
Morning Skunks,

For the Windows geeks out there,

Setup: I have a LAN with XP & Vista workstations.

Problem: I need to force all network traffic via a proxy (for reasons beyond my control, we can't place the proxy "directly" between the LAN and router, so the proxy is part of the LAN). Setting the same in the browser settings is not "fool-proof".

The only possibility is to force all LAN stations to pass through the proxy...somehow... Is there a fool-proof way to set the default proxy/route in Windows? Also, how do I restrict LIMITED users from changing the LAN settings?

All your help will be appreciated.

G.Patronas.

you can set up a transparent proxy. you do this by routing all traffic hitting the gateway to the proxy server... this is actually the ideal setup everyone should use. if you're using squid as your proxy, there are tonnes of tutorials online for this.

.... however, i tend to argue against proxy servers, and instead advise on playing around with DNS servers. despite the caching advantage, proxy servers are largely inefficient and end up giving everyone quirky browsing experience if used by many people. if you want to block facebook or porn, why not play around with your DNS server, and make those domains point to google.com or an internal web server.

i noticed this issue while in KU. their proxy server is set to block youtube, download sites and porn... however, it randomly ends up blocking just about any site, or a site's css resources (making sites look ugly), and sometimes shows u a KU branded page blocking some site. speeds are also erratic.... and interestingly, a download may take 30 seconds to start, but when it does, u get amazing speeds. all of these indicate congestion, and lack of a clustered setup for load balancing.... anyways, my point is that plain routers are more efficient than proxies, and a custom DNS can meet a proxy's goals. and besides, the restrictions imposed by a proxy can just as easily be bypassed as those imposed by a "mean" DNS server, so there's no real disadvantage for switching.
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

Are the workstations in the Active Directory domain? If so, you can use Group policy to push the proxy settings and prevent users from changing the settings.

However, it will work on IE. Since you cannot place the proxy between LAN and router, you can only block the installation of software (read Firefox, Opera).

http://social.technet.microsoft.com/wiki/contents/articles/5156.how-to-force...

If the workstations are not in domain, you might be forced to use a startup/logon script that sets the proxy settings every time the pc starts/logs in.

./Sam

Sam, No domain, just a very "traditional" LAN.

@sherminator,

Just because the network admins at KU did not get things right does not mean proxies are inefficient. You cannot achieve what a proxy server does by using DNS! That is a very new one to me, but from their intended functionalities, I don't see how to even start comparing them. DNS is for name resolution and proxy is for caching content (forward proxy), or masking the source of content (reverse proxy). Proxy servers can act as rudimentary content filters, but true content filtering is achieved by other applications sitting between the proxy and the Internet or whatever source of content. I therefore beg to find your response quite misleading!

Oh, and you already read too much into the initial question. I'd have simply limited the answer to the question asked and kept out personal opinions, unless sought, as they are irrelevant at this point :-)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.

On Mon, Feb 18, 2013 at 9:34 AM, The sherminator <steve.kim41@gmail.com> wrote:
> you can set up a transparent proxy. you do this by routing all traffic hitting the gateway to the proxy server... this is actually the ideal setup everyone should use. if you're using squid as your proxy, there are tonnes

He just mentioned the proxy has to be on the LAN, not inline.

> of tutorials online for this.
>
> .... however, i tend to argue against proxy servers, and instead advise on playing around with DNS servers. despite the caching advantage, proxy servers are largely inefficient and end up giving everyone quirky browsing experience if used by many people. if you want to block facebook or porn, why not play around with your DNS server, and make those domains point to google.com or an internal web server.

What?

> i noticed this issue while in KU. their proxy server is set to block youtube, download sites and porn... however, it randomly ends up blocking just about any site, or a site's css resources (making sites look ugly), and sometimes shows u a KU branded page blocking some site. speeds are also erratic.... and interestingly, a download may take 30 seconds to start, but when it does, u get amazing speeds. all of these indicate congestion, and lack of a clustered setup for load balancing.... anyways, my point is that plain routers are more efficient than proxies, and a custom DNS can meet a proxy's goals. and besides, the restrictions imposed by a proxy can just as

Again, what? A broken proxy setup does not mean all proxies are bad.

BR,
S

1. Cisco Router+WCCPv2+Squid.
2. For Windows in AD environment, GPO to get proxy.pac files loaded for browsing.

That is foolproof to me.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.

On Mon, Feb 18, 2013 at 9:11 AM, Garr Patronas <garr.patronas@gmail.com> wrote:
> Morning Skunks,
>
> For the Windows geeks out there, Setup: I have a LAN with XP & Vista workstations. Problem: I need to force all network traffic via a proxy (for reasons beyond my control, we can't place the proxy "directly" between the LAN and router, so the proxy is part of the LAN).

What's your router make & model?

BR
S

Cisco 2811

On Tue, Feb 19, 2013 at 8:12 AM, Garr Patronas <garr.patronas@gmail.com> wrote:
> Cisco 2811

The options that come to mind:

1. Create an access-list that denies Internet access to all machines apart from the proxy. That way nobody can browse unless they use the proxy.
2. Configure NAT for the proxy's IP address only, same effect as above.
3. Configure WCCP between the router and the proxy (assuming your proxy has WCCPv2 support). Downside with this is that if the proxy is down there's a possibility the other machines will be allowed to pass through, unless you combine this with #1 above.

BR
S
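
Options 1 and 2 from the reply above, sketched as Cisco IOS configuration. This is an added example, not configuration posted in the thread; the addressing (LAN 192.168.1.0/24, router 192.168.1.1, proxy 192.168.1.10), the ACL names and the interface roles (FastEthernet0/0 = LAN, FastEthernet0/1 = WAN) are assumptions.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   LAN 192.168.1.0/24, router LAN address 192.168.1.1, proxy 192.168.1.10
!   FastEthernet0/0 = LAN side, FastEthernet0/1 = WAN side
!
! Option 1: inbound ACL on the LAN interface. Clients reach the proxy
! directly on the LAN segment, so that traffic never crosses this ACL.
ip access-list extended LAN-EGRESS
 remark Proxy is the only host allowed out
 permit ip host 192.168.1.10 any
 remark Keep DHCP and traffic addressed to the router itself working
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 remark Everything else is dropped; the log shows who tried to go direct
 deny ip any any log
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group LAN-EGRESS in
!
! Option 2: translate only the proxy's address, so no other LAN host
! gets a translated source address on the WAN side.
access-list 10 permit host 192.168.1.10
ip nat inside source list 10 interface FastEthernet0/1 overload
!
interface FastEthernet0/1
 description WAN
 ip nat outside
!
! Check: hit counters on the deny entry show direct-access attempts.
!   show ip access-lists LAN-EGRESS
!   show ip nat translations
```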

@Odhiambo Washington

"The sherminator" could have a point. Most people run proxies to filter out content like "blacklisted" sites, and not for caching. It's very likely why the given example, KU, runs a proxy. In fact, many large setups do not cluster proxy services leading to poor surfing experiences for everyone.... anyways.... i second him. If you want to use a proxy to block some sites/content, having a local DNS server with blacklisted domains would be more efficient (no need for proxy servers equals reduced capital and running costs).

To answer this thread's first question... transparent proxy. google it.
participants (6)
- Garr Patronas
- John Doe Smith Kamau KipNg'etich Jones
- Odhiambo Washington
- Samuel Wachira
- Steve Muchai
- The sherminator