If your ASL box is the only gateway to the internet, it's quite easy.
On the ASL box:
- in the packet filter, do not allow HTTP/FTP/HTTPS traffic from internal to outside (no rule like "internal->any,http (or https or ftp),allow" or "Internal->any,any,allow")
- activate the HTTP proxy in standard or transparent mode, just keeping internal as allowed network in the proxy settings.
NB: If you choose Standard mode, you will also have to change the proxy parameter of the web browsers in your internal network. If you choose Transparent mode, only HTTP traffic is handled by the ASL proxy, so you may have to add specific packet filter rules on ASL for FTP and HTTPS traffic if needed.
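The check described in the post above, as an added example that is not part of the original post and is not Astaro code: it parses rules written in the post's "source->destination,service,action" notation and reports which allow rules should go and which leave traffic unfiltered. The function names and the sample rule set are assumptions made for illustration, and only rules from internal to any are considered.

```python
# Added example: rule strings use the thread's "source->destination,service,action"
# notation; the sample rule set below is constructed, not an ASL export.
PROXIED = {"http", "https", "ftp"}

def parse_rule(text):
    """Split 'internal->any,http,allow' into its four fields (lower-cased)."""
    flow, service, action = (part.strip().lower() for part in text.split(","))
    source, destination = (part.strip() for part in flow.split("->"))
    return source, destination, service, action

def audit(rules, mode):
    """Return (rule, verdict) pairs for allow rules from internal to any.

    verdict "remove":     the rule lets clients reach the web without the proxy
    verdict "unfiltered": needed in transparent mode, but the traffic is not
                          scanned or filtered by the proxy
    """
    if mode not in ("standard", "transparent"):
        raise ValueError("mode must be 'standard' or 'transparent'")
    findings = []
    for text in rules:
        source, destination, service, action = parse_rule(text)
        if (source, destination, action) != ("internal", "any", "allow"):
            continue
        if service in ("any", "http"):
            findings.append((text, "remove"))
        elif service in PROXIED:  # https or ftp
            verdict = "unfiltered" if mode == "transparent" else "remove"
            findings.append((text, verdict))
    return findings

SAMPLE_RULES = [  # constructed for this example
    "Internal->any,any,allow",
    "internal->any,http,allow",
    "internal->any,https,allow",
    "internal->any,ftp,allow",
    "internal->any,dns,allow",
    "internal->any,smtp,drop",
]

if __name__ == "__main__":
    for mode in ("standard", "transparent"):
        print(mode)
        for rule, verdict in audit(SAMPLE_RULES, mode):
            print(f"  {verdict:10} {rule}")
```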
Is it a Windows network we are talking about? If so, is there a domain controller? You can then solve it with the GPO in the AD and fix it so that the users can't change the proxy settings. P.S.: this only works with IE.
If you opt for the solution with the transparent HTTP proxy, then your users won't be able to use any other proxy, e.g. all HTTP traffic is forced through your proxy. The nice thing is that you do not set any proxy parameters in your clients. The drawback with transparent proxying is that it does not support HTTPS, as I understand.
I have ASL V5.008 running on an HP DL320 which serves our training facility with some 50 clients over a 4 Mbit/s Internet connection. These clients are all forced to browse via the transparent HTTP proxy that performs URL filtering (option Surfprotection).
This setup has been up for 10 days and has worked stably so far (was running ASL V4.021 before). But I did not dare to also switch on Anti Virus checking, as there are still issues with that option.
ace, you will read this (Astaro live help V4 and V5): "In Transparent mode, the proxy will handle all traffic passing the firewall on port 80. In this mode, the clients do not need to enter the proxy in their browser configuration. Please note that the proxy cannot handle FTP and HTTPS (secure) requests in this mode. If your clients want to access such services, you must open the respective ports (21 and 443) in the packet filter."
In transparent mode, HTTPS and FTP traffic does not go through the ASL proxy and of course is not scanned/filtered.
Thanks for the response to my question. The HTTP proxy was already configured as being transparent. The only problem is if users manually change their gateway. We are running a Windows 2003 Domain Controller with AD, so GPO would be an option; unfortunately I didn't find much information about how to implement this particular thing. Maybe somebody knows how to implement it, or that there is another solution.
Then you should prevent users from changing the gateway by local rights management or with ASL packet filter rules.
The AD's GPO version would be applicable if the HTTP proxy is in standard (or user authentication) mode.
Actually they will - the trick is to make Astaro "think" HTTPS is HTTP by forwarding it through an intermediary proxy or something like a popup blocker (I use Proxomitron). FTP might be a bit trickier, have not tried to figure that out. Not sure why you would want to do that....