Author Topic: HTTP Proxy not authenticating  (Read 3809 times)

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
HTTP Proxy not authenticating
« on: August 24, 2012, 03:47:48 pm »
I have set up my Zentyal to be an AD slave and I have successfully synced all users and groups, but when I set the proxy to "Authorize and Filter" and create a filter policy that is only applied to my "Sales" group to deny a few sites, it is not working at all. Is there something else I need to do to get it to authenticate?

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #1 on: August 27, 2012, 02:26:16 pm »
Does anyone have any idea? I know my AD synchronization is working because I can change a user's password and it'll sync it to Zentyal. How do I get the users of my "sales" group to authenticate?

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #2 on: August 27, 2012, 03:05:01 pm »
You should perhaps:
- ensure that proxy is used
- FW rules do not permit direct access to internet
- ensure "transparent proxy" is not set
- ensure there is no profile authorizing free access (I mean w/o authentication)

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #3 on: August 27, 2012, 05:29:55 pm »
I confirmed it is working for sure by setting my PC to go through the proxy. I set up a port forward rule to forward all 80 and 443 traffic to go to 3128. It seems, though, that the firewall changes don't ever take effect until after the firewall is rebooted. I added the rules and saved them and even manually restarted the firewall service, and the rules haven't taken effect. I also had some other VoIP forwards that I had trouble getting working until I decided to reboot, and then they were working. I can't reboot every time I need to add a rule.

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #4 on: August 27, 2012, 05:45:23 pm »
Either I really don't understand what you are trying to achieve or my guess is correct and you are wrong with your approach. Let me explain:
Using a proxy can be done either in transparent or explicit mode.

In transparent mode, the browser (and user) is not aware of any proxy in the middle, as this feature relies on network redirect. Because of this, authenticating is not an option.
In explicit mode, you have to configure your browser to explicitly use the proxy or use an auto-discovery mode like WPAD.

Back to transparent mode (although it doesn't match your requirement, which is to apply profiling to some users): do not bother inventing rules like redirect at FW level. You can do it very easily by selecting "transparent" mode in the HTTP proxy section.

Last but not least, do you mean that saving changes doesn't apply rules? I almost never reboot my server although I do change FW rules from time to time...  ???

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #5 on: August 27, 2012, 05:57:08 pm »
Yes, I have to have rules applied only to certain groups, so I need authentication, and I will look into WPAD.
As far as the firewall settings, I noticed it when I was setting up port forwarding for external IP phones to access our internal phone server. I set up all my ports and noticed it was not working. I even created a service and added all the ports and configured rules to allow them through and it still didn't work, so I decided to restart the firewall late that night. Lo and behold, it started working right after a reboot. Now I was trying to force port 80 and 443 to go to 3128 through a port forward and it didn't work after a save, and I can't reboot in the middle of the day.

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #6 on: August 27, 2012, 06:42:36 pm »
Are you setting these port forwarding rules in order to offer HTTP proxy service to external users? If no, I don't see why such rules are required. If yes, then your approach is, at least to me, wrong. You should either rely on VPN and use internal proxy or have your proxy listening on external interface.
In such a case, notice that implementing WPAD for external users is a bit tricky  ;) and strange  ::)

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #7 on: August 27, 2012, 10:44:14 pm »
OK I have followed the doc http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign

and if I manually specify the PAC file at http://wpad.mydomain.com/proxy.pac in my client browsers, it works. I have also set up the DNS records for wpad, but I can't seem to get that to take effect. I have restarted my client (Windows 7) a few times. It just won't seem to auto-configure itself. Any ideas?

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #8 on: August 27, 2012, 11:05:19 pm »
You should rather try with wpad.dat instead of proxy.pac.
Then what happens if you type http://wpad in your browser?
What does your wpad.dat file contain?
« Last Edit: August 27, 2012, 11:07:12 pm by christian »

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #9 on: August 27, 2012, 11:14:55 pm »
I had proxy.pac and wpad.dat in the root because I wasn't sure exactly which one the clients request. This may be my issue. I created a virtual host on my Zentyal install to go to wpad.mydomain.com. I put a test index file there to make sure it works and it resolves when I go to http://wpad.mydomain.com, but when I type http://wpad it resolves to the default first site on Zentyal because the DNS A record points to the IP of the Zentyal server. So it would depend how clients request the autoconfiguration, I guess.

The contents of the file are just this:
function FindProxyForURL(url, host)
{
   return "PROXY 10.20.20.1:3128";
}

Which is the IP of my Zentyal server. Like I said before, when I manually specify the wpad.dat or proxy.pac file on the client it will successfully block the sites that need blocked.
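
A fuller version of the wpad.dat from the post above, as an added example that is not part of the thread: internal names and addresses are fetched directly, and everything else goes to the authenticating proxy with no DIRECT fallback, so the PAC file itself never hands out an unfiltered route to the internet. The 10.20.20.0/24 LAN range is an assumption, and the shim functions only stand in for PAC built-ins so the file can be exercised under Node.

```javascript
// Added example, not code from the thread. Assumed: the LAN is 10.20.20.0/24.
// The proxy address 10.20.20.1:3128 and mydomain.com are taken from the posts.

// --- Node-only shims for the PAC built-ins used below. Browsers provide
// --- these themselves; delete this section from the deployed wpad.dat.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, net, mask) {          // shim handles IPv4 literals only
  function toInt(a) {
    return a.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
  }
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}
// --- end of shims

var PROXY = "PROXY 10.20.20.1:3128";
var IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Short names such as "wpad" are internal: fetch them directly.
  if (isPlainHostName(host)) return "DIRECT";
  // Hosts in the internal DNS domain bypass the proxy as well.
  if (dnsDomainIs(host, ".mydomain.com")) return "DIRECT";
  // Only test literals: calling isInNet on a name forces a DNS lookup.
  if (IPV4.test(host) &&
      (isInNet(host, "10.20.20.0", "255.255.255.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) return "DIRECT";
  // Everything else goes to the authenticating proxy. No "; DIRECT"
  // fallback: a client that cannot reach the proxy fails closed.
  return PROXY;
}
```

Group filtering still depends on the firewall refusing direct outbound 80/443 from clients, as Reply #2 lists; the PAC file only steers browsers that honour it.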

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #10 on: August 27, 2012, 11:34:13 pm »
Unfortunately, if you look at Microsoft TechNet here, you will notice that Microsoft's implementation relies on http://wpad/wpad.dat :-[
As a workaround, what I suggest is that you create one virtual IP attached to your internal interface and:
- create "wpad" virtual host listening on this IP
- ensure wpad.dat file is at the root of this web site
- set up DNS so that wpad A record points to this virtual IP
- then try http://wpad again  8)

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #11 on: August 27, 2012, 11:43:40 pm »
Hint: are you sure your client FQDN matches host.yourdomain.something?
I'm asking because DNS lookup is based on client's FQDN  ;)

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #12 on: August 28, 2012, 12:21:45 am »
Yes, my Zentyal install and client and servers are all on the same domain. I created the virtual IP address and changed the DNS A record for wpad to be the new IP (10.20.20.2), which I can ping. And I can ping wpad and wpad.mydomain.com and both resolve to 10.20.20.2. My problem is still my virtual host. I changed the virtual host to be <VirtualHost 10.20.20.2:80> so it is listening on that address, yet it still resolves to the default site of Zentyal for http://wpad?

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #13 on: August 28, 2012, 12:31:33 am »
Cache-related issue?
How is it that you resolve "wpad" as 10.20.20.2 but reach zentyal default server when accessing wpad?
Some typo somewhere or virtual host misconfiguration?

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #14 on: August 28, 2012, 12:37:00 am »
I don't think there is a misconfiguration. I double-checked all the settings I have described. How do I clear the cache? I didn't see a way to do it in the GUI.