On Tue, Nov 10, 2009 at 5:30 PM, Matthew W. Ross
<[email protected]> wrote:
>> Squid, to be precise.
>
> Do you use Active Directory to authenticate your users?
Yup.
> Does the NTLM authentication on IE and Firefox work so your
> users don't even see it authenticate?
Yup. Once Squid is configured for NTLM, both MSIE and Firefox
transparently authenticate using the user's Windows login identity.
> Being a school, knowing who went where, when, from which
> computer is important.
Squid logs every URL requested, with time stamp, client machine IP
address, and authenticated user ID.
I've got a Perl script I use to make searching/viewing the logs easier.
Translating URLs into high-level "what did the user do?" isn't
always easy (with any proxy), but if you're just looking to see who
did what when, this works great.
> I've been using Squid/Dansguardian for a while. Works so-so, but
> we were using the transparent proxy, which can't pick up the user
> name automatically.
If you're already running Squid, it should be fairly easy to add
NTLM authentication. The following would be the basic commands for
the Squid config file:
# configure NTLM authentication, using winbind
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
# require authentication
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
If you don't already have Samba configured as an Active Directory
member to support winbind authentication, I can tell you how to do
that, too. :)
> If you're using squid, is it your own gray box running a generic linux
> distribution?
We're running CentOS (Red Hat Enterprise Linux clone) on an old
Gateway "server". Linux runs on just about anything, from an old PC
to a modern Dell server. Squid is also available for Win32, if you
want to go that route.
-- Ben
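
Added example (not part of the original message, and not the Perl script mentioned in it): a small Python search over Squid's native access.log layout that answers who went where, when, and from which machine. The sample lines, the EXAMPLE domain and the user names are constructed, and the handling of the user field (optional URL-escaping, optional DOMAIN\ prefix) is an assumption about how the name is logged.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample: time elapsed client result/status bytes method URL user peer type
SAMPLE_LOG = """\
1257892200.123     12 192.0.2.21 TCP_DENIED/407 1789 GET http://example.com/ - NONE/- text/html
1257892200.456    240 192.0.2.21 TCP_MISS/200 5120 GET http://example.com/ EXAMPLE\\jdoe DIRECT/203.0.113.10 text/html
1257892260.789     95 192.0.2.34 TCP_MISS/200 880 GET http://example.org/news asmith DIRECT/203.0.113.20 text/html
1257895800.001     30 192.0.2.21 TCP_HIT/200 2048 GET http://example.com/logo.png EXAMPLE\\jdoe NONE/- image/png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\w+)/(?P<status>\d{3})\s+"
    r"\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+"
)

def parse_line(line):
    # Returns a dict for one access.log line, or None if it does not parse.
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    # Assumption: the user field may be URL-escaped and may carry a DOMAIN\ prefix.
    rec["user"] = unquote(rec["user"]).rsplit("\\", 1)[-1].lower()
    return rec

def search(lines, user=None, client=None, start=None, end=None):
    # All filters are optional; start/end are timezone-aware datetimes.
    hits = []
    for line in lines:
        rec = parse_line(line)
        # Skip junk and entries with no user, e.g. the 407 challenges that
        # precede each NTLM-authenticated request.
        if rec is None or rec["user"] == "-":
            continue
        if user and rec["user"] != user.lower():
            continue
        if client and rec["client"] != client:
            continue
        if (start and rec["when"] < start) or (end and rec["when"] > end):
            continue
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for r in search(SAMPLE_LOG.splitlines(), user="jdoe"):
        print(r["when"].isoformat(), r["client"], r["user"], r["url"])
```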