Proxy and RRAS configuration with Squid and W2k3

Hi Experts,

I have been tinkering with and googalizing this issue for several days now and I have drawn a blank on how to solve it.

I am currently overseas for work, where I have been placed in an admin role for a network supporting approx. 250 users. The idea is to have users connect to the network either via WAPs (in the common areas) or Ethernet (in the accommodation rooms). The current set-up is as follows...

ISP (newsat)
|
modem (unknown, and I don't have access to it)
|
Server (W2k3, RRAS, Squid Proxy, DHCP, DNS, WWW)
|
Switches (Cisco 3750s)
|
Users and WAPs

(Users are not on a domain)

The users receive IP info from the local DHCP server, and DNS provides local name resolution whilst forwarding all other requests to OpenDNS for web content filtering. The proxy server works flawlessly provided the users have the proxy settings added.

As long as the users have the proxy settings set properly, they are directed through the proxy server (port 3128) and everything is all well and good, but when a user removes the settings, they are still allowed access to the internet and bypass the proxy server. This, I think, is because the users without the settings can still access the server on the internal interface, and the server then routes them out the external interface regardless of whether the request came in on the proxy port or not.

I can restrict this by dropping all packets with a destination port of 80 and 443 (and any other port I need to deny direct access to the internet on) on the internal interface, so the only way into the server is through port 3128, but this then blocks the users from accessing the web pages on the server.

I would like to know what the best configuration would be (I assume this will be on the external interface) to only allow traffic on port 3128 and specific ports that I can define later on, whilst allowing access to the web server from the local network.

I know that implementing a hardware firewall between the modem and the server would be my best option, but unfortunately I am limited to the equipment that I already have and have no budget for any upgrades.

If anyone could advise on a possible solution, please let me know.

-Anthony
ajbarronAsked:
pwindellCommented:
I can restrict this by dropping all packets with a destination port of 80 and 443 (and any other port I need to deny direct access to the internet on) on the internal interface, so the only way into the server is through port 3128, but this then blocks the users from accessing the web pages on the server.

That is pretty much the only option I see. Your situation is limited on what tools you have available to you. You can use a second ACL to allow access to the Web Pages on the Server that overrides the broader deny rule. If you can't do that then you are just plain screwed by your situation,...requiring you to change the situation,...or "live with it".

The "everything on one box" is a horrible situation  to be in.  The only bright spot there is that there is no domain,...hence you are not piling all that on a Domain Controller which is really bad.
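As an added example (not from the thread, and not a configuration either participant posted), here is how the "second ACL that overrides the broad deny" maps onto W2k3 RRAS, which has no rule ordering and only one action per interface: the deny becomes a "Drop all packets except those that meet the criteria below" input filter on the internal interface, and the allow entries are the override. The interface name "Internal", the server address 10.0.0.1 and the client range 10.0.0.0/24 are placeholders, and the netsh parameter names are written from memory of the W2k3 `netsh routing ip` context, so check them against `netsh routing ip add filter help` before use.

```batch
@echo off
REM Added example: whitelist input filter for the LAN-facing RRAS interface.
REM Placeholders (assumptions): interface name, server IP, client subnet.
set IF=Internal
set SRV=10.0.0.1
set LAN=10.0.0.0
set LANMASK=255.255.255.0

REM 1. Squid listener: the only route to the internet clients should have.
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=3128

REM 2. Web pages hosted on the server itself (the "second ACL" from the
REM    answer above). Only the server's own address is opened, so a client
REM    that drops its proxy settings still cannot reach port 80/443 elsewhere.
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=80
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=443

REM 3. DNS: clients resolve through the server, which forwards to OpenDNS.
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=udp srcport=0 dstport=53
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=53

REM 4. DHCP discover/request arrive as broadcast from clients that may not
REM    have an address yet, so they need their own entry.
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=255.255.255.255 dstmask=255.255.255.255 proto=udp srcport=68 dstport=67

REM 5. Return traffic for TCP sessions the server itself opens toward the LAN
REM    (tcp-est matches only established segments, not new SYNs).
netsh routing ip add filter name="%IF%" filtertype=input srcaddr=%LAN% srcmask=%LANMASK% dstaddr=%SRV% dstmask=255.255.255.255 proto=tcp-est srcport=0 dstport=0

REM 6. Flip the interface to "Drop all packets except those listed above".
REM    Everything not enumerated (file shares, RDP, ping) is now refused, so
REM    add entries for any service the LAN still needs before running this.
netsh routing ip set filter name="%IF%" filtertype=input action=drop
```

Because the whitelist sits on the internal interface's inbound side, nothing that bypasses Squid ever reaches the routing stage, which is the failure mode described in the question; the external interface needs no change for this.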
ajbarronAuthor Commented:
Thank you for the reply,

I understand that I am in a sticky situation with this. I have pushed for a dedicated firewall but keep on getting knocked back. Would it be worth installing a software firewall on the server, or would I only be achieving the same thing just with a different piece of software?

Regards,

-Anthony
pwindellCommented:
Personally,..I wouldn't. There's "too much" installed on that thing now. Besides that, a proxy IS a firewall. People think they are two different things,...but they are not. NAT and proxying are just two different technologies you can base a Firewall on. Some Firewalls combine both in the same product (like MS's ISA and TMG products). Proxies actually give more solid security because they operate from Layer 3 all the way up to Layer 7, where NAT only operates at Layers 3 & 4. The scope of a proxy's reach depends on what type of proxy it is (HTTP Proxy, Winsock Proxy, Socks Proxy, etc.).
Microsoft Legacy OS

Question has a verified solution.