Clayton Pruett

asked on

Laptop/External Users And Content Filtering

Hi Experts,

I am stumped about how to filter my mobile users and hoping for some help. Here's the situation:

I have a Fortigate 200a at the gateway that does content filtering (porn, etc.) for internal clients beautifully. I also have set up a Squid NT proxy server that I use in several situations that require a very locked-down machine. This all works well.

My challenge is that I am having a hard time finding a way to filter web content on the two dozen laptops we have that go external to the company. Here is what I have tried and why it doesn't work.
1. The first thing I tried was a product from Fortinet called FortiClient. In theory, it worked great, but in practice, less so. It caused so many problems with BSoDs on different builds, extreme slowness on others, and oftentimes caused a timeout when trying to go to a page, while the next time you tried to go to the same page it worked just fine.
2. My next idea was proxying. I set up some test users and forced IE to use my internal proxy server. One of the challenges I had was how to handle hotspots and captive portals. If I just set a straight proxy and they were at a location that had a captive portal, they could not surf because the captive portal wouldn't allow them to go to the proxy server, and the proxy server wouldn't allow them to go to the captive portal to authenticate. So, I used a very, very simple proxy.pac that said to use the proxy server if available, else go direct. I set the users to go through the Squid box and gave them rights to everything (no filtering on the Squid box), but because they go through the Fortigate on the way in, they got filtered.

So option two worked great in a non-captive-portal environment, but here is where I am stumped. I have been testing this configuration out at a Panera Bread and have seen two problems.
1. Because the proxy.pac is not available when IE starts (because of the captive portal not letting it out), even with the setting to recheck for the proxy settings every 10 minutes, it doesn't seem to ever update the proxy settings (I am going back tonight to test this again). This lets the user connect to whatever site they want the first time they open up IE (unacceptable), although it will work correctly the next time they open IE and will try to proxy their traffic.
NOTE: I did try making the proxy.pac local so it was always available, but from what I saw you still had the same problem in that when IE starts up, the proxy server couldn't be reached, so everything went direct.
2. What I then found out was that Panera is using a SonicWall for filtering, and they are blocking all proxied connections. In my case, I have the proxy server at port 3128 (Squid's default), but I just changed it to listen on port 80 to see if I can trick it into thinking it's web traffic.

Even if changing the ports works, I still can't accept the fact that the first time they open up IE it's not going to be filtered.

I have looked at other options (8e6, Websense, etc.), and I am having a hard time justifying spending thousands of dollars to filter so few clients.

In a nutshell, my goal is to have my laptop users have all their web traffic filtered (100% of the time), both when they are internal and external, to be able to centrally manage the allow/block list so I can easily control what they can and cannot get to, and for this to work in a situation that has a captive portal in use without spending a lot (several thousand) of money.

If anyone has any suggestions, I would love to hear them, and if I need to provide further information, please let me know. Thanks!

// proxy.pac code: try the internal proxy first, otherwise go direct
function FindProxyForURL(url, host) {
    return "PROXY proxy.com:80; DIRECT";
}


ASKER CERTIFIED SOLUTION
jhyiesla

This solution is only available to members.
ASKER

jhyiesla,

Thanks for the quick reply.

So Postini looks like a possible solution, but I have one concern. Here's the quote from the site:
Usage requirements
Available only as an add-on to Google Message Security or Google Message Discovery
Minimum 100 user order required. Online purchases not yet available. For more information contact our sales department.

I am afraid this will ramp the price up so high it will be unusable. I put a call in to Google (no answer, guess they couldn't afford a receptionist), but as soon as I hear something back I will let you know.

Thanks!
I do believe that the 100 user minimum is right... not sure about what the others mean... we're already a customer using their spam filtering for email so that wasn't a concern. But it's worth asking if you can just do the web filtering or not. I know that there is separate pricing for filtering and for mobile filtering... don't have the pricing stuff readily available at my desk.

I believe that Postini actually partners with ScanSafe (www.scansafe.com). You might check out their web site. I don't think that ScanSafe sells directly, but if Postini is putting too many twists on it that it becomes too expensive, you might try contacting ScanSafe directly to see if another partner may be more willing to sell at a better price.
One other approach to this I thought of was:

If the PAC file was put on the local machine and the PAC file detected the local network and used direct connections for anything on the local subnet and used the proxy for everything else, that might work.

Anyone handy with some JavaScript/PAC file scripting?
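The PAC approach from the question (proxy if reachable, else direct) and from the comment above (detect the local network, go direct there, proxy everything else), written out as an added example. This is not code from the original thread. It assumes a corporate LAN of 10.10.0.0/16 and an internal proxy at proxy.example.com:3128 (both made up), and it treats a destination that resolves into the laptop's own /24 as the hotspot's gateway so a captive portal stays reachable without the blanket "; DIRECT" fallback that let first-launch traffic escape unfiltered. Everything else goes to the proxy only, so it fails closed when the proxy is unreachable. `myIpAddress()` and `dnsResolve()` are PAC built-ins supplied by the browser; the decision logic is kept in `chooseProxy()` so it can be exercised outside a browser.

```javascript
// Added example PAC file (PAC is plain JavaScript; ES3 syntax so old IE engines accept it).
// Assumed, not from the thread: corporate LAN 10.10.0.0/16, proxy proxy.example.com:3128.
var CORP_NET = "10.10.0.0";
var CORP_PREFIX = 16;
var PROXY = "PROXY proxy.example.com:3128";

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside network/prefixLen. Pure JS stand-in for the PAC
// built-in isInNet(), so the same code runs in and outside a browser.
function inSubnet(ip, network, prefixLen) {
  var a = ipToInt(ip), b = ipToInt(network);
  if (a === null || b === null) return false;
  if (prefixLen === 0) return true;
  var mask = (0xffffffff << (32 - prefixLen)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// The routing decision.
//   clientIp   - this laptop's own address (PAC: myIpAddress()), or null
//   resolvedIp - what `host` resolves to   (PAC: dnsResolve(host)), or null
function chooseProxy(url, host, clientIp, resolvedIp) {
  // Unqualified names (intranet servers, localhost) and corporate addresses: direct.
  if (host.indexOf(".") === -1 ||
      inSubnet(host, CORP_NET, CORP_PREFIX) ||
      inSubnet(resolvedIp, CORP_NET, CORP_PREFIX)) {
    return "DIRECT";
  }
  // On the corporate LAN the Fortigate at the gateway already filters, so direct is fine.
  if (inSubnet(clientIp, CORP_NET, CORP_PREFIX)) {
    return "DIRECT";
  }
  // Off the LAN: a destination on the laptop's own /24 is, in practice, the hotspot's
  // captive-portal gateway. It has to be reachable directly or the user can never log in
  // (the deadlock described in the question). Heuristic; assumes the hotspot uses a /24.
  if (clientIp && resolvedIp && inSubnet(resolvedIp, clientIp, 24)) {
    return "DIRECT";
  }
  // Everything else: proxy only, deliberately with no "; DIRECT" fallback. If the proxy
  // is down or the hotspot blocks it, browsing fails closed instead of going unfiltered.
  return PROXY;
}

// PAC entry point. In a browser the two helpers exist; outside one they are absent and
// the unknown addresses simply fall through to the proxy (fail closed).
function FindProxyForURL(url, host) {
  var clientIp = (typeof myIpAddress === "function") ? myIpAddress() : null;
  var resolvedIp = (typeof dnsResolve === "function") ? dnsResolve(host) : null;
  return chooseProxy(url, host, clientIp, resolvedIp);
}
```

Install it as the browser's automatic configuration script from a local path, so it is present before any network is. The trade-off is the one the question asks for: at a hotspot that blocks the proxy port, users get no web at all rather than unfiltered web. The /24 check is only a heuristic; on a hotspot with a larger subnet or a portal on another segment the user will need to open the gateway address directly, which the same rule still allows.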

jhyiesla: haven't given up on Postini, still no returned call, FYI.
Did you contact their sales number from the web page... that's usually the best way... my guy is pretty responsive. I can get you his info, but not sure if they split things up by territory or what.
jhyiesla,

Do you have that contact number? I am having the hardest time getting them to call me back or to talk to someone.

If Postini works like it sounds (will have to test) and they will sell to us without meeting the 100 user minimum, I will give you the points.

Otherwise, I am still without a solution. Frankly, I am floored that this common of a solution is this challenging to fix!

Thanks and have a good one!
It's been a bit since I spoke with him so I assume that he's still there :)

His name is John Pullen and the number I have for him is 937-747-4560
jhyiesla,

So, first off, thanks for the help.

I am going to accept your Postini answer as a solution, but with reservations (this is mostly for anyone that reads this in the future).

Postini looks like it will work out great (does the filtering, not with a PAC file or the like, but actual software you install on the client). Unfortunately, Google/Postini has a minimum order that makes getting into it pretty high (around 2 grand), hence the reservation (at the end of my question I had this: "in use without spending a lot (several thousand) of money.").

In my case, I am looking seriously into moving my spam/virus filtering to Postini to offset the costs of my current solution, so it will probably be doable, just a pain.

Anyway, thanks for the help jhyiesla, I appreciate it.

BTW, Google called me back finally about 5 minutes after I asked for that phone number, of course ;)
The B is because of the high cost.