I have a customer where they had set up their network with fixed IPs to enforce certain rules when they had Cisco Pix's. I replaced that with an ASG 220 several years ago, and the admin at the time didn't want to redo that structure, so he configured the Proxy in Transparent mode, adding several Proxy Profiles based on manually-assigned subnets. My plan: Configure the new Proxy Profiles; temporarily leaving the old ones in place. Activate a GPO that sets client browsers to use the Astaro Proxy on port 8080. wait for all occurences of user="" to disappear from the Content Filter logfile. Delete the old Transparent-mode Proxy Profiles. I'm pretty sure it works like that, but it's been awhile siince I did this. Does anyone see something that I've overlooked? Thanks, everyone! Cheers - Bob

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"Invisible" Transition of Proxy Profiles from Transparent to AD-SSO

I have a customer where they had set up their network with fixed IPs to enforce certain rules when they had Cisco Pix's. I replaced that with an ASG 220 several years ago, and the admin at the time didn't want to redo that structure, so he configured the Proxy in Transparent mode, adding several Proxy Profiles based on manually-assigned subnets.

My plan:

Configure the new Proxy Profiles; temporarily leaving the old ones in place.
Activate a GPO that sets client browsers to use the Astaro Proxy on port 8080.
wait for all occurences of user="" to disappear from the Content Filter logfile.
Delete the old Transparent-mode Proxy Profiles.

I'm pretty sure it works like that, but it's been awhile siince I did this. Does anyone see something that I've overlooked?

Thanks, everyone!

Cheers - Bob

This thread was automatically locked due to age.

0 techuser over 14 years ago

What if you activated the GPO first (the default port is 8080), and then changed the mode of the old profiles to SSO without deleting them.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 14 years ago

Oops!  Thanks, techuser.  I was playing with SOCKS, so I used the wrong port - I've fixed that now.

I think the problem is that the GPO is considered only when someone logs on.  Some people don't log out every day, so, even if we did the switch at night, some people would gripe.  I think that the old profiles would need more than a mode change.  Presently, each group has its own profile beased on manually-configured IP addresses.  In place of them, we would need a new one that has a different Filter Assignment for each AD group, and that applies to the IP-range of the DHCP server.

Thanks for that question.  You make me realize that I need to add the AD-SSO-based filter assignments to the existing profile for the IP-range of the DHCP server, and that the new Filter Assignments must be at the top of that Profile above the current one.  Either that, or the new DHCP IP-range must be outside of all the old ranges.

Two "Aha!" revelations with a single, one-line post - techuser, youdaman!

I'm glad I asked here.  Astaro support missed that.  Anyone else?

Cheers - Bob
PS When I'm done, I'll add an article in the KnowledgeBase with a note about the excellent help here!

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel