[SOLVED] Zentyal 3.2 and HTTP PROXY non transparent mode

[sudel]

Good morning to everyone. I've tryed to switch my server installation from ClearOS to Zentyal.
I followed these step:
- installation of zentyal 3.2 final 64 bit first (but 32bit and vitual machine later too) on a two lan machine (ext and lan)
- select ”infrastructure” installation (dhcp server and http proxy)
- enable DHCP server on internal lan end set a static IP for wan (i tryed as dhcp client too)
- leave all firewall setting as is
- add a user in “users and group” module (in or out of a group)
- leave http proxy as default “non transparent” setting (port 3128)
- launch browser on a client machine from internal lan with “manual proxy configuration” (IE and Forefox)
Well. There is no way to receive authorization request at the beginning. Proxy work fine if I introduce a new role for particular domain (dansguardian present correct alert page) but no auth request at all ! Seem that proxy ignore "transparent" flag and work only in transparent mode . I installed a WM with zentyal to evaluate the problem with another windows WM. Only the same problem. I read about this on a recent "ticket" but staff was unable to reproduce the situation on their machine (so ticket was closed)

There are some setting to apply in configuration that I have missing (I think so), to enable authorization request from squid ?
How do I solve this ? There is a specific document to read about ?

I hope that everything is clear (with my English)

Thank

[christian]

There are some setting to apply in configuration that I have missing (I think so), to enable authorization request from squid ?
How do I solve this ? There is a specific document to read about ?

No problem with your English. At least as good as mine 
Did you read this already?

[sudel]

Yes I did. I'm really frustrated. I don't know how to solve the problem. I've installed all avaiable package and cups (666) and Zarafa (8080) ask for authorization popup.
Nothing to do with http proxy (3128).

Thanks for reply.

[christian]

I don't understand why you refer to Zarafa or cups... anyway...
Regarding proxy, as you do understand that it can't be transparent, is it also clear to you that you have to apply profil requesting authentication ?
I can't help with 3.2 as I'm still running 2.2 but I assume authentication will be required only if you set proxy to rely on rule that is based on user or group membership.

I remember when I gave a quick look some time ago that it looked quite confusing... at least to me 

[sudel]

In 3.x, profile rule "authorize and allow", "authorize and deny" is deprecated (so I understand in documentation).
I only be able to select "allow", "deny" or "apply filter" (apply filter from dansguardian settings). If I insert a new rule to be applied to a group or a network object, I've only those three options to associate.
I've missing something else ?
Bye

[christian]

But did you test it ?
If you apply rule associated to "group", you should be prompted for authentication isn't it? (of course, for network object, this is not relevant).

[sudel]

I've tried several configuration rule. The most relevant was next one:
- deny from any - all time
- apply filter for group all time (I've just created a group with 2 user to apply rule)

Can somebody post a typical basic and simple configuration to anable authentication for proxy please ?

Thanks again for patience

[christian]

The only relevant question, at this stage, if I refer back to your original post is: "when setting group based" rule, are you prompted for authentication ?

[sudel]

I'll try again soon and will post here my policy configuration rule.
Thanks

[BrettonWoods]

I am just getting used to the new 3.2 and all seems well. From my woes with 3.0 I remember that the proxy address needs a FQDN or it doesn't work. So host.domain:port.

I am setting up the network client side tonight and proxy is one of the things I will be aiming at.

The SSO is a kerberos method so it requires all the domain to be correct. Also the group settings are the same.
With 3.0 I gave up and used group policies to set the proxy so that admins bypassed and users had a single filter.

That is prob how I will operate it again but will have a go with the groups.

Lol, last time a member of staff commented on that porn in the work place isn't appropriate. My reply that I am testing the proxy filters didn't cut any weight. Oh the woes of a sysadmin.

[sudel]

I solve the problem.
I'll add only a user and join it to "domain admin". In this case only transparent proxy !

I've to add another group more than built-in. In this case auth prompt appear as well.
So, to enable authentication in http proxy is necessary to create at least one new Group, joining che users already present. I've now possibility to filter every group as needed through authentication.

Thanks for yours answers.
Bye

[christian]

obviously, if you join "Microsoft like" domain and enable SSO, you will never be prompted for authentication 
Also notice that there perhaps a pending bug: once you have enabled transparent proxy, even if you disable it, redirect at FW level still works. To be confirmed.

So, I'm pretty glad that, although I'm not running 3.2, my guess about settings was correct: relying on group membership forces authentication   

[BrettonWoods]

Just one thing as we where on the topic.

Once you have changed all users to specific groups then authentication is required.

If you tick SSO you get the authentication request but then can not log on.

Is there anything more for SSO to work?

[jopeme]

I have similar problem but i don't need squid authentication. I only need go out to internet from clients. A new installation of zentyal with default parameters, with no users and it always works in transparent mode. I have tried to install from zero zentyal 3.2 three times and always it happen.