Squid and browser settings problem

Dear IT gurus,

I have set up a proxy that will authenticate users through NTLM when browser's configuration is set up with its ip address and port but it will not do it in transparent mode. I know this is not an Squid problem but transparent proxies' characteristic.

Since in the company we have several notebooks users I can't set browser's proxy settings through GPO because they won't be able to browse when they are not at the company and if I create 2 OUs (one for desktop and one for notebook users) the notebook user's username won't be logged in the access.log.

I need all the computers to access the proxy and authenticate but without changing browsers settings.
I might use a PAC (proxy auto configuration) file if it can be set up from a GPO.

Thanks in advance,

Pancho
##### squid.conf file ####

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

pid_filename /var/run/squid.pid

log_fqdn on

hosts_file /etc/hosts

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 2

auth_param ntlm program /usr/lib/squid/ntlm_auth -d unitanba.corp/ba-dc1
auth_param ntlm children 5
auth_param basic program /usr/lib/squid/ntlm_auth -d unitanba.corp/ba-dc1
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours 

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 131.107.2.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl ntlm_users proxy_auth REQUIRED
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ntlm_users
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all

icp_access allow all
cache_effective_group proxy
visible_hostname Penelope
logfile_rotate 0
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#tcp_outgoing_tos 0x4


#### firewall conf file ####

#Flush de Reglas
iptables -t filter -F
iptables -t nat -F

#Politicas por defecto
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#eth0 Internet 200.69.219.59
#eth1 192.168.11.2
#eth2 131.107.2.95
#rutas

route add -net 192.168.13.0/24 gw 192.168.11.1
route add -net 192.168.3.0/24 gw 192.168.11.1
route add -net 192.168.12.0/24 gw 192.168.11.1
route add -net 192.168.2.0/24 gw 192.168.11.1
route add -net 192.168.10.0/24 gw 192.168.11.1
route add -net 192.168.0.0/24 gw 192.168.11.1
route add -net 192.168.21.0/24 gw 192.168.11.1

iptables -t filter -A INPUT -s 131.107.2.0/24 -p tcp --dport 22 -j ACCEPT

#PERMITO CONEXIONES ESTABLECIDAS O RELATIVAS
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#PERMITO CONEXIONES NUEVAS DESDE LA RED LOCAL
iptables -t filter -A INPUT -m state --state NEW -s 131.107.2.0/24 -j ACCEPT
iptables -t filter -A FORWARD -m state --state NEW -s 131.107.2.0/24 -j ACCEPT
iptables -t filter -A FORWARD -m state --state NEW -i eth1 -j ACCEPT

#Habilito el Forward
echo 1 > /proc/sys/net/ipv4/ip_forward

#Enmascaro la conexion saliente de la red interna
iptables -t nat -A POSTROUTING -o eth0 -s 131.107.2.0/24 -j MASQUERADE

#FTP

#iptables -t filter -A FORWARD -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT  -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 20:21 -j ACCEPT

#Mapeo de puertos para el servidor de mail y ftp
#SSH
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 63000 -j DNAT --to 131.107.2.7:63000
iptables -A FORWARD -p tcp --dport 63000 -j ACCEPT
#SMTP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 131.107.2.7:25
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
#IMAP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 143 -j DNAT --to 131.107.2.7:143
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT 
#POP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j DNAT --to 131.107.2.7:110
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
#Webmail
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 131.107.2.7:80
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
#FTP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -j DNAT --to 131.107.2.3:20
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21  -j DNAT --to 131.107.2.3:21

#eMule
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20278 -j DNAT --to 131.107.2.250:20278
iptables -A FORWARD -p tcp --dport 20278 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 11279 -j DNAT --to 131.107.2.250:11279
iptables -A FORWARD -p udp --dport 11279 -j ACCEPT

#uVnc
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4900 -j DNAT --to 131.107.2.250:4900
iptables -A FORWARD -p tcp --dport 4900 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4800 -j DNAT --to 131.107.2.250:4800
iptables -A FORWARD -p tcp --dport 4800 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5800 -j ACCEPT

#Webmin
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT

#NTP
iptables -A INPUT -p tcp -s 0/0 --dport 123 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --dport 123 -j ACCEPT

#Escritorio remoto
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 131.107.2.3:3389
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT

#PROXY
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 131.107.2.95:3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 131.107.2.95:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A OUTPUT -m tos \! --tos 0x4  -p tcp --dport 80 -j REDIRECT --to-port 3128

Open in new window

LVL 8
PanchuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SSupremeCommented:
To add new user and password type: htpasswd /etc/squid/squid_passwd *user*


auth_param basic casesensitive off
auth_param basic children 10
auth_param basic credentialsttl 1 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
acl groupA proxy_auth *user*
http_access allow groupA
 

Open in new window

0
sukamtoCommented:
Are your clients using static ip or dynamic ip?
You can setup WPAD (Proxy Auto-Detection) with DHCP server and WPAD.

This is a good howto link
http://www.howtoforge.com/squid-proxy-server-on-ubuntu-9.04-server-with-dansguardian-clamav-and-wpad-proxy-auto-detection
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PanchuxAuthor Commented:
SSupreme and sukamto, I just need to deploy a PAC file using GPO. Other methods/ideas are welcome.
BTW we are using dynamic ips but I can add a reservation by mac address although I'm not willing to do so.

Pancho
0
PanchuxAuthor Commented:
The link above was part of the solution.

Thanks,

Pancho
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.