Nick Duda wrote:
I've successfully built and deployed a Transparent squid solution, failover using WCCP, 
with the ability to perform NTLM authentication for the employees transparently (not 
using PROXYAUTH, using SmartFilters Authentication processes). We can now have an office 
that can lose one or both transparent proxy servers and still browse to the internet as 
"if all else fails" using WCCP, maintaining NTLM authentication for ACLs and 
logging and perform content filtering.

Couple questions, has anyone else done a setup like this? I'm curious to deploy 
this (slated for next week, to an office of 500). We have fully tested the 
solution, but we are moving away from using the normal squid NTLM helpers (no 
more winbind/samba needed) and curious to what others have seen using 
smartfilters ntlm processes under heavy load. One of our offices using winbind, 
squid ntlm helper shows about 30-40 ntlm requests (which I noticed is per web 
request...lots of domain controller talking).

Also, using WCCP is it possible to have squid (with basic routing on the linux 
box) send the return reply from the internet out another interface?

Client ----- Switch ----- Router w/WCCP ----- ASA ----- Internet
                                        |
                   |------------squid

(I hope that ascii drawing above comes out ok lol). Client makes request to 
google.com. Request hits the router, setup with WCCP and sends it to the squid 
proxy, which hangs off its own VLAN from the router. The request goes through 
the proxy then back up to the router and out to the internet. The request from 
the internet google.com comes back to the router, down to the proxy......I'd 
like that to now go back to the client on the interface on the proxy that is 
connected to the switch. Is the client going to want to see the reply coming 
back through the router to them?

- Nick

I run a very similar setup here for my wifi clients. Not using NTLM, but other out-of-band authentications during intercepted requests.

For HTTP the client won't care where the response comes from. That's why transparency works. Other protocols like HTTPS and non-extended FTP fail though.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
