
Forcing HTTP requests to Proxy

  • 14-08-2006 11:37am
    #1
    Registered Users Posts: 1,477 ✭✭✭


    Anyone know how to do this? I have a proxy server on a site. The trouble is the site is split into many separate businesses, and I can't control all the PCs. I need a utility that will sit on a specified default gateway and force all HTTP/HTTPS traffic through a proxy; basically I need a transparent proxy but the proxy I am using doesn't function as one. If I can catch port 80/443 at the gateway box I can then send it upstream to the proxy without anyone knowing.
    Any help would be great.

    BTW, this is a MS based system, I know Squid, SafeSquid etc would be great, they are non runners!


Comments

  • Registered Users Posts: 7,541 ✭✭✭irlrobins


    Moving to net/comms forum.


  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    azzeretti wrote:
    BTW, this is a MS based system, I know Squid, SafeSquid etc would be great, they are non runners!
    You can run Squid on Windows.

    http://squid.acmeconsulting.it/


  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    Foxwood wrote:
    You can run Squid on Windows.

    http://squid.acmeconsulting.it/

    I can't. Like I said, they are non runners - for various reasons.


  • Registered Users Posts: 1,656 ✭✭✭rogue-entity


    First I must add my obligatory why-are-you-using-windows-server-software remark. Second, I don't honestly know if what you want to do can be easily done with the software that comes with Windows Server, but here goes:

    Let's say you have 10 clients, a proxy server and a gateway server computer. Set the gateway to only forward packets going to port 80 if its client IP is that of your proxy server (only allow the proxy to talk to external websites). Set the gateway to forward all connections to port 80 on the outside to your-proxy-ip:your-proxy-port e.g. 10.10.10.10:8080 (transparently forward website requests to the proxy instead).
    Allow direct connections to the proxy server from all your clients.

    Traffic to websites should then flow as follows:
    Client > Gateway > Proxy Server > Gateway > Internet.

    If you have multiple gateways just have them all forward to your proxy, or set up more than one proxy for each site depending on your resources. I can't provide any more detailed information as I don't know exactly what server software programmes you are using, what operating systems are on your gateway and proxy, what versions etc. Why exactly can't you just get a dedicated Linux Gateway/Router/Proxy/Content filter? It's FREE, as in you pay €0 for the software. And it would be easier than wasting money on Windows licences and using two separate servers etc.


  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    azzeretti wrote:
    I can't. Like I said, they are non runners - for various reasons.
    Actually, you implied that it was a non runner because "this is a MS based system".

    You haven't said what the "specified default gateway" is - if you want a utility that will "sit on a specified default gateway", it would be helpful to know what the gateway is.

    If the gateway is a Windows Small Business Server, then you can run Squid on it. If you can't run Squid for political reasons, rather than technical, then what sort of utility are you allowed to run?


  • Registered Users Posts: 1,477 ✭✭✭azzeretti



    Traffic to websites should then flow as follows:
    Client > Gateway > Proxy Server > Gateway > Internet.

    Yeah, I had tried this but the trouble is that it just loops.
    E.g. HostA sends an HTTP request to www.boards.ie. Its first hop is its default gateway, GWA, which will redirect this request to ProxyA on port 8080. ProxyA accepts the connection and passes this to its default gateway, GWA, on port 80, which accepts the connection and redirects it to ProxyA etc, etc, etc. The request never leaves the LAN!!

    EDIT: Mind you, now that I think about it, I could create a rule based on the host's (ProxyA) source address and run this to the WAN link, instead of redirecting back to ProxyA. Umm, will check this out.

    The trouble is I only have one route to the WAN link and I can't change on hosts network settings as I don't control them.

    I know this will turn out to be really easy but I've thought about it way too much now that I can't think, if you know what I mean.

    I could go for a Linux based config but I need to hand this over to a "sys admin" (used lightly) who insists on a nice friendly GUI - no conf file editing here.


  • Registered Users Posts: 288 ✭✭gordonnet


    How about using Microsoft ISA Server? http://www.microsoft.com/isaserver/default.mspx

    It should do what you need.


  • Closed Accounts Posts: 1,467 ✭✭✭bushy...


    You're nearly there, you just need a rule in the gateway to stop proxy loops: let stuff from the proxy out before it hits the "send everything to the proxy" rule. Watch you don't create an open proxy by accident.


  • Registered Users Posts: 1,656 ✭✭✭rogue-entity


    ^ is right, your gateway rules seem to be the wrong way around.

    1. Send traffic from PROXY to INTERNET
    2. Send traffic to INTERNET for port 80 to PROXY.

    The idea is that the proxy requests to the internet are left alone, but any attempt to access port 80 is forced through the proxy. If your gateway is more sophisticated it can probably be set to force HTTP traffic to the proxy instead of just doing it by port, but it depends on what you guys are using. You never said.

    Linux can be set up with a GUI that will make configuring the firewall rather easy as well as handling redirects. And Linux will let you use DansGuardian (internet content filter) which is superior to most all competing technologies like WebSense and Bess/SecureComputing/N2H2.
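
The rule ordering worked out in this thread, as an added example that is not any poster's code: a vendor-neutral Python model of a first-match gateway rule table, showing the redirect loop, the corrected order, and a redirect rule broad enough to relay outside sources. The LAN range, client address, outside address and all function names are assumptions; 10.10.10.10 is the proxy address from the thread's example.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("10.10.10.0/24")    # constructed LAN range (assumption)
PROXY = ip_address("10.10.10.10")    # proxy address used in the thread's example

def proxy_out(src, dport):
    """Rule 1 in the thread: traffic from PROXY to INTERNET goes out untouched."""
    return "WAN" if src == PROXY and dport == 80 else None

def redirect_lan(src, dport):
    """Rule 2 in the thread: port 80 traffic from LAN hosts is sent to the proxy."""
    return "PROXY" if src in LAN and dport == 80 else None

def redirect_any(src, dport):
    """Over-broad variant: redirects port 80 from any source, WAN side included."""
    return "PROXY" if dport == 80 else None

def gateway(rules, src, dport):
    """First matching rule wins; unmatched traffic is dropped."""
    for rule in rules:
        action = rule(src, dport)
        if action:
            return action
    return "DROP"

def trace(rules, client, max_hops=8):
    """Follow one HTTP request; the path ends in WAN, DROP or LOOP."""
    path, src = [], ip_address(client)
    for _ in range(max_hops):
        action = gateway(rules, src, 80)
        path.append(action)
        if action != "PROXY":
            return path
        src = PROXY  # the proxy re-originates the request towards port 80
    return path + ["LOOP"]

def relays_outsiders(rules, outsider="203.0.113.5"):
    """True if a WAN-side source would be handed to the proxy (open-proxy risk)."""
    return gateway(rules, ip_address(outsider), 80) == "PROXY"

LOOPING = [redirect_lan, proxy_out]    # redirect evaluated before the exception
FIXED = [proxy_out, redirect_lan]      # proxy exception evaluated first
TOO_BROAD = [proxy_out, redirect_any]  # no loop, but matches outside sources

if __name__ == "__main__":
    for name, rules in (("looping", LOOPING), ("fixed", FIXED), ("too broad", TOO_BROAD)):
        print(name, trace(rules, "10.10.10.21"), "relays outsiders:", relays_outsiders(rules))
```

The model only covers port 80 by source address, matching the two rules posted above; a real gateway would also scope the redirect to the LAN-facing interface.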

