It is my understanding that a transparent proxy is unable to identify users. 
This is not a limitation of Endian firewall, but a limitation of the 
transparent proxy method.

In order to identify users, you must set your users to use a non-transparent 
proxy. This method can allow the users to identify themselves as they make 
requests of the proxy. Endian is set up so that the users can be an internal 
list, an LDAP, or an Active Directory (which we use in our setup). To prevent 
users from getting around the use of the proxy (and thus enforcing that we 
identify our users), we block all outgoing traffic with the Endian firewall, 
especially ports 80 (http) and 443 (https).

The difficulty then becomes setting up your users' browser so that they use the 
proxy server. Endian does some magic here as well: They have already set up on 
the firewall a proxy.pac and a wpad.dat file, which are used in proxy 
auto-configuration. See these wikipedia articles:

http://en.wikipedia.org/wiki/Proxy_auto-config
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

For us, in a mixed environment, we have had mixed success with setting up the 
proxy server on users' browsers. On our Windows clients, we are able to set up a 
group policy which sets Internet Explorer's proxy settings for all our users 
automatically. For the Group Policy instructions, see here:

http://support.microsoft.com/kb/274846

Firefox on Windows required a little more work to get working, since it has 
its own proxy settings, and did not use the system's set proxy settings by 
default. I was able to make a login script which worked for us:

:: setffproxytoauto.cmd
:: If local-settings.js is not there yet, go write it. Otherwise, exit cleanly here.
if NOT exist "%programfiles%\Mozilla Firefox\defaults\pref\local-settings.js" goto :update
exit
:update
:: Load the preference.
echo pref("network.proxy.type", 4); > "%programfiles%\Mozilla Firefox\defaults\pref\local-settings.js"

The good news is that in Windows, when these settings are set, the in-browser 
support for NTLM kicks in and the users are identified by their Active 
Directory login, without having to provide any credentials when accessing the 
web.

-----

On the Mac side, it's been a different story.

Safari uses the proxy settings which are set in System Preferences. These 
settings can be set by an Open Directory, but if you don't have one you can push 
the settings using Apple Remote Desktop:

networksetup -listallnetworkservices | 
grep -v '*' | 
grep -i 'ethernet' | 
while read service; do 
        networksetup -setwebproxy "$service" <<INSERT PROXY IP>> 8080 
done

Firefox on the Mac has a script similar to the Windows version which I push 
with ARD to set its proxy:

echo pref\(\"network.proxy.type\", 4\)\; > \
/Applications/Firefox.app/Contents/MacOS/defaults/pref/local-settings.js

The problem with the Mac side of things is that the browsers do _not_ support 
NTLM, at least I haven't been able to make that work yet. Because of this, the 
users will be asked to authenticate when they try to access their first web 
page. What's worse, the browsers will ask multiple times for authentication in 
many situations: If your browser opens in many tabs and/or if your browser has 
RSS feeds in its bookmarks bar. This multiple-authentication popup moves it 
from Annoyance to Frustration. I am working on solutions to this, hopefully by 
making NTLM on Mac work with Endian.

Once your users are using the non-transparent proxy, you will have the option 
to allow or deny users based on your Access Policies. As a test, I have myself 
blocked from woot.com... and I can't get there, but my fellow workmates can.

I hope this information is useful. If you find any other useful tidbits, please 
send them back this way!


--Matt Ross
Ephrata School District
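
Added example (not part of the message above and not Endian's shipped file): a sketch of the kind of proxy.pac / wpad.dat logic the message relies on, sending internal destinations direct and everything else to the authenticating proxy. The proxy address 192.0.2.1 and the internal ranges are placeholders/assumptions; port 8080 is the one used in the networksetup command above.

```javascript
// Added example. Deployed as proxy.pac / wpad.dat, only FindProxyForURL and
// the vars above it are needed: the browser supplies isPlainHostName() and
// isInNet(). The stand-ins below exist so the logic can be run under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function ipToInt(addr) {
  return addr.split(".").reduce(function (n, octet) {
    return ((n << 8) | Number(octet)) >>> 0;
  }, 0);
}
function isInNet(ip, net, mask) {          // stand-in: IPv4 literals only
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Placeholder proxy address (documentation range); port 8080 as in the message.
var PROXY = "PROXY 192.0.2.1:8080";
var IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
// Assumed internal ranges; replace with the site's own LAN networks.
var LOCAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"]
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (intranet hosts, localhost) stay off the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // Only test literal addresses, so the PAC never triggers a DNS lookup.
  if (IPV4.test(host)) {
    for (var i = 0; i < LOCAL_NETS.length; i++) {
      if (isInNet(host, LOCAL_NETS[i][0], LOCAL_NETS[i][1])) return "DIRECT";
    }
  }
  // Everything else goes to the authenticating proxy. There is deliberately
  // no "; DIRECT" fallback, so a proxy outage fails closed instead of letting
  // the browser try to go out unidentified.
  return PROXY;
}
```
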


----- Original Message -----
From: wijendra_s [mailto:wijen...@ecomlk.com]
To: efw-user@lists.sourceforge.net
Sent: Tue, 12 Jan 2010 22:30:52 -0800
Subject: [Efw-user] Stop access internet of some users from the transparent proxy server


> 
> Hi All,
> 
> I am using an Endian Firewall as a transparent proxy server. Everything is
> working in order. Now I want to stop access internet of some users from the
> transparent proxy server. Please tell me, how to do?
> 
> Regards,
> 
> Wijendra.
> 
> 
> 
> -- 
> View this message in context:
> http://old.nabble.com/Stop-access-internet-of-some-users-from-the-transparent-proxy-server-tp27139615p27139615.html
> Sent from the efw-user mailing list archive at Nabble.com.
> 
> 
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev 
> _______________________________________________
> Efw-user mailing list
> Efw-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/efw-user
> 
