I am interested in such a setup. Has someone implemented the same setup
with open source authentication helpers instead? Care to share...

Cheers,

--AL
On Wed, May 7, 2008 at 8:14 AM, Nick Duda <[EMAIL PROTECTED]> wrote:
> Ok cool. I'm not concerned about https because that never sees the proxy
> server, only http (as of now).
>
>
>
>  -----Original Message-----
>  From: Amos Jeffries [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, May 07, 2008 7:46 AM
>  To: Nick Duda
>  Cc: 'squid-users@squid-cache.org'
>  Subject: Re: [squid-users] Transparent Squid with NTLM auth works, questions.
>
>  Nick Duda wrote:
>  > I've successfully built and deployed a Transparent squid solution,
>  > failover using WCCP, with the ability to perform NTLM authentication for the
>  > employees transparently (not using PROXYAUTH, using SmartFilters
>  > Authentication processes). We can now have an office that can lose one or
>  > both transparent proxy servers and still browse to the internet as "if all
>  > else fails" using WCCP, maintaining NTLM authentication for ACLs and logging
>  > and perform content filtering.
>  >
>  > Couple questions, has anyone else done a setup like this? I'm curious to
>  > deploy this (slated for next week, to an office of 500). We have fully tested
>  > the solution, but we are moving away from using the normal squid NTLM helpers
>  > (no more winbind/samba needed) and curious as to what others have seen using
>  > smartfilters ntlm processes under heavy load. One of our offices using
>  > winbind, squid ntlm helper shows about 30-40 ntlm requests (which I noticed
>  > is per web request...lots of domain controller talking).
>  >
>  > Also, using WCCP is it possible to have squid (with basic routing on the
>  > linux box) send the return reply from the internet out another interface?
>  >
>  > Client ----- Switch ----- Router w/WCCP ----- ASA ----- Internet
>  >                                         |
>  >                    |------------squid
>  >
>  > (I hope that ascii drawing above comes out ok lol). Client makes request
>  > to google.com. Request hits the router, setup with WCCP and sends it to the
>  > squid proxy, which hangs off its own VLAN from the router. The request goes
>  > through the proxy then back up to the router and out to the internet. The
>  > request from the internet google.com comes back to the router, down to the
>  > proxy... I'd like that to now go back to the client on the interface on the
>  > proxy that is connected to the switch. Is the client going to want to see the
>  > reply coming back through the router to them?
>  >
>  > - Nick
>
>  I run a very similar setup here for my wifi clients. Not using NTLM, but
>  other out-of-band authentications during intercepted requests.
>
>  For HTTP the client won't care where the response comes from. That's why
>  transparency works. Other protocols like HTTPS and non-extended FTP fail
>  though.
>
>  Amos
>  --
>  Please use Squid 2.6.STABLE20 or 3.0.STABLE5
>
