
The end goal of what I'm trying to achieve is: block access to certain websites and view bandwidth used by IP address, without changing my employees' gateway address.

--

Our internet connection is currently served by a Cisco router. The Cisco router also hands out the DHCP addresses. I do not have administrative rights to this Cisco router. I cannot change anything on it.

I want to install a proxy server that sits between my employees' computers and the Cisco router.

Naturally I don't want my employees to know that I'm setting up a proxy server, so preferably their IP address range will not change and neither will their gateway address.

I've been looking at Squid and its transparent proxy service, but from what I understand it will require that the Cisco router, when it hands out a DHCP address, change the gateway address to the IP address of my proxy server.

The proxy server will then receive traffic from my employees' computers, and the proxy server will then forward valid requests to the Cisco router.

This is not an ideal solution for me.

Am I misunderstanding how Squid works, or is there another solution that I can implement?

Thank you

Jason246
  • Can you put the proxy in front of the Cisco router between it and the internet? – Ape-inago Oct 08 '13 at 14:32
  • "I don't want my employees to know that I'm setting up a proxy server" - It's understandable from your point of view, but it might make you liable depending where in the world you are. Check with a lawyer or your union/work council (if there is something like that)! – fuero Oct 09 '13 at 05:44
  • @Ape-inago - I've contacted the people who installed my network with the question. If this is possible, Squid will still be setup as a transparent proxy? Will it be possible to still have the Cisco Router doing the DHCP assigning? – Jason246 Oct 09 '13 at 06:49
  • @Jason246 - The idea with putting it in front of the router is that all the traffic going into the router ends up passing through the squid proxy first. But thinking about this, I may have jumped the gun, the proxy in this situation wouldn't know who is sending what traffic without some syndicated login system. I know for fortinet's logging systems, the traffic is tied to the computer's domain login. For guest networks (no dhcp) it presents a login page before it lets you look at the internet. I don't think squid is designed to do it that way. – Ape-inago Oct 09 '13 at 14:14
  • @Ape-inago - Thank you for the help. I guess I have no choice but to go the way of changing the default gateway to point to the proxy box. – Jason246 Oct 10 '13 at 06:33

1 Answer


Use WPAD: http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Most Windows systems are configured to use WPAD by default. IE, Chrome, and Firefox will respect the system proxy settings. Assuming your users are on a Windows domain with restricted administrator rights, they will be unable to change the system proxy settings or the IE proxy settings, but they would still be able to change the Chrome or Firefox proxy settings if they desired. But they'd have to know they were going through a proxy first.

The biggest problem with the proxy is if they are web developers who access http://localhost:someport to view the prototype of their application. In that case the proxy will say that said port is unreachable. Otherwise WPAD proxies are fairly transparent to naive end users.

Do note that in my experience web proxies such as Squid, while useful due to programs such as Squidguard that keep users from going to "forbidden" sites, do little to decrease web traffic due to the large amounts of HTML5 and other dynamic uncacheable content on the web today. While they are useful for tracking what IP address is connecting to what content, tying together IP address and the name of the computer that it belongs to (and thus user) will require a DHCP server that logs that information. Microsoft's DHCP server logs that information. As far as I know, Cisco's does not.

eric.green
  • @jason246 Shortly: yes, it might be possible, but you would maybe need to put in an additional device, like a router, which redirects the traffic from 80/443 to, i.e., 8080, and deploy the certificate in case you want to see what they do in the SSL session. If you only want to log, you can use the transparent setup without interception, IMHO. – djdomi Mar 14 '20 at 19:06
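To make the WPAD suggestion in the answer concrete, here is an added example of the file WPAD clients fetch. It is not code from the answer or the question. WPAD-enabled browsers look for a PAC script first via DHCP option 252 and then via DNS at http://wpad.<your-dns-suffix>/wpad.dat, and call its FindProxyForURL() once per request; since the asker cannot touch the Cisco DHCP server, the DNS path is the one that applies here, which assumes control over the internal DNS zone. The proxy address 192.168.1.10:3128 and the suffix .corp.example are placeholders. The script sends localhost, RFC 1918 addresses and intranet names DIRECT, which avoids the broken-localhost problem the answer describes, and routes everything else through Squid. It deliberately uses only plain JavaScript rather than the PAC helper functions (isPlainHostName, isInNet, ...) so it can be checked under Node before deployment.

```javascript
// wpad.dat: Proxy Auto-Config (PAC) script served at http://wpad.<suffix>/wpad.dat
// Added example; placeholder values below are assumptions, not from the thread.

var PROXY = "PROXY 192.168.1.10:3128";  // Squid on its default port (placeholder)
var LAN_SUFFIX = ".corp.example";         // internal DNS suffix (placeholder)

// Old JScript-based PAC engines lack String.prototype.endsWith, so use a helper.
function endsWith(s, suffix) {
  return s.length >= suffix.length && s.substr(s.length - suffix.length) === suffix;
}

// True for IPv4 literals in 127/8 or the RFC 1918 ranges 10/8, 172.16/12, 192.168/16.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  // Normalise: lower-case, and strip the brackets some engines keep on IPv6 literals.
  host = host.toLowerCase().replace(/^\[|\]$/g, "");

  // Developer traffic to localhost must never go to the proxy: the proxy would
  // try to connect to *its own* localhost:port and report it unreachable.
  if (host === "localhost" || host === "::1" || isPrivateIPv4(host)) {
    return "DIRECT";
  }

  // Unqualified names (no dot) and anything under the internal suffix are intranet.
  if (host.indexOf(".") === -1 || endsWith(host, LAN_SUFFIX)) {
    return "DIRECT";
  }

  // Only HTTP and HTTPS belong on a web proxy; ftp://, ws:// etc. go direct.
  if (!/^https?:/i.test(url)) {
    return "DIRECT";
  }

  // Everything else through Squid, where ACLs/Squidguard do the blocking and
  // access.log gives per-client-IP byte counts. The "; DIRECT" fallback keeps
  // users working if Squid is down, but it also means a stopped proxy equals
  // no filtering; drop it if the block must hold even when the proxy is offline.
  return PROXY + "; DIRECT";
}
```

Two checks before relying on this: a client that can reach wpad.<suffix> over plain HTTP will trust whatever PAC it receives, so the host serving wpad.dat should be as locked down as the proxy itself; and, as the answer notes, anyone who can edit their browser's proxy settings can simply select "no proxy", so the PAC enforces policy only against users who do not look for it.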