Greetings,
The goal is to manage a LAN of 50-100 users dynamically controlling
with access list the sites each user can see, and the ones they cant.
I also need a simple way of controlling their internet route so that
they can be changed to use different IPs from different peer proxies
around the world (which i already have). All of this done 100%
transparent to the user, all config must be able to be dynamically
changed via the server level. Current services used by the users are:
Port 80, Port 443, and port 21 and a messenger XML port.
Dilemmas:
a.) Squid cannot proxy/forward SSL in tranparent mode. So what are my
options? Forward port 80 through a different protocol perhaps a VPN
just for port 443 so that the particular user originates his/her
requests from the IP i want it to be. Not to mention that not all
users would be using the same src IP for port 443 so that at least I
would have to manage 4-5 different tunnels the way I see it?
b.) Squid cannot use the FTP protocol to upload files. Thus I would
need to install on all the remote routes another true FTP compliant
proxy.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Why I need this to be 100% transparent:
No user should ever be allowed to surf the internet with their local
IP all communication should be proxied to a specific route so no
bypassing allowed thus the need for a FORCED transparent proxy.
My users have a number of different browsers installed ranging from
opera, firefox, IE... besides they have applications that manage
updates that would also need to have the proxy configured such as
AntiVirus software, Anti Spyware. There are ways to automatically
config brwosers but what about ftp clients, virus and adware software?
We have sites that my users need not be proxied/vpned out because they
are in the same location. So aside from configuring each proxy in the
browsers stuff like a LAN CRM woudl have to be configured as
exceptions.
Not all users will use the same proxy, there would be at least 5
possible routes so internal routing must be done.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So, all of this is resumed into two proxy software combined with
tunnels/vpns. Even if this is done like I suggest I think network
diagnostics/maintenance would be *very* time consuming.. Would you
guys agree?
Is there any commercial solution/open source solution that can do what
I want in a combo way? Btw due to the nature of SSL i dont expect to
have allow lists or deny lists but it should in a way proxy it so that
i can set custom src IPs per user.
--Andres
Received on Sat Oct 24 2009 - 09:14:40 MDT
This archive was generated by hypermail 2.2.0 : Mon Oct 26 2009 - 12:00:02 MDT