I have been tinkering with and googalizing this issue for several days now and I have drawn a blank on how to solve it.
I am currently overseas for work, where I have been placed in an admin role for a network supporting approx. 250 users. The idea is to have users connect to the network either via WAPs (in the common areas) or Ethernet (in the accommodation rooms). The current setup is as follows...
Modem (unknown, and I don't have access to it)
Server (W2k3, RRAS, Squid Proxy, DHCP, DNS, WWW)
Switches (Cisco 3750s)
Users and WAPs
(Users are not on a domain)
The users receive IP info from the local DHCP server, and DNS provides local name resolution whilst forwarding all other requests to OpenDNS for web content filtering. The proxy server works flawlessly provided the users have the proxy settings added.
As long as the users have the proxy settings set properly, they are directed through the proxy server (port 3128) and everything is all well and good, but when a user removes the settings, they are still allowed access to the internet and bypass the proxy server. This, I think, is because the users without the settings can still access the server on the internal interface, and the server then routes them out the external interface regardless of whether the request came from the proxy port or not.
I can restrict this by dropping all packets with a destination port address of 80 and 443, and any other port I need to deny direct access to the internet, on the internal interface, so the only way into the server is through port 3128, but this then blocks the users from accessing the web pages on the server.
I would like to know what the best configuration (I assume this will be on the external interface) would be to only allow traffic on port 3128 and specific ports that I can define later on, whilst allowing access to the web server from the local network.
I know that implementing a hardware firewall between the modem and the server would be my best option, but unfortunately I am limited to the equipment that I have already and have no budget for any upgrades.
If anyone could advise on a possible solution, please let me know.