2

Firefox browser contains network settings under Tools --> Options --> Advanced --> Network --> Settings, and there is an option to auto-detect proxy settings; how should I enable this? Currently this is manually configured and it's possible for users to bypass it and use the internet directly. We use a variety of browsers (Firefox, IE, Chrome, Safari, Opera) on Win XP, Win 2003 and Win Vista machines. How should I enable this so that the end user cannot manipulate the settings in his browser to bypass security?

I have configured a squid cache proxy server for this purpose.

user42891

4 Answers

1

For Internet Explorer, you can enforce your proxy settings using Group Policy Objects if you have an Active Directory domain; but I don't know of any way to centrally manage other browsers.

Massimo
  • I am interested in a solution which can be consistently enforced across all browsers. It's very common to use multiple browsers in a dev environment – user42891 May 24 '10 at 17:34
  • Of course, but you can't manage them centrally if they don't have any central management feature... – Massimo May 24 '10 at 17:37
1

To set up the proxy automatically, use WPAD; the link includes links to pages about how to set up WPAD. Most browsers will use this to decide which proxy to use.

Even if you set up WPAD, and group policies to control IE, you still cannot completely force a proxy setting onto all browsers. A user could easily use a PortableApps browser or a live CD which you will have no control over. If you really need to lock things down, you will probably need to block all http/https traffic from leaving your network from any system other than the proxy.

If your users are really sophisticated you may need to block all outgoing traffic except what you explicitly permit. Even this will not be a 100% effective block. There are far too many people working on ways to make sure the internet is not censored.

It may be easier to simply use WPAD and group policies to set a proxy wherever possible, do some basic firewalling to block the obvious proxy traffic, and just monitor for anything else and deal with it at layer 8.

I do suggest that if you try to filter internet access, you do your best to filter the least amount possible. Trying to solve personnel problems with technology tends to cause as many layer 8 problems as it fixes.

Zoredache
0

This is where products like Microsoft's ISA Server / Forefront TMG can work well. Not only can it act as the proxy, but it can also handle being your IP gateway from the LAN to the web, so you can be sure that no traffic passes through it uninspected...

Rob Moir
0

As of Firefox Quantum 63, it already detects WPAD (DHCP 252) automatically without having to manually set it. And in the .pac file, redirect requests to squid.

source: Autodetect proxy in Firefox

acgbox
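As an added example (not from any of the answers above), this is a minimal PAC file of the kind WPAD would serve, as mentioned in Zoredache's and acgbox's answers. The proxy name squid.example.internal, port 3128 and the .example.internal domain are assumptions for illustration.

```javascript
// wpad.dat / proxy.pac -- added example, not from the original thread.
// Assumptions (constructed values): Squid listens on
// squid.example.internal:3128 and internal hosts live under .example.internal.
var SQUID = "PROXY squid.example.internal:3128";
var INTERNAL_SUFFIX = ".example.internal";

// True for dotted-quad literals in loopback or RFC 1918 ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) {
    return false;
  }
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Browsers call this for every request; the return value is the proxy list.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (no dot, and not an IPv6 literal) stay on the LAN.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  // So does the internal domain. The suffix includes the leading dot, so a
  // look-alike such as "evilexample.internal" does not match.
  if (host === INTERNAL_SUFFIX.slice(1) ||
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  // Everything else goes to Squid. No "; DIRECT" fallback is listed, so the
  // PAC file itself never tells a browser to go direct for external hosts.
  // It only steers browsers that honour it; blocking outbound http/https
  // from everything but the proxy is still what enforces the policy.
  return SQUID;
}
```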