
Proxy and RRAS configuration with Squid and W2k3

Posted on 2012-04-04
919 Views
Last Modified: 2012-04-13
Hi Experts,

I have been tinkering with and googling this issue for several days now and I have drawn a blank on how to solve it.

I am currently overseas for work, where I have been placed in an admin role for a network supporting approx. 250 users. The idea is to have users connect to the network either via WAPs (in the common areas) or Ethernet (in the accommodation rooms). The current set-up is as follows...

ISP (newsat)
|
modem (Unknown and dont have access to it)
|
Server (W2k3, RRAS, Squid Proxy, DHCP, DNS WWW)
|
Switches (Cisco 3750's)
|
Users and WAP's

(Users are not on a domain)

The users receive ip info from the local dhcp server and dns provides local name resolution whilst forwarding all other requests to OpenDNS for web content filtering. The proxy server works flawlessly provided the users have the proxy settings added.

As long as the users have the proxy settings set properly, they are directed through the proxy server (port 3128) and everything is well and good, but when a user removes the settings, they are still allowed access to the internet and bypass the proxy server. This, I think, is because users without the settings can still reach the server on the internal interface, and the server then routes them out the external interface regardless of whether the request came in on the proxy port or not.

I can restrict this by dropping all packets with a destination port of 80 and 443 (and any other port I need to deny direct access to the internet on) on the internal interface, so the only way into the server is through port 3128, but this then blocks the users from accessing the web pages on the server.

I would like to know what the best configuration would be (I assume this will be on the external interface) to only allow traffic on port 3128 and specific ports that I can define later on, whilst allowing access to the web server from the local network.

I know that implementing a hardware firewall between the modem and the server would be my best option, but unfortunately I am limited to the equipment that I already have and have no budget for any upgrades.

If anyone could advise on a possible solution, please let me know.

-Anthony
Question by:ajbarron
5 Comments
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 37832835
I can restrict this by dropping all packets with a destination port of 80 and 443 (and any other port I need to deny direct access to the internet on) on the internal interface, so the only way into the server is through port 3128, but this then blocks the users from accessing the web pages on the server.

That is pretty much the only option I see. Your situation is limited in what tools you have available to you. You can use a second ACL to allow access to the web pages on the server that overrides the broader deny rule. If you can't do that, then you are just plain screwed by your situation, requiring you to change the situation, or "live with it".

The "everything on one box" is a horrible situation to be in. The only bright spot there is that there is no domain, hence you are not piling all that on a Domain Controller, which is really bad.
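One way to build the filter set the question and the accepted answer describe, as an added example that is not part of the thread: RRAS IP packet filters on the server's internal (LAN-facing) interface, configured with netsh in "drop all packets except those that meet the criteria below" mode. The listed filters admit the Squid port, the server's own web pages, DNS and DHCP to the server, and nothing else, so a client without proxy settings can no longer be routed straight out the external interface. The interface name "LAN", the addresses 192.168.1.0/24 and 192.168.1.1, and the RDP admin line are placeholders to be replaced with the real values.

```batch
@echo off
rem Added example, not from the thread: RRAS input packet filters on the
rem server's LAN-facing interface (Windows Server 2003, RRAS enabled).
rem
rem Placeholders (assumptions - change to match the server):
rem   LAN interface name : LAN
rem   Server LAN address : 192.168.1.1
rem   LAN subnet         : 192.168.1.0 / 255.255.255.0
rem Squid listens on TCP 3128; the local web server on TCP 80 and 443.
rem
rem Exceptions are added FIRST, then the list is switched to default-deny,
rem so the admin session is never cut off between the two steps.

set IF=LAN
set SRV=192.168.1.1
set LAN=192.168.1.0
set LANMASK=255.255.255.0

rem --- Squid proxy: the only permitted path to the Internet -----------------
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=3128

rem --- Web pages hosted on the server itself --------------------------------
rem dstaddr is the server's own address, NOT 0.0.0.0/0.0.0.0: a filter for
rem any destination on port 80/443 would let clients route past Squid again.
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=80
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=443

rem --- DNS: clients query the server, which forwards to OpenDNS -------------
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=udp srcport=0 dstport=53
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=53

rem --- DHCP: DISCOVER/REQUEST arrive as 0.0.0.0:68 -> 255.255.255.255:67 ----
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=255.255.255.255 dstmask=255.255.255.255 proto=udp srcport=68 dstport=67

rem --- Admin access to the server from the LAN (RDP); remove if not wanted --
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=3389

rem --- Now flip the list to "drop all packets except the criteria above" ----
netsh routing ip set filter name="%IF%" filtertype=input action=drop

rem --- Verify what is in force ----------------------------------------------
netsh routing ip show filter name="%IF%"
```

Two things to keep in mind when using this: RRAS packet filters are stateless and per-interface, so the allow list must name every service on the server the clients are expected to reach (file shares, NTP, anything else) or it silently stops working once action=drop is set; and the rule for each newly permitted destination port should be added to this list with the server's address, never with dstaddr=0.0.0.0, since a wildcard destination on a port is exactly the direct route past the proxy the question wants closed.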
LVL 1

Author Comment

by:ajbarron
ID: 37837780
Thank you for the reply,

I understand that I am in a sticky situation with this. I have pushed for a dedicated firewall but keep on getting knocked back. Would it be worth installing a software firewall on the server, or would I only be achieving the same thing, just with a different piece of software?

Regards,

-Anthony
LVL 29

Expert Comment

by:pwindell
ID: 37839578
Personally, I wouldn't. There's "too much" installed on that thing now. Besides that, a proxy IS a firewall. People think they are two different things, but they are not. NAT and proxying are just two different technologies you can base a firewall on. Some firewalls combine both in the same product (like MS's ISA and TMG products). Proxies actually give more solid security because they operate from Layer 3 all the way up to Layer 7, where NAT only operates at Layers 3 and 4. The scope of a proxy's reach depends on what type of proxy it is (HTTP proxy, Winsock proxy, SOCKS proxy, etc.).