Welcome. Get your technical questions answered and offer your help too!!!

Use EcoCash to buy NetOne & Telecel airtime online. Tap here
advertisement
advertisement
8.7k views
in Software by Expert (19.6k points)
retagged by
i'm looking into setting up a proxy server on a Windows 2008 R2 Server , where the client machines do not need any extra configurations to access the internet, I also need to be able to allow/block clients by IP address, filter content by file type and website. Cam anyone please suggest  a suitable solution to the scenerio?

Use EcoCash to buy NetOne & Telecel airtime online. Tap here
advertisement

3 Answers

+2 votes
by Guru (88.1k points)
edited by
Let me sale you some stuff my friend(although l dont get commission or pat on the from Cisco or Frogate)

Since you are saying buying equipment is not problem and have a cisco router already, how about buying a integrated appliance solution which does all that  from a single web browser. Its called Cisco Web Security Appliance

http://www.cisco.com/en/US/products/ps10164/index.html  

lf you ask a guy called Ben at Frogate in Avondale, he should be able to sort you out as they are major reseller of Cisco gear.
by Expert (19.6k points)
will send a proposal to my superiors, n contact you if approved
+1 vote
by Guru (88.1k points)
edited by
Im not getting a clear picture of your request.

Do you hav a router in your setup?

Is your win server acting as a default gateway?

Do you have a firewall in your network?

Bt based on the infor you gave, l guess your Win Server will be acting as a server, firewall, and default gateway(router).

If thats what you are having in mind trying not to splash more cash  on hardware, that route will eventually cost you more both in time spent maintaining the server and being forced to buy relevant hardware at a unplanned time.

Servers are meant to server, you can filter what it saves to clients bt asking it to do a job meant for firewalls is too much. Besides, it becomes an open target, depending on the sensitivity of files it caries. It might end up saving viruses into your network and become a nest for all evil deeds.

My advice is to have a dedicated firewall where you are going to create all the filtering rules. Then all your clients can have the address of the firewall as default gateway where rules are gona applied depending with client.

If your server is serving both public as well, l would suggest you create a dmz. This will allow outside clients to access the server, bt get blocked when they try to go into your network. For this, you will need either a second firewall or a router where you can put access list.

Also make sure your server does not initiate any connection request to your internal network as this can be used by hackers to evade firewalls and use the server as a stepping stone to attack your private network.

If you can not afford a firewall but you have old PCs not in use, you can convert them into a firewall by install a free linux firewall OS, here is a link to choose from;

http://en.m.wikipedia.org/wiki/List_of_router_or_firewall_distributions
+1 vote
by Guru (57.6k points)
I second Macdonald's advice, get a dedicated device - you dont have to spend huge amounts in many cases, but to get some/all of the features you desire you do need something thats not usually available in standard consumer gear

i personally use a Mini-ITX atom based motherboard with 4gb ram (2gb is more than enough though) and run PFsense which is a purpose built firewall/routing OS based on FreeBSD (so its free) which can run a proxy server (and in transparent mode as well) it effectively becomes the router for the network so such a device needs at least 2 network cards - one for your "LAN" and one for your "WAN"

The HP miniservers i see floating about on classifieds with an extra PCI-E network card or 2 will do the job also very easily and quietly too

Other alternative software to PFsense, includes but not limited to, IPCop, Zentyal (based on Ubuntu). All are basically Linux distributions specifically configured or developed to serve the purpose of routing/firewall needs

I Never recommend doing routing/firewalling/proxying with Windows Server EXCEPT when you have a large Active Directory deployment where the whole Single Sign On and integration tends to outweigh all the security and management overheads of running high risk internet services on windows

as Macdonald also mentioned - theres not a lot of info to go on with your current setup - specifically in terms of routers/access points etc
by Expert (19.6k points)
Sorry guys, i did not provide sufficient details. here is my scenario:
I'm in an enterprise environment, hardware is not a problem,..i already have a virtual machine running 2008 , I have a Cisco router with two WAN interfaces, connecting to two external networks
1: ISP
2:Head Office Branch.
My Default Gateway of  points to the Head office network,  and i have an old Linux proxy pointing to the ISP.

I have 200+ computers with multiple users, which means that i have to configure the proxy settings every time a new user logs in, that's y i need a transparent proxy, preferably a windows environment.
by Guru (57.6k points)
edited by
OK you cant do transparent proxy without the box sitting directly in-line with (in between) the WAN router and your LAN and physically seperating the 2 sides of the network hence my suggestion, its possible to do that with a VM if you set your network up right but its prone to failures (particularly user errors)

well you can do it without it being inline but you have 3 issues:
1) the proxy has to become the gateway for your lan devices which itself uses your router for its gateway and internet connections - can your dhcp service do this (ie set a custom gateway thats not itself)?
2) any routes that shouldn't go through the proxy have to be statically setup on the proxy server (i'm not sure how easy this is on Win Server) as well as being bypassed from the proxy server
3) users with anything more than a little tech savvy can easily bypass your proxy in a non inline setup without careful access rules on your router/firewall (which again are prone to user error mistakes or just not being done)

From your comments it sounds like you do need a Unified Threat Management system which includes this, in my recommendation above you would get a box to run PFsense or Zentyal (zentyal is easier to get setup but pfsense tends to be much more powerful particularly with firewall rules)
this is setup behind your cisco router (or replaces it if possible), which gets configured to send all traffic to your new box, your new box now connects to the lan and offers DHCP and DNS to the network (instead of your router assuming it did this) this new box runs squid in transparent mode, with any relevant bypasses enabled, this box also acts as the firewall to your LAN network protecting it from attacks

I think Microsoft ISA server can do this (now integrated with Win Server) and if your familiar with it then it probably will work but it should still sit inline between router and LAN.

that said with an environment of 200 computers your probably should have Active Directory setup and doing proxy config automatically via Group Policy and Single Sign On

btw you can also offer proxy config via DHCP as long as you dont require auth for the proxy but its not transparent mode (so could easily be bypassed again)
by Expert (19.6k points)
i've looked into ISA Server, which has now been upgraded to Microsoft Forefront Threat Management Gateway 2010, but it seems to be a lot of work or the time being, will look into it when i get time. For now i feel the last option you suggested is not that complex,...will look into it thanks.
Welcome to Techzim Answers,

You can ask questions and receive answers from the Zimbabwean internet community.

If you're not sure how to proceed from here just click here and ask
...