Dominic,

This is probably best done on another machine rather than on the pfsense box 
itself. Squid with NTLM and AD integration (through samba/winbind) can be quite 
demanding on system resources so I would recommend keeping this off your 
firewall. In any case I don't believe the functionality for this is built into 
the pfsense squid package (Some people have expressed their interest in it 
though).

While squid is good for blocking known bad sites etc. it is really quite limited 
in how it can control access. For this reason I would recommend looking into 
using something such as DansGuardian. DG uses numerous rules to identify 
offending content and can do a lot; it also now has built-in NTLM 
authentication support so you can control access based on the user without 
having to 're-authenticate' the user.

I have been running a proxy built with DansGuardian (Content Filter), 
Squid (Caching proxy and NTLM authentication proxy), ClamAV (Virus Scanning) 
and Samba (Winbind for domain auth) for a long time now with very few issues on 
a medium-sized domain (Note: You can do away with using squid as the NTLM auth 
proxy as DG has NTLM support built in now).

This setup does for us what we were paying in excess of $7,000 per year for a 
dedicated appliance to do.

Go to dansguardian.org for more info.

Regards,
Daniel Davis

-----Original Message-----
From: Dominic [mailto:dominic....@gmail.com] 
Sent: Wednesday, 21 July 2010 10:43 PM
To: support@pfsense.com
Subject: [pfSense Support] pfSense 1.2.3 - Squid authentication

Hi,

I have been using pfSense for a while and it's been great, but now the
need has come in to enforce stricter
user access through the squid proxy.

Is there a way I can do authentication through a Windows 2003 Domain
Controller and be able to block certain
users from using the proxy based on their login and possibly also deny
certain sites for certain users? For example
allow all managers to access Facebook but deny all users? (Yes I know
it's a cruel world).

I know I can block by IP but this doesn't help as many users work
through Citrix, I need to be able to deny by username.

Please advise.

Thank you in advance.

Dominic.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

