On Fri, 3 Sep 2004, Rick G. Kilgore wrote:

> The second networks, routers and layer three switches are controlled by a higher state network group, much like an ISP with no single point of ingress or egress. The department that I am trying to help would like to use squid to finally lock down Internet access due to virus/malware/spyware and just junk slowing machines down.
>
> The network is spread across several subnets, buildings etc. The network does use DHCP. Can I use squid as a gateway, so to speak? I.e. change the DHCP for the affected subnets to point to an interface on the squid server and allow all traffic through it with the ability to block and filter Internet access. Or is this just a plain bad idea? The section I am working with really does not want to install a large number of squid servers to try and resolve the problem.


The best solution is to talk to the "ISP" to make sure direct access to the WWW is blocked for all stations except the proxy, then set up DHCP and preferably also the DNS to return WPAD configuration data, giving the users automatic discovery of the proxy service, or go around to the stations and configure proxy settings manually.

As long as the network infrastructure supports direct unlimited access to the Internet, users who want to will find out how to use it, even if you try to hint to them not to via DHCP and similar. Also, if the network is spread out this is not really an option, as you then need to have some presence in each and every LAN / DHCP scope to have the traffic redirected, and these will also become a bottleneck for the whole network, not just Internet traffic.

Regards
Henrik
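The WPAD configuration data Henrik mentions is a proxy auto-config (PAC) script that browsers fetch from the URL handed out via DHCP option 252 or via a `wpad` DNS record. The script below is an added example and not part of the original thread or of Squid itself; the proxy address `proxy.example.internal:3128`, the internal domain `.example.internal` and the RFC 1918 ranges listed are placeholder assumptions. Browsers supply `isPlainHostName`, `dnsDomainIs` and `isInNet` themselves; they are reimplemented here so the script also runs stand-alone under Node.

```javascript
// Added example WPAD/PAC script (not from the original thread). The proxy
// address, internal domain and internal subnets below are assumptions.

const PROXY = "PROXY proxy.example.internal:3128"; // assumed Squid listener
const LOCAL_DOMAIN = ".example.internal";          // assumed internal DNS suffix
// Assumed internal address ranges; traffic to these never goes to the proxy.
const INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
];

// Stand-in for the browser-provided PAC helper: true for unqualified names.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for the browser-provided PAC helper: case-insensitive suffix match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

// Parse a dotted-quad literal into an unsigned 32-bit integer, or null.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// The browser's isInNet() resolves names before comparing; this stand-alone
// version only matches IP literals, so a hostname is treated as "not in net".
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Entry point every PAC script must define; the browser calls it per request.
function FindProxyForURL(url, host) {
  // Unqualified names and hosts under the internal domain stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_DOMAIN)) {
    return "DIRECT";
  }
  // Loopback and internal address literals also stay direct.
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  for (const [net, mask] of INTERNAL_NETS) {
    if (isInNet(host, net, mask)) return "DIRECT";
  }
  // Everything else goes through Squid. No "; DIRECT" fallback is appended:
  // with direct WWW access blocked at the edge the fallback could never work,
  // and without that block it would let a client bypass the filter whenever
  // the proxy was unreachable, which is the gap Henrik's first sentence closes.
  return PROXY;
}
```

Serve the file as `wpad.dat` with the MIME type `application/x-ns-proxy-autoconfig` and point DHCP option 252 (or the `wpad` host record in the local domain) at its URL; the decision to omit a `DIRECT` fallback only holds together with the edge block on direct access, since a PAC file is a hint to cooperating clients, not an enforcement point.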
