author Commented:
After defining both NICs for VLAN tagging, how would I access the box at all? Currently it has a statically defined IP, but with tagging enabled it does not have an IP. This is my biggest confusion about setting this up. How would I still define it an IP so that I can remote desktop to it from the network on just one of the subnets?

Currently the default gateway for all VLANs is our router, and each subnet has an IP defined in that IP range all pointing to the same device, the router. So the logical interfaces on the router have the gateway IP's defined on them, not my switches.

I plan to wire this in behind the router and in front of our "core" switch. Would this involve me taking the IP settings off the Cisco router and defining each subnets gateway as the ISA server's logical IP? Would that interfere with the Cisco router doing any routing? Am I understanding you correctly?
can all your separate vlans communicate with each other or are they isolated?
danielevans83Author Commented:
I have an ACL allowed certain IPs to communicate with other subnets, but overall they are isolated.
danielevans83Author Commented:
Just to try to get this working, I've wired it inbetween my desktop and the port on the wall.  I have the NICs setup as AC NOva suggested, with the Router NIC going towards the port on the wall, and Switch NIC going towards my desktop.

I had to assign an IP to each NIC so the server technically has two IPs. From the ISA server I can ping the internet and ping internal LAN users. When connecting through my desktop however I have no network connectivity, even when changing my desktop's Gateway to the ISA Server's IP.

How would I get basic connectivity to work. Forget 802.1Q for right now I want to get this functional with just a single desktop with one subnet then work on bringing the rest into it.
Keith AlabasterEnterprise ArchitectCommented:
Daniel, I work in the ISA team and AC Nova has suggested i might be able to get involved in this one with you both - I am going to take this back a number of steps so that I can ask a number of questions before moving forwards again. I am in the UK so our time zones will be slightly off.

I note that the original question asked for recommendations but the question has now changed to how to setup an environment/network scenario so it has expanded quite a lot.

I agree with the recomnmendation made above - ISA server is likely the best product on the market to get a firewall and an application gateway/reverse proxy in one system. SBS Premium came with ISA server and this had a maximum of 75 users (sbs2003) so 100 users is certainly in the range. ISA can actually handle up to 10000 users per noode as itis extremely scaleable. You mentioned that were looking for a proxy server so I assume you do not need to use ISA as a firewall? Can you confirm?

What are the switches you are using?
What version of ISA server are you using?


Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.