We help IT Professionals succeed at work.
Get Started

Laptop/External Users And Content Filtering

Last Modified: 2013-11-16
Hi Experts,

I am stumped about how to filter my mobile users and hoping for some help. Heres the situation:

I have a Fortigate 200a @ the gateway that does content filtering (porn, etc) for internal clients beautifully. I also have set up a Squid NT proxy server that I use in several situations that require a very locked down machine. This all works well.

My challenge is that I am having a hard time finding a way to filter web content on the two dozen laptops we have that go external to the company. Here is what I have tried and why it doesnt work.
1. The first thing I tried was a product from Fortinet called Forticlient. In theory, it worked great, but in practice, less so. It caused so many problems with BSoD's on different builds, extreme slowness on others, and often times caused a timeout when trying to go to a page, while the next time you tried to go to the same page it worked just fine.
2. My next idea was proxying. I set up some test users and forced IE to use my internal proxy server. One of the challenges I had was how to handle hotspots and captive portals. If I just set a strait proxy and they were at a location that had a captive portal, they could not surf because the captive portal wouldnt allow them to go to the proxy server, and the proxy server wouldn't allow them to go to the captive portal to authenticate. So, I used a very, very simple proxy.pac that said to use the proxy server if available, else go direct. I set the users to go through the Squid box and gave them rights to everything (no filtering on the Squid box), but because they go through the Fortigate on the way in, they got filtered.

So option two worked great in a non captive portal environment, but here is where I am stumped. I have been testing this configuration out at a Panera bread and have seen two problems.
1. Because the proxy.pac is not available when IE starts (because of the captive portal not letting it out), even with the setting to recheck for the proxy settings every 10 minutes, it doesnt seem to ever update the proxy settings (I am going back tonight to test this again). This lets the user connect to whatever site they want to the first time they open up IE (unacceptable), although it will work correctly the next time they open IE and will try to proxy their traffic.
NOTE: I did try making the proxy.pac local so it was always available, but then from what I saw you still had the same problem in that when IE starts up, the proxy server couldn't be reached so everything went direct.  
2. What I then found out was that Panera is using a sonicwall for filtering, and they are blocking all proxied connections. In my case, I have the proxy server at port 3128 (Squid's default), but I just changed it to look for stuff on port 80 to see if I can trick it into thinking its web traffic.

Even if changing the ports works, I still can't accept the fact that the first time they open up IE its not going to be filtered.

I have looked at other options (8e6, websense, etc.), and I am having a hard time justifying spending thousands of dollars to filter so few of clients.

In a nutshell, my goal is to have my laptop users have all their web traffic filtered (100% of the time), both when they are internal and external, to be able to centrally manage the allow/block list so I can easily control what the can and cannot get to, and for this to work in a situation that has a captive portal in use without spending a lot (several thousand) of money.

If anyone has any suggestions, I would love to hear them, and if I need to provide further information, please let me know. Thanks!

//proxy.pac code
function FindProxyForURL(url, host) { return "PROXY proxy.com:80; DIRECT"; }

Open in new window

Watch Question
This problem has been solved!
Unlock 1 Answer and 9 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE