Squid proxy basic help

charold

I've inherited a network, and am new to Squid Proxy server. I have, what appears to be, a relatively simple question I cannot figure out. How does my traffic get routed through the Squid proxy?

It is not inline (it's actually a VM) - the default gateway is my internet facing firewall
The firewall does not route anything through the proxy (it sees it as just another client device)
No GPOs that change LAN Connection settings in Internet Properties
There are no other routers in the network

Clients are configured as "Auto Detect Settings" in Lan Settings.


I've exhausted the ways I know how to route internet traffic through a proxy server. If this server goes down, users' internet access is down. If I select no proxy server in my browser, I can bypass it entirely and access the internet. So I guess, what is doing the auto-detecting, or how is it auto-detecting my Squid proxy? I'm thinking through DNS maybe?

Any help is greatly appreciated!
 
What Ryuujin said, WCCP would cause this.

You say there are no other routers on the network, but what about a L3 switch? If so, it is highly likely the previous administrator was using a policy-based route (PBR) to direct all traffic with destination ports of 80 and 443 to Squid.
 
That would not change when "Auto Detect Settings" was unchecked.
So that's not it.
That is also why transparent proxy does not fit either.
If it was set using group policy it would be locked so that is not it either.

WPAD with option 252 in DHCP is what fits best to what is happening.
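To confirm from a packet capture whether a given lease really carries option 252, the sketch below (an added example, not part of any post in this thread) walks the DHCP options field and returns the WPAD URL if present. The sample DHCPACK payloads and the URL `http://proxy.example.test/wpad.dat` are constructed for illustration, and the function names are hypothetical.

```python
from __future__ import annotations

WPAD_OPTION = 252                   # option code identified in this thread
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker that precedes the options

def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Walk the RFC 2132 code/length/value list and return {code: value}."""
    found: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:               # pad byte, no length field
            i += 1
            continue
        if code == 255:             # end of options
            break
        if i + 1 >= len(options):
            raise ValueError(f"option {code} has no length byte")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A code that appears twice is one long value split up (RFC 3396).
        found[code] = found.get(code, b"") + value
        i += 2 + length
    return found

def wpad_url(bootp_payload: bytes) -> str | None:
    """Return the option 252 URL from a BOOTP/DHCP payload, or None if absent."""
    # The fixed BOOTP header is 236 bytes, then the magic cookie, then options.
    if len(bootp_payload) < 240 or bootp_payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    raw = parse_dhcp_options(bootp_payload[240:]).get(WPAD_OPTION)
    if raw is None:
        return None
    # Some servers append a NUL terminator to the URL string.
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")

def build_sample_ack(with_wpad: bool) -> bytes:
    """Constructed DHCPACK payload for the demo, not captured from a network."""
    header = bytes([2, 1, 6, 0]) + bytes(232)   # op=BOOTREPLY, rest zeroed
    opts = bytes([53, 1, 5])                     # message type = ACK
    opts += bytes([3, 4, 192, 0, 2, 1])          # router option
    if with_wpad:
        url = b"http://proxy.example.test/wpad.dat\x00"
        opts += bytes([WPAD_OPTION, len(url)]) + url
    return header + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    for flag in (True, False):
        print("option 252:", wpad_url(build_sample_ack(flag)))
```

Feed `wpad_url` the UDP payload of a DHCPACK taken from a client's capture; a `None` result on a scope that should advertise the proxy means the scope option is missing there.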
 
Thanks for all the great suggestions!

It was option 252 in DHCP!

Turned out, I exported the DHCPDB using netsh on the old Win 2000 server it was running (yup....), and imported it into one of the DCs using netsh as I've done many times in the past. Turns out, that does not import the Scope Options, like this option set, so I had a few machines here and there that weren't hitting the proxy, or were having other weird issues. This seems like it should do the trick.

Any suggestions/recommendations on whether I should leave the DHCP option here, or use GPOs, or some other method? I like the inline option probably the best, otherwise I'd rather use GPOs as it's easier to manage and update vs the way Windows 7 and DHCP tend to be a PITA sometimes.

Thanks again!
 
Typically people use Option 252 (wpad) for guest networks, or "BYOD" so they can filter devices not under Admin control.

If these are all devices on the domain being filtered, pushing proxy settings via GPO is a better bet.

If you are looking to go inline, you'll have to ensure you have the appropriate NIC configuration (1:1 binding). Going inline isn't necessary if you already plan on using proxy settings. If you go inline, you can use it as a transparent device without managing any GPO settings for proxy server.
 

We have MDM on all corporate devices, which has its own content filtering enabled while on our network and I would prefer to not have it go through the proxy. If it's not managed it is on the public VLAN anyways. The public VLAN has filtering through our Meraki firewall, and does not have option 252 set in the DHCP options either (even though the Proxy is on both internal and public VLANs).

There are a LOT of discrepancies and standards not followed through on this network. I've basically been given free rein to change, optimize, reconfigure as needed as long as it's within budget and is approved by the Director (who leaves 90% of the decision up to me anyways).

Honestly, I'm debating whether I want to keep the Squid proxy in place. We have content filtering abilities on our Cisco Meraki MX80 firewall, which requires no client side configuration at all. It also has AD authentication, which is not in use, but can be enabled. My main concern was that I couldn't figure out how clients were getting redirected to the proxy. The only other concerns are that I need accurate reporting, and whether this would put too much additional load on the Meraki firewall. I'm working on determining whether this can be done through the Meraki, and will make further recommendations as they come.

Thanks again for the suggestion, Cmustang87.
 
I would do it using the transparent proxy method if you decide not to do it on the firewall itself.
Myself, I consider anything done on a client PC, even using GPO, to be insecure.
Using a transparent proxy or doing it at the firewall makes sure you catch all traffic, even if someone connects their own device or a computer is otherwise not on the domain or running the MDM.
You can do it multiple ways at the same time: WPAD, GPO and transparent proxy saves some traffic to the router and catches all traffic, which would be good if not doing it at the firewall itself.
 