On 2016-10-29 20:40, paul.greene...@verizon.net wrote:
I've inherited a squid proxy at work; I'm new to squid, so this is
still on the learning curve. Unfortunately no one else in the office
is very good with squid either, so I'm attempting to be the resident
guru.

Our network is all in private IP address space. A MS WSUS server and a
Symantec Endpoint Protection Manager server need to get through the
squid proxy to get out to MS and Symantec respectively for their
updates. Some other servers are coming online in the near future that
will also need to get out to their respective vendors to get updates,
including a Redhat Satellite server.

For these WSUS and SEPM servers, they have to go through the proxy I'm
working with, through a Cisco firewall, upstream to a McAfee web
gateway, and through another gateway after that. After traffic gets
past that Cisco firewall, a different networking group is responsible
for any upstream configuration.

None of our other servers, except these specialty servers that need to
get out to their respective vendors for updates, have direct access to
the internet.

Our firewall guy says what he's seeing in his logs is that traffic
destined for port 443, after it goes through the proxy, is trying to
go straight to the vendor over the internet, rather than go through
the upstream McAfee gateway as required, and thus, the traffic is
getting dropped by the Cisco firewall. I did a packet capture test
with the McAfee gateway guy, and he confirmed that no traffic coming
from either the WSUS or the SEPM is reaching his gateway.

I thought this line in the squid.conf file should send traffic from
our proxy to the upstream McAfee gateway, but maybe I'm
misunderstanding the intent of the cache_peer parent parameter.

cache_peer <McAfee Gateway IP address> parent 8080 3130 proxy-only no-query no-netdb-exchange default login=username:password

(if placement of this cache_peer parameter matters, it's currently near
the end of the squid.conf file)

As a test, I configured internet explorer on the WSUS server to use
the proxy for internet access. Without configuring for the proxy, IE
can't go anywhere except the local network. IE can hit http websites
(i.e. www.cnn.com) when it's configured to use the proxy, but not
https websites.

The Safe_ports and SSL_ports list is the same as the squid.conf
defaults.

This is squid 3.3 running on Redhat 7.

Any suggestions or pointers?

PG
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Please use plain text (not HTML) for messages next time, as it hurts people reading messages on the web archive [1]. Also, IMO, it increases the chances a message would be answered. Thanks.

[1] http://lists.squid-cache.org/pipermail/squid-users/2016-October/013308.html

Garri