Ok cool. I'm not concerned about https because that never sees the proxy
server, only http (as of now).

-----Original Message-----
From: Amos Jeffries [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 07, 2008 7:46 AM
To: Nick Duda
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Transparent Squid with NTLM auth works, questions.

Nick Duda wrote:
> I've successfully built and deployed a Transparent squid solution, failover 
> using WCCP, with the ability to perform NTLM authentication for the employees 
> transparently (not using PROXYAUTH, using SmartFilters Authentication 
> processes). We can now have an office that can lose one or both transparent 
> proxy servers and still browse to the internet as "if all else fails" using 
> WCCP, maintaining NTLM authentication for ACLs and logging and perform
> content filtering.
>
> Couple questions, has anyone else done a setup like this? I'm curious to 
> deploy this (slated for next week, to an office of 500). We have fully tested 
> the solution, but we are moving away from using the normal squid NTLM helpers 
> (no more winbind/samba needed) and curious to what others have seen using 
> smartfilters ntlm processes under heavy load. One of our offices using 
> winbind, squid ntlm helper shows about 30-40 ntlm requests (which I noticed
> is per web request...lots of domain controller talking).
>
> Also, using WCCP is it possible to have squid (with basic routing on the 
> linux box) send the return reply from the internet out another interface?
>
> Client ----- Switch ----- Router w/WCCP ----- ASA ----- Internet
>                                         |
>                    |------------squid
>
> (I hope that ascii drawing above comes out ok lol). Client makes request to 
> google.com. Request hits the router, setup with WCCP and sends it to the 
> squid proxy, which hangs off its own VLAN from the router. The request goes 
> through the proxy then back up to the router and out to the internet. The 
> request from the internet google.com comes back to the router, down to the 
> proxy......I'd like that to now go back to the client on the interface on the 
> proxy that is connected to the switch. Is the client going to want to see the 
> reply coming back through the router to them?
>
> - Nick

I run a very similar setup here for my wifi clients. Not using NTLM, but
other out-of-band authentications during intercepted requests.

For HTTP the client won't care where the response comes from. That's why
transparency works. Other protocols like HTTPS and non-extended FTP fail
though.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
