Topic: Configuring Zentyal as a Proxy Server

0oOo0

Configuring Zentyal as a Proxy Server
« on: May 12, 2013, 09:47:53 am »
Hi

I work as a systems integrator and my boss is considering using Zentyal to replace Windows SBS in our corporate clients' networks. He has recently asked me to configure a Zentyal server on my home network as a Proxy Server as if it were for one of our already established corporate networks.

No problems installing it and getting internet access, but connected devices cannot get out to the internet when connected to the proxy server. I can't even ping the server successfully now that I have configured it as a proxy. I have done a search and tried following this guide: http://doc.zentyal.org/en/proxy.html

Set up is as follows:
DGN2200 Modem router connected to an ADSL line: DHCP disabled. 
Firewall rules
Outbound Services: allow all
Inbound Services: Block always

Unmanaged Ethernet Switch connected to the DGN2200

Zentyal Server (core version 2.2.9) connected to the Switch: upgraded with apt-get update && apt-get upgrade
Module Status:
Network    Running
Firewall    Running
Antivirus    Disabled
Apache    Running
Certification Authority    Not created
Zentyal Cloud Professional Package    Installed
DHCP    Running
DNS    Running
Backup    Running
Events    Running
Logs    Running
Monitoring    Running
VPN    Running unmanaged
Zentyal Cloud Client    Subscribed
HTTP Proxy    Running
Traffic Shaping    Disabled
Users and Groups    Running

HTTP Proxy General Settings
Transparent Proxy:    yes
Ad Blocking: no
Remove advertisements from all HTTP traffic: no
Port: 3128
Cache files size (MB): 40960
Default policy: Always Allow

Packet Filter > Internal Networks
Decision: allow any source, destination and service

Traffic Filter > Traffic coming out from Zentyal
Decision: Allow any destination or service. 

Packet Filter > Rules added by Zentyal services (Advanced)
Enabled    Type    Module    Condition    Decision    Action
   Output    HTTP Proxy    -m state --state NEW -p tcp --dport 443    ACCEPT    
   Output    HTTP Proxy    -m state --state NEW -p tcp --dport 80    ACCEPT    
   Output    VPN    --protocol tcp --destination-port 80    ACCEPT    

DHCP
Default gateway: Zentyal
Search domain: None
Primary nameserver: local Zentyal DNS    
Secondary nameserver: 8.8.8.8
NTP server: None
WINS server: None

DNS
Enable Transparent DNS Cache: Yes
Forwarders: none
Domains: none

Domain Name Server Resolution:
127.0.0.1
8.8.8.8

Anything I've missed?  Ask me to list it. 

-_-

christian

  • Guest
Re: Configuring Zentyal as a Proxy Server
« Reply #1 on: May 12, 2013, 10:01:42 am »
Nice clear post; still, you may even improve it a little bit by telling us:
- what is your network design behind Zentyal
- how did you configure Zentyal interfaces.

What I mean is that you describe with a lot of detail the part of your infrastructure between Zentyal and internet, and this one works as Zentyal can access internet, but you do not describe (except if I misunderstood) the part between Zentyal and client; unfortunately, this is the one failing  :-\

If the goal is an HTTP proxy test only, then you can also have a much lighter deployment.
Some modules are not involved, like Cloud related modules or even users & groups.

BTW, does it work when you disable the HTTP proxy module?

0oOo0

Re: Configuring Zentyal as a Proxy Server
« Reply #2 on: May 12, 2013, 11:32:51 am »
Network design behind Zentyal
I'm sorry, I'm not sure what you are asking about.  You want to know what servers are running or the network size and media type etc... ?

Zentyal interface configuration
n.b. I originally had two ethernet ports on the server, an on-board and a plug in. My boss has asked me to set it up using only one ethernet port as this is what will be required of us when we deploy.

Interfaces
Name: eth0
Method: Static
External (WAN): yes
IP address: 192.168.0.2
Netmask: 255.255.255.0
Virtual Interfaces: none

Gateways Configuration:
Enabled    Name    IP address    Interface    Weight    Default
   yes   ISR            192.168.0.1    eth0    1            yes           
   
Proxy
Username: <left blank>
Password: <left blank>
Proxy server: <left blank>
Proxy port: 8080


Domain Name Server Resolution
127.0.0.1    
8.8.8.8

Objects
None

Services
Service name           Description
HTTP                   HTTP
adsync                 --
any                    any protocol and port
any TCP                any TCP port
any UDP                any UDP port
dhcp                   --
dns                    Domain Name Service
eBox administration    Zentyal Administration Web Server
ldap                   --
ssh                    SSH

Static Routes
None

DDNS
Enable Dynamic DNS: yes
Service: Zentyal Cloud
Username: <blank>   
Password: <blank>   
Hostname: <blank>

Does it work when I disable the HTTP proxy module? No. I think that's because the clients are receiving a DHCP configuration from Zentyal which tells them to set its interface IP Address as the default gateway. If I set them statically to point to the router/modem (DGN 2200) at 192.168.0.1 I can get out to the internet.

End



half_life

Re: Configuring Zentyal as a Proxy Server
« Reply #3 on: May 12, 2013, 06:35:01 pm »
I think Christian is trying to get at what your network topology is. It looks like you are set up using just one NIC behind a router that opens all ports. All devices (including router) are plugged into the same switch?

christian

  • Guest
Re: Configuring Zentyal as a Proxy Server
« Reply #4 on: May 12, 2013, 08:43:07 pm »
Much clearer now.
As half_life explains, it looks like your network is flat behind your router. All devices including Zentyal have direct access to internet.

Transparent proxy with such topology is quite complex and requires, at least, that Zentyal is your default gateway.

What do you expect from Zentyal with such design?
- There is no firewall
- proxy may work as explicit proxy but not (well, not easily) as transparent one

I strongly suggest that:
- you set up your Zentyal server with at least 2 NICs
- you read a bit of Zentyal documentation that is showing some examples.

half_life

Re: Configuring Zentyal as a Proxy Server
« Reply #5 on: May 12, 2013, 09:40:34 pm »
He can still achieve a full firewall if the switch handles VLANs. If the router has decent firewall capabilities he can set it up to only speak to the Zentyal machine and one other "secret" IP for safety purposes.
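
Added example, not part of the thread: a small Python model of the flat single-NIC network discussed above, showing why the router's outbound rule decides whether a client can sidestep the proxy by pointing its gateway at the router. The addresses 192.168.0.1 and 192.168.0.2 come from the thread; the client addresses, the "secret" address 192.168.0.250, the rule format and the assumption that Zentyal intercepts whatever is routed through it are constructed for illustration.

```python
import ipaddress

ROUTER = ipaddress.ip_address("192.168.0.1")   # DGN2200 LAN address (from the thread)
ZENTYAL = ipaddress.ip_address("192.168.0.2")  # Zentyal eth0 (from the thread)

def router_allows(src, rules):
    """First-match evaluation of (source CIDR, action) outbound rules; default deny."""
    for cidr, action in rules:
        if src in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

def web_path(client_ip, client_gw, rules):
    """Classify how a client's web traffic leaves the flat LAN."""
    src = ipaddress.ip_address(client_ip)
    gw = ipaddress.ip_address(client_gw)
    if gw == ZENTYAL:
        # Assumption: Zentyal intercepts the request and re-issues it from
        # its own address, so the router only ever sees 192.168.0.2.
        return "proxied" if router_allows(ZENTYAL, rules) else "blocked"
    if gw == ROUTER:
        # The packet reaches the router with the client's own source address.
        return "bypasses proxy" if router_allows(src, rules) else "blocked"
    return "no route"

def audit(clients, rules):
    """Map each client name to its egress verdict under the given router rules."""
    return {name: web_path(ip, gw, rules) for name, (ip, gw) in clients.items()}

# Constructed sample clients: (address, configured default gateway)
CLIENTS = {
    "dhcp-client": ("192.168.0.50", "192.168.0.2"),    # gateway handed out by Zentyal DHCP
    "static-client": ("192.168.0.51", "192.168.0.1"),  # manually pointed at the router
    "admin-host": ("192.168.0.250", "192.168.0.1"),    # hypothetical "secret" IP
}

# "Outbound Services: allow all", as in the first post
ALLOW_ALL = [("0.0.0.0/0", "allow")]
# Router only speaks to Zentyal plus one reserved address, as suggested in Reply #5
ZENTYAL_ONLY = [("192.168.0.2/32", "allow"),
                ("192.168.0.250/32", "allow"),
                ("0.0.0.0/0", "deny")]

if __name__ == "__main__":
    for label, rules in (("allow all", ALLOW_ALL), ("Zentyal only", ZENTYAL_ONLY)):
        print(label, audit(CLIENTS, rules))
```
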

christian

  • Guest
Re: Configuring Zentyal as a Proxy Server
« Reply #6 on: May 12, 2013, 10:51:04 pm »
Sure, from a pure technical standpoint this can be done; however, let's be honest, such a design is much more complex and can't be safely handled without significant technical knowledge and background.
At least from my standpoint  8)

half_life

Re: Configuring Zentyal as a Proxy Server
« Reply #7 on: May 12, 2013, 11:00:10 pm »
He said up front that he is a systems integrator. I agree that it is much easier to set up a gateway with two NICs but it isn't necessary.

half_life

Re: Configuring Zentyal as a Proxy Server
« Reply #8 on: May 12, 2013, 11:06:33 pm »
Quote from: christian
Sure, from a pure technical standpoint this can be done; however, let's be honest, such a design is much more complex and can't be safely handled without significant technical knowledge and background.
At least from my standpoint  8)

All in a day's work. Right, Christian?