Dominic,
This is probably best done on another machine rather than on the pfSense box
itself. Squid with NTLM and AD integration (through samba/winbind) can be quite
demanding on system resources so I would recommend keeping this off your
firewall. In any case I don't believe the functionality for this is built into
the pfSense squid package (some people have expressed their interest in it
though).
While squid is good for blocking known bad sites etc., it is really quite limited
in how it can control access. For this reason I would recommend looking into
using something such as DansGuardian. DG uses numerous rules to identify
offending content and can do a lot; it also now has built-in NTLM
authentication support so you can control access based on the user without
having to 're-authenticate' the user.
I have been running a proxy built with DansGuardian (Content Filter),
Squid (Caching proxy and NTLM authentication proxy), ClamAV (Virus Scanning)
and Samba (Winbind for domain auth) for a long time now with very few issues on
a medium-sized domain (Note: You can do away with using squid as the NTLM auth
proxy as DG has NTLM support built in now).
This setup does for us what we were paying in excess of $7,000 per year for a
dedicated appliance to do.
Go to dansguardian.org for more info.
Regards,
Daniel Davis
-Original Message-
From: Dominic [mailto:dominic@gmail.com]
Sent: Wednesday, 21 July 2010 10:43 PM
To: support@pfsense.com
Subject: [pfSense Support] pfSense 1.2.3 - Squid authentication
Hi,
I have been using pfSense for a while and it's been great, but now the
need has come in to enforce stricter
user access through the squid proxy.
Is there a way I can do authentication through a Windows 2003 Domain
Controller and be able to block certain
users from using the proxy based on their login and possibly also deny
certain sites for certain users? For example
allow all managers to access Facebook but deny all users? (Yes I know
it's a cruel world).
I know I can block by IP but this doesn't help as many users work
through Citrix, I need to be able to deny by username.
Please advise.
Thank you in advance.
Dominic.
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
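
Added example, not part of the original thread or of the pfSense squid package: a squid.conf fragment for the setup discussed above (NTLM authentication through Samba/winbind, then per-group rules so access follows the username rather than the client IP). The helper paths, the AD group name "Managers" and the child/TTL values are assumptions; adjust them to the Squid host.

```conf
# Added example. Assumes a separate Squid host already joined to the
# Windows domain with Samba, with winbindd running. Paths vary by distribution.

# NTLM authentication via Samba's ntlm_auth helper (talks to winbind)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Resolve AD group membership of the authenticated user through winbind
# (wbinfo_group.pl ships with Squid; its location is an assumption here)
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl

# Every request must carry valid domain credentials
acl authenticated proxy_auth REQUIRED
# "Managers" is a hypothetical AD group name
acl managers external ad_group Managers
acl facebook dstdomain .facebook.com

# http_access rules are evaluated top to bottom; the first match wins
http_access deny !authenticated
http_access allow facebook managers
http_access deny facebook
http_access allow authenticated
http_access deny all
```

The account Squid runs as needs read access to winbind's privileged pipe directory (winbindd_privileged), otherwise ntlm_auth fails and every request is denied. Because the rules key on the authenticated login, users sharing one Citrix server address are still handled individually.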