

Best Way to Setup Windows-based Proxy / Content Filtering Server?

Posted on 2008-11-03
Medium Priority
Last Modified: 2013-11-22
I want to set up a Windows-based transparent proxy server. If Windows is not the best way to go let me know.

I want to accomplish this:
Control over Port 80 (hopefully block some spyware/malware), possibly even cloak 80 and use 8181 or something.
Web Caching
Web Content Filtering
Some form of QoS to control bandwidth
Simple Network Monitoring (SNMP, Netflow)

What would be the best software to get this done with, and what would be your recommendation?  I've seen some Windows based products such as WinProxy or CCProxy and they look okay...
I've also seen some linux products such as Squid or DansGuardian which look promising.  What do you think?
Question by: danielevans83

Expert Comment

ID: 22865627
I would go with ISA 2006 from Microsoft. Our company uses ISA as a back-end firewall as part of the DMZ - very good, easy to use, and it has excellent documentation.

Content filtering add-on: Websense

Author Comment

ID: 22865655
Is this an economically feasible solution for a small business with under 100 employees?

Expert Comment

ID: 22865666
If you already have a server that can do the job then the software is around 1000 GBP.

Author Comment

ID: 22872118
Are there any alternatives to MS software that are Windows based? I prefer not to use MS products if I can help it. I'd ultimately prefer a Squid Linux box set up if any Linux guys are available on EE, but if it will be a Windows box, are there any other Windows options?

Author Comment

ID: 22886905
Oh, never mind, we have a copy of ISA 2006; might as well use it.

How complicated is it to set up the NIC cards? I'd be stringing this in between a router and switch that are using 802.1Q port tagging most likely, so the NIC would need to be configured as such as well.

If I can get the NICs set up right then I can start testing the ISA.

Expert Comment

ID: 22887060
The VLANs have to be included in the Internal network.

"Networks" are configured from ISA's point of view, so if you have a "Network Behind a Network", or access to internal subnets through an internal router, then logically all of those subnets are accessible through the same interface, from ISA's point of view.

After this is defined, you then create Subnet objects (or Computer Sets or Computer objects) for your internal segments and then define Access Policies to these Subnets.

Network card configuration...

On the internal NIC (facing the LAN), use internal DNS servers and no gateway.
On the external NIC (facing the router), use no DNS and a gateway of the router.
This is an edge firewall setup. If you have a firewall on your router you could set up a DMZ (depending on what apps you're using) and have the ISA as a back-end firewall.

If you are using three network cards, set up a 3-leg perimeter network and set up your rules accordingly.
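The two-NIC edge layout the expert describes above (internal NIC: internal DNS and no gateway; external NIC: no DNS and the router as gateway), written out as a batch script for the ISA host. This is an added example, not code from the thread and not Microsoft's documentation; it uses only the stock Windows Server 2003 era netsh and route commands. The interface names ("Internal", "External"), every address, and the second internal subnet behind an internal router are assumptions chosen for illustration.

```batch
@echo off
rem Added example (not from the thread). Interface names and all addresses are
rem assumptions; change them to match your network. Run from a command prompt
rem with administrative rights on the ISA host.
rem
rem Assumed addressing:
rem   Internal NIC "Internal":  10.10.1.2/24, internal DNS 10.10.1.10, NO default gateway
rem   External NIC "External":  192.168.254.2/24, gateway = router 192.168.254.1, NO DNS
rem   A second internal subnet 10.10.2.0/24 lives behind an internal router at
rem   10.10.1.254 ("network behind a network") and must be reached via the Internal NIC.

rem --- Internal NIC: static address, internal DNS servers, no default gateway ---
netsh interface ip set address name="Internal" source=static addr=10.10.1.2 mask=255.255.255.0
netsh interface ip set dns name="Internal" source=static addr=10.10.1.10

rem --- External NIC: static address, default gateway = the router, no DNS ---
netsh interface ip set address name="External" source=static addr=192.168.254.2 mask=255.255.255.0 gateway=192.168.254.1 gwmetric=1
netsh interface ip set dns name="External" source=static addr=none

rem --- Persistent route for the subnet behind the internal router ---
rem The Internal NIC has no gateway, so without this route the host would send
rem 10.10.2.0/24 traffic out the External NIC toward the edge router, and ISA
rem would not see that subnet as belonging to its Internal network.
route -p add 10.10.2.0 mask 255.255.255.0 10.10.1.254

rem --- Checks ---
rem Exactly one 0.0.0.0 default route should remain, via the External NIC.
route print 0.0.0.0
rem Internal must show no default gateway; External must show no DNS servers.
ipconfig /all
```

Having a single default route (on the external side only) is the property to verify before defining the Internal network in ISA: every internal subnet that is not directly attached must be reachable through a static route via the internal NIC, otherwise ISA will treat packets arriving from it as coming from the wrong network.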

Author Comment

ID: 22890077
We currently have no DMZ setup but are using a Cisco 2811 router with CBAC firewall enabled. There are 2 data VLANs and 1 phone VLAN defined on the router that travel through the trunk port I'm talking about.

Would I be able to set up a single wire from the router to the NIC, and set the NIC for port tagging? If so what IP would I give the machine, or how would I give the machine an IP? Since the port the other NIC plugs into is a trunk that would also need to be 802.1Q.

Or would I need to have a single wire coming from each data subnet I want to protect?

My assumption is this: I need to set both NIC cards to 802.1Q port tagging, and somehow give the PC a "virtual IP" on one of those subnets to access it by. Similar to setting up a switch that uses 802.1Q. Is that accurate? If not how do you set up the NICs logically?

Expert Comment

ID: 22893178
When you enable VLAN tagging on the ISA Firewall's NIC(s), each VLAN will appear on the ISA Firewall as a different logical NIC.

Then within ISA define the scope of the internal network so that it has connectivity to the various VLANs.

On the internal switches, make the default gateway for all the VLANs the internal NIC of the ISA server.

Author Comment

ID: 22897275
After defining both NICs for VLAN tagging, how would I access the box at all? Currently it has a statically defined IP, but with tagging enabled it does not have an IP. This is my biggest confusion about setting this up. How would I still define it an IP so that I can remote desktop to it from the network on just one of the subnets?

Currently the default gateway for all VLANs is our router, and each subnet has an IP defined in that IP range all pointing to the same device, the router. So the logical interfaces on the router have the gateway IPs defined on them, not my switches.

I plan to wire this in behind the router and in front of our "core" switch. Would this involve me taking the IP settings off the Cisco router and defining each subnet's gateway as the ISA server's logical IP? Would that interfere with the Cisco router doing any routing? Am I understanding you correctly?

Expert Comment

ID: 22904615
can all your separate vlans communicate with each other or are they isolated?

Author Comment

ID: 22908246
I have an ACL allowing certain IPs to communicate with other subnets, but overall they are isolated.

Author Comment

ID: 22908449
Just to try to get this working, I've wired it in between my desktop and the port on the wall. I have the NICs set up as AC Nova suggested, with the Router NIC going towards the port on the wall, and the Switch NIC going towards my desktop.

I had to assign an IP to each NIC so the server technically has two IPs. From the ISA server I can ping the internet and ping internal LAN users. When connecting through my desktop however I have no network connectivity, even when changing my desktop's Gateway to the ISA Server's IP.

How would I get basic connectivity to work? Forget 802.1Q for right now; I want to get this functional with just a single desktop on one subnet, then work on bringing the rest into it.

Expert Comment

by: Keith Alabaster
ID: 22909445
Daniel, I work in the ISA team and AC Nova has suggested I might be able to get involved in this one with you both - I am going to take this back a number of steps so that I can ask a number of questions before moving forwards again. I am in the UK so our time zones will be slightly off.

I note that the original question asked for recommendations but the question has now changed to how to setup an environment/network scenario so it has expanded quite a lot.

I agree with the recommendation made above - ISA Server is likely the best product on the market to get a firewall and an application gateway/reverse proxy in one system. SBS Premium came with ISA Server and this had a maximum of 75 users (SBS 2003), so 100 users is certainly in the range. ISA can actually handle up to 10000 users per node as it is extremely scalable. You mentioned that you were looking for a proxy server, so I assume you do not need to use ISA as a firewall? Can you confirm?

What are the switches you are using?
What version of ISA server are you using?



Accepted Solution

danielevans83 earned 0 total points
ID: 22927183
It couldn't hurt to use ISA as a back end firewall but currently I'd just like to get it set up as a proxy server with possibly web content filtering and web caching.

We have a DLink DGS-3048 serving as the core of our network behind a Cisco 2811 Router. Branching off of the DLink like a wheel are a 3com 4500, 3com 4400, and two Dell Powerconnect 3248's.

We're MS Partners so we own all versions of ISA for training purposes. I had installed 2006 on a test server and was playing around with it trying to get it set up.

I've heard of two different ways to set up a proxy: as a node with a single NIC, or with dual NICs, wiring it physically in between the router and switch. The latter is what I'd like to accomplish.

The wire connecting our Router and Core Switch has 802.1Q port tagging enabled, so the proxy will be looking at two data subnets and also a VOIP subnet. I'd obviously like to ignore the VOIP subnet but proxy the two data subnets (one for our staff and another for our contractors).

My issue right now is just getting the physical wiring of it in between the router and switch to pass through data. I've heard that I'd need to set this proxy server as my subnets' gateway and basically have it do the routing instead of the Router. Accurate or no?

Is that confusing or does that paint a better picture of what I'm trying to accomplish?
