Hi,
Has anyone had any experience, or know of any gotchas, while implementing
WebBlocker on a Watchguard Firebox II that has Microsoft Proxy 2.0 (on NT,
now used for caching) sitting between the clients and the firewall? There
appears to be no blocking occurring at all -- any user class ("student" or
"staff") at any time of the day can access any website. (It lets you assign
groups based upon the NT Server users and groups.)
The setup is as follows:
DHCP Client PCs -> Switch -> MS Proxy -> Watchguard -> ISDN -> Internet
The Firebox is a new addition to the setup above (a secondary school
requiring content control with Student and Staff group access). Prior to our
installation yesterday, they had the Proxy box (imaginatively named "PROXY")
connecting straight to their ISP, so they have the MS Proxy Client installed on
each of their PCs (pointing to "http://proxy:80"). We took the WAN side IP
address of the Proxy box and assigned it to the WAN interface of the Firebox
and have disabled the former WAN-side NIC on the Proxy box.
After fixing up the routing (they have 2 VLANs that required some
reconfiguring), we managed to get the WebBlocker software to automatically
download the "non-preferred URL" database from the appropriate
watchguard.com host (as required), and all DNS and other allowed services are
fine, but still no joy with content blocking.
While using Host Viewer to examine inbound and outbound connections, we can
see PROXY connecting to whichever sites we try (www.sex.se,
www.persiankitty.com, etc [don't ask ;)]). It's not showing the IP of the PC
originating the connection in the viewer, so we suspect it may be an
authentication issue as it could be that the WebBlocker software is seeing
the username of the Proxy Service originating an HTTP request, instead of the
client PC's username, so doesn't see the need to block it.
I've as yet been unable to verify this, but I was hoping for some input on
this matter. I'm not that familiar with integrating MS Proxy with any form
of content control, and WebBlocker is a completely new experience. (Yeah, I
know training would help...)
If anyone can offer any input, I'd be greatly appreciative. If I've omitted
any information that would be useful, just let me know.
TIA,
--
Matt Bruce
Network Engineer
Network Services, AlphaWest
"The gene pool could use a little chlorine."
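[Added example, not part of the post above and not code from WatchGuard or Microsoft.] The post's own Host Viewer observation is the key symptom: once a forwarding proxy sits between the clients and the filter, every outbound connection carries the proxy's address, and a filter that maps source address (or the NT user behind it) to a group has nothing to map. The small model below shows the same request along three paths: directly from the client, through a proxy that rewrites the source, and through a proxy that relays the original client identity. The addresses, group names, URL categories and the "no group means allow" fall-through are constructed assumptions for the model; whether MS Proxy 2.0 can relay client identity to WebBlocker, or how WebBlocker actually treats an unmapped source, is not something the post establishes.

```python
"""Model of a per-group web filter placed behind a forwarding proxy.

Added example; all data below is constructed, nothing is taken from the
site or products in the post.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: which client PC belongs to which NT group,
# which categories each group may not reach, and a tiny URL category list.
PROXY_IP = "10.0.1.5"
GROUP_OF_CLIENT = {"10.0.1.21": "student", "10.0.1.22": "staff"}
BLOCKED_FOR_GROUP = {"student": {"adult", "gambling"}, "staff": {"gambling"}}
URL_CATEGORY = {"www.adult.example": "adult", "www.news.example": "news"}


@dataclass
class Request:
    src_ip: str                          # TCP source address the filter sees
    host: str                            # requested web host
    forwarded_for: Optional[str] = None  # client identity, if the proxy relays one


def attributed_client(req: Request) -> str:
    """Address the filter attributes the request to.

    A relayed identity (modelled here as an X-Forwarded-For style value)
    wins; otherwise only the TCP source address is available.
    """
    return req.forwarded_for or req.src_ip


def decide(req: Request) -> Tuple[str, str]:
    """Return (verdict, reason) for one request.

    Assumption in this model: a source with no group mapping falls through
    to 'allow', which reproduces the symptom described in the post.
    """
    client = attributed_client(req)
    group = GROUP_OF_CLIENT.get(client)
    category = URL_CATEGORY.get(req.host, "uncategorised")
    if group is None:
        return "allow", f"no group for source {client}; no group rule applied"
    if category in BLOCKED_FOR_GROUP[group]:
        return "block", f"{client} is {group}; {category} blocked for {group}"
    return "allow", f"{client} is {group}; {category} permitted for {group}"


def through_proxy(client_ip: str, host: str, relay_identity: bool = False) -> Request:
    """Model a forwarding proxy: the TCP source becomes the proxy's own address."""
    return Request(PROXY_IP, host, client_ip if relay_identity else None)


def compare(client_ip: str, host: str) -> dict:
    """Same client and URL along three paths; shows where the identity is lost."""
    return {
        "direct": decide(Request(client_ip, host))[0],
        "proxy_no_identity": decide(through_proxy(client_ip, host))[0],
        "proxy_with_identity": decide(through_proxy(client_ip, host, True))[0],
    }


if __name__ == "__main__":
    # A student PC fetching an adult-category host along each path.
    for path, verdict in compare("10.0.1.21", "www.adult.example").items():
        print(f"{path:20s} {verdict}")
```

The practical check this suggests is the one the post already half-did: look at what source address the filter logs for a known-bad request. If it is always the proxy's address, no amount of group configuration on the filter will help until either the proxy relays who the client is, the filtering moves to the proxy side, or the filter is placed where it sees the clients directly.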