Enforce clients to use the proxy server

[asaidi]

I notice that a client using firefox is able to bypass the proxy server by choosing "use system proxy settings" under network configuration settings.  A client can disable the manual proxy server configurations and be able to browse without any limitations.

In ebox, I enabled "transparent proxy" to try and force the clients to use ebox.  Ebox tells me "Transparent proxy option is not compatible with authorization policy." I think this is because my default policy  which is "Authorize and filter."

How do I solve this problem? Thanks.

[Javier Amor Garcia]

Add a rule to firewall that forbids htpp connection to your networks computers.

[asaidi]

I'm sorry, I'm a newbie.  How do I do that?

[christian]

Your question expects at "2 parts" answer:

- you can prevent user to access internet by blocking HTTP, HTTPS, FTP etc protocols at firewall level for internal network(s), this is done adding new rule with these protocols and "deny" behavior.
- you should be informed that transparent proxy is not compatible with "authentication and filtering" at proxy level. I guess reason is that filtering being dependent on profiling behavior and because there is no "default profil" that could be applied to any "non authenticated" access, they decided to disable such feature.

But is "transparent proxy" really mandatory for you?

If you remove transparent proxy and set firewall rules as described above, then users changing their browser settings will not have access anymore to internet, thus they will revert back to "std" config and you will reach your goal (or at least what I guess is your goal).

Does it clarify the matter?

[Javier Amor Garcia]

I guess reason is that filtering being dependent on profiling behavior and because there is no "default profil" that could be applied to any "non authenticated" access, they decided to disable such feature

No, the problem is that the proxy authentication relies in the HTTP authentication and it could not be used in transparent mode. It has nothing to do with  profiles.

[christian]

No, the problem is that the proxy authentication relies in the HTTP authentication and it could not be used in transparent mode. It has nothing to do with  profiles.

Is it because of the misunderstanding of transparent proxy versus intercepting proxy? I still don't understand why proxy should not be able to send back HTTP 407 to clients in "intercepting" mode even if client is not configured to use proxy. Is it a limitation client side?

This aside, I realize that my "guessing" was wrong because filtering in "transparent" proxy mode is available. 

[asaidi]

Thanks Christian, thanks Javier.  The problem is solved.  I denied http access for internal networks to the internet in the firewall.