Hey - I'll add my $.02 to this discussion for what it is worth. It will take a little explaining, so It will be a little lengthy. Here it goes:
All devices being equal, I would agree with Bob's viewpoint (AD/eDir SSO has far greater functionality and utility value with standard mode, so why would you want to do it in transparent mode?)
However, all devices are not equal - specifically the new generation of mobile devices. We have recently had an influx of Apple IOS devices (iPads, iPhones, iPods), and these devices with IOS 5 and up DO NOT cooperate at all with proxy settings. While Apple did provide an OS level proxy setting, MANY (and I mean probably the majority) of the apps DO NOT heed this proxy setting and will attempt to communicate over good old port 80 or 443. This makes standard mode useless for these devices (unless setting up a gazillion static addresses and making tons of firewall exception rules is your idea of fun). I have heard (but have no firsthand experience) that Android OS devices behave in a similar fashion.
My only recourse to make these work on our school network and still be able to filter them is to make a separate wireless subnet and then place that in transparent mode. The obvious disadvantage is all the loss of user based logging capabilities unless authenticated as well as a reliable user authentication method (transparent mode only allows the browser-based pop-up with a "countdown timer" and client mode authentication. Since there is no Astaro client for IOS, we are left with the browser authentication. I attempted to use this, but the countdown timer is impractical for use in a K-12 school district. Set it too short and it is annoying and disrupts classroom activities. Set it too long and you are at risk of having the device change hands and grant the next user rights levels of the previous (do I need to go into the problems that could ensue if a student picked up an iPad that still had a teacher/administrator countdown active on its IP address).
Anyway - sorry for the long-winded post, but I think it illustrates why some of us feel the need for a SSO or a better authentication method for transparent proxy (I'd be happy with an IOS client app for Astaro). These devices are gaining wildly in popularity (especially in schools!) and are not going to go away - just increase in numbers.
Hey - I'll add my $.02 to this discussion for what it is worth. It will take a little explaining, so It will be a little lengthy. Here it goes:
All devices being equal, I would agree with Bob's viewpoint (AD/eDir SSO has far greater functionality and utility value with standard mode, so why would you want to do it in transparent mode?)
However, all devices are not equal - specifically the new generation of mobile devices. We have recently had an influx of Apple IOS devices (iPads, iPhones, iPods), and these devices with IOS 5 and up DO NOT cooperate at all with proxy settings. While Apple did provide an OS level proxy setting, MANY (and I mean probably the majority) of the apps DO NOT heed this proxy setting and will attempt to communicate over good old port 80 or 443. This makes standard mode useless for these devices (unless setting up a gazillion static addresses and making tons of firewall exception rules is your idea of fun). I have heard (but have no firsthand experience) that Android OS devices behave in a similar fashion.
My only recourse to make these work on our school network and still be able to filter them is to make a separate wireless subnet and then place that in transparent mode. The obvious disadvantage is all the loss of user based logging capabilities unless authenticated as well as a reliable user authentication method (transparent mode only allows the browser-based pop-up with a "countdown timer" and client mode authentication. Since there is no Astaro client for IOS, we are left with the browser authentication. I attempted to use this, but the countdown timer is impractical for use in a K-12 school district. Set it too short and it is annoying and disrupts classroom activities. Set it too long and you are at risk of having the device change hands and grant the next user rights levels of the previous (do I need to go into the problems that could ensue if a student picked up an iPad that still had a teacher/administrator countdown active on its IP address).
Anyway - sorry for the long-winded post, but I think it illustrates why some of us feel the need for a SSO or a better authentication method for transparent proxy (I'd be happy with an IOS client app for Astaro). These devices are gaining wildly in popularity (especially in schools!) and are not going to go away - just increase in numbers.
