Kinkie wrote:
>> It's no less secure than CONNECT tunneling, and from Squid's standpoint
>> it may be more secure - fewer ports on which CONNECT is allowed.
> This is the only solution in this case I think, since Squid only
> understands HTTP and not the various IM protocols.

Yes - the only way to get IM to work through Squid is to explicitly configure the application to use a proxy (because it will then tunnel its protocol over HTTP via the proxy). Transparent proxying will not work.

> The only downside to it is that since DNS is never taken in the equation
> (except maybe at the time the chains are built) it is slightly more
> expensive to maintain than - say a CONNECT + dstdomain + port ACL.

In a transparent proxy environment, the clients are already doing their own DNS lookups, so nothing changes here.

However, transparent proxying itself is a bad idea. It's a violation of the HTTP standard, and can sometimes break unexpectedly in very strange ways (just look at all the reports of Hotmail issues over the last week). A more robust setup is to use proxy autoconfiguration scripts to pass proxy settings to the clients. This also makes it easy to load balance and allow automatic failover (using round-robin DNS).

Adam
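The kind of proxy autoconfiguration (PAC) script the reply recommends, as an added example that is not part of the mailing-list post. The host names, port and address ranges are constructed placeholders: `proxy.example.internal` stands for a round-robin DNS name that resolves to several Squid instances (the load-balancing the post describes), and `proxy2.example.internal` for a separate fallback. Browsers supply the PAC helper functions themselves; minimal re-implementations are included so the script can be run and checked outside a browser.

```javascript
// Added example of a PAC script; not code from the original post.
// All host names, ports and networks below are constructed placeholders.
//
// Browsers provide isPlainHostName, dnsDomainIs, shExpMatch and isInNet.
// These minimal versions exist only so the script runs outside a browser.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  const h = host.toLowerCase(), d = domain.toLowerCase();
  return h.length >= d.length && h.slice(-d.length) === d;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' one character.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

// The browser helper resolves the name itself; this stand-in expects a
// literal dotted IPv4 address, which is all the example needs.
function isInNet(ip, pattern, mask) {
  const toInt = (s) =>
    s.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
  return (toInt(ip) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// Several PROXY entries separated by ';' give clients automatic failover:
// each is tried in turn, and DIRECT is used only if every proxy is down.
function FindProxyForURL(url, host) {
  // Local and intranet traffic never goes through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Private address space (RFC 1918 10/8) stays direct as well.
  if (shExpMatch(host, "10.*") && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else: the load-balanced name first, then the fallback.
  return "PROXY proxy.example.internal:3128; PROXY proxy2.example.internal:3128; DIRECT";
}
```

Serve the file with the `application/x-ns-proxy-autoconfig` content type and point the clients at its URL; an IM client that honours the browser proxy settings will then issue CONNECT to whichever Squid instance the round-robin name hands it, and fall over to the next entry if that instance is unreachable.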
