July 7, 2011

Firewall HTTP Proxy in non-transparent mode

http://kb.endian.com/entry/22/





You can let browsers obtain the proxy configuration automatically. The only precondition is that you roll out the browsers with "Auto-detect proxy settings" enabled, which is the default for both Firefox and Internet Explorer.

If you use the DHCP server or DNS proxy (or both) of Endian Firewall, there is nothing more to do. Otherwise you have two ways to make your clients find the proxy configuration on Endian Firewall:
1. Add a hostname called "wpad" to your local DNS and make it point to the Endian Firewall. You should then be able to reach Endian Firewall at http://wpad/; otherwise it will not work.
2. Add a custom option to your DHCP server so that it pushes the WPAD URL along with the other DHCP information.
Example for ISC DHCP server:

Global option:

option wpad code 252 = text;

Option for each subnet configuration:

option wpad "http://YOUR_EFW_IP_ADDRESS/proxy.pac";

Replace YOUR_EFW_IP_ADDRESS with the IP address your Endian Firewall has in the respective zone.
Note: If you want to force your users to use the proxy, you need to block the HTTP ports within the outgoing Proxy. Otherwise a user may disable the proxy in his/her browser and simply go out directly without being blocked.
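The following is an added example, not part of the original article or of Endian's software: a small checker that reads an ISC dhcpd.conf and reports whether the global option 252 declaration is present and which subnets actually push a WPAD URL. The function names and the sample configuration (documentation-range addresses) are constructed for illustration.

```python
import re

# Constructed sample dhcpd.conf; addresses are documentation ranges, not from the article.
SAMPLE_CONF = '''
option wpad code 252 = text;

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option wpad "http://192.0.2.1/proxy.pac";
}

subnet 198.51.100.0 netmask 255.255.255.0 {
    range 198.51.100.100 198.51.100.200;
    # option wpad "http://198.51.100.1/proxy.pac";   (commented out: not pushed)
}
'''

def strip_comments(text):
    """Drop '#' comments so commented-out options are not counted.
    Simplification: assumes no '#' appears inside a quoted value."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def check_wpad(conf_text):
    """Return (declared, subnets): whether 'option wpad code 252 = text;' exists,
    and a dict mapping each subnet address to its WPAD URL (None if missing)."""
    text = strip_comments(conf_text)
    declared = re.search(r"\boption\s+wpad\s+code\s+252\s*=\s*text\s*;", text) is not None
    subnets = {}
    for m in re.finditer(r"\bsubnet\s+(\S+)\s+netmask\s+\S+\s*\{", text):
        # Walk forward to the brace that closes this subnet block (handles nested pools).
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        opt = re.search(r'\boption\s+wpad\s+"([^"]*)"\s*;', body)
        subnets[m.group(1)] = opt.group(1) if opt else None
    return declared, subnets

if __name__ == "__main__":
    declared, subnets = check_wpad(SAMPLE_CONF)
    print("option 252 declared globally:", declared)
    for net, url in subnets.items():
        print(net, "->", url or "NO WPAD URL PUSHED")
```

Clients in a subnet reported without a URL receive no proxy location over DHCP and depend on the "wpad" DNS name instead.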
