I keep seeing references to something called Squid, but I take it that's only for Linux. Rather than needlessly pay $1,000+ bucks for a content filtering subscription on our firewall, I'm seeking an alternate method (and if it's free, all the better!). Any ideas?
What stops you from using the (free) Squid on a (free) virtual machine with a (free) Linux? – mailq Aug 11 '11 at 22:17
What stops you from using the (free) Squid on Windows? – Evan Anderson Aug 11 '11 at 22:45
3 Answers
I'm a little embarrassed to admit that I've done this before, but the "cheapest" way I've found to do this (assuming the user can't install or otherwise use third-party web browser software) is to use Group Policy to configure Internet Explorer to use a bogus HTTP / HTTPS proxy server (i.e. an IP / port that doesn't answer-- preferably one that actually rejects the TCP connection attempt). I put "permitted" web sites into the proxy bypass list.
It's a very "cheap" way to do what you're looking for and utterly easy to bypass if the user can install or use third-party browser software.
One "righter" way to do this would be to force outbound HTTP / HTTPS through a proxy server that allows for per-user ACLs. Squid with NTLM authentication can do this with no software licensing cost and can provide a fairly nice transparent authentication experience for domain-joined Windows machines accessing web sites through it. You can run Squid on Windows if you're averse to running it on Linux. Squid on Windows with Active Directory-based authentication is fairly easy to set up.

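The per-user whitelist through Squid with NTLM authentication described in the answer above, as an added example configuration that is not part of the original answer. It assumes Squid on a domain-joined Linux host using Samba's `ntlm_auth` helper; the helper path, the two list file paths and their contents are assumptions to adapt.

```conf
# Added example squid.conf fragment; paths and list files are assumptions.

# NTLM authentication through Samba's ntlm_auth helper.
# The proxy host must already be joined to the AD domain (winbind running).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Users limited to the whitelist, one login per line, written in the
# form the authentication helper reports them (assumed file path).
acl restricted_users proxy_auth "/etc/squid/restricted_users.txt"

# Permitted destinations, one domain per line (assumed file path).
# A leading dot (.example.com) also matches subdomains.
acl whitelist dstdomain "/etc/squid/whitelist.txt"

# Any successfully authenticated user.
acl authenticated proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Only web ports, and CONNECT tunnels only to 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Restricted users reach whitelisted domains and nothing else.
# Order matters: the first matching http_access line decides.
http_access allow restricted_users whitelist
http_access deny restricted_users

# Other authenticated users are not filtered; everything else is refused.
http_access allow authenticated
http_access deny all
```

The ACLs only bind traffic that actually goes through the proxy, so the firewall still has to block direct outbound 80/443 from client machines, which is what "force outbound HTTP / HTTPS through a proxy server" amounts to.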
How many computers? If a small number, use Windows DHCP Server to reserve their IPs from a range that has firewall rules allowing port 80/443 access only to the whitelist.

How would I configure this whitelist? That's what I'm trying to figure out. – Bigbio2002 Aug 11 '11 at 22:43
The built-in Windows firewall. We also have a Sonicwall device we could configure. – Bigbio2002 Aug 12 '11 at 15:44