I'm looking for some feedback on a proposal to allow Internet-based workstations access to our internal web proxy.
Problem:
We've got several road warriors that spend all day surfing instead of working. Their laptops do not need access to any internal resources (don't need VPN), but their manager wants to be able to monitor/restrict access to where they're browsing.
Environment:
Our Astaro web proxy sits on a DMZ with firewall rules permitting proxy access from internal networks, and permitting the Astaro to do eDirectory authentication to our LDAP server.
Solution:
NAT an address for the Astaro web proxy to be accessible from the Internet. Add firewall rules to permit web proxy access from the Internet. Ensure that auditing is enabled in eDirectory to show when an account has been locked out by password guessing.
Does anyone see any issues with the setup? I'm mostly concerned about the idea that someone could start guessing user credentials at the proxy logon, and then use the discovered credentials to attack another eDirectory-integrated service.
Are there any known exploits attacking the HTTP proxy port?
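One way to watch for the credential guessing raised in the post above, as an added example that is not part of the original post: it scans proxy authentication failures (HTTP 407) per source address and separates repeated guesses at one account from a few guesses across many accounts. The log layout, thresholds, sample lines and function names are assumptions made for illustration, not the Astaro log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, assumed layout "timestamp source_ip user status" (not the
# Astaro log format). 407 = proxy authentication failed; user "-" = no credentials sent.
SAMPLE_LOG = """\
2024-05-01T09:00:00 198.51.100.20 - 407
2024-05-01T09:00:01 198.51.100.20 jdoe 407
2024-05-01T09:00:09 198.51.100.20 jdoe 200
2024-05-01T09:10:00 203.0.113.7 jsmith 407
2024-05-01T09:10:05 203.0.113.7 jsmith 407
2024-05-01T09:10:10 203.0.113.7 jsmith 407
2024-05-01T09:10:15 203.0.113.7 jsmith 407
2024-05-01T09:10:20 203.0.113.7 jsmith 407
2024-05-01T09:10:25 203.0.113.7 jsmith 407
2024-05-01T09:20:00 192.0.2.44 alice 407
2024-05-01T09:20:30 192.0.2.44 bob 407
2024-05-01T09:21:00 192.0.2.44 carol 407
2024-05-01T09:21:30 192.0.2.44 dave 407
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse(log_text):
    """Return sorted (time, ip, user, status) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, status = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, int(status)))
    return sorted(events)

def find_guessing(events, window=timedelta(minutes=5), max_fail=5, max_users=3):
    """Map source IP -> {"brute-force", "spray"} from 407s inside a sliding window."""
    recent, alerts = defaultdict(list), defaultdict(set)
    for ts, ip, user, status in events:
        if status != 407 or user == "-":   # ignore the credential-less challenge
            continue
        recent[ip].append((ts, user))
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        per_user = defaultdict(int)
        for _, u in recent[ip]:
            per_user[u] += 1
        if max(per_user.values()) > max_fail:
            alerts[ip].add("brute-force")   # many guesses at one account
        if len(per_user) > max_users:
            alerts[ip].add("spray")         # a few guesses at many accounts
    return dict(alerts)

if __name__ == "__main__":
    print(find_guessing(parse(SAMPLE_LOG)))
```

Keeping `max_fail` below the directory's lockout threshold surfaces a guessing source before accounts start locking; spraying stays under per-account lockout limits, which is why it is counted per source rather than per account.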