Author Topic: Proxy filter (Read 3406 times)

matias-holder · « **on:** July 18, 2011, 07:48:05 pm »

Hello, my name is Matias and I'm recently in the Linux community, I am very excited about creating a server Zentyal and I have some problems. where I work i have to perform filtering of web pages for employees ,as are few computers we have in mind this:
Create a proxy server, and block certain pages , we do not need to create distinction to who we filter, the emplyees that will have configured the proxy will all be blocked with the same pages and who that dont have proxy will use internet without restrctrions.
I formatted a machine with Zentyal, configure the proxy, I test it and it is working. Then when trying to filter the pages, first i try without creating objects and simply went to filter profiles, there I put the list of blocked domains and http proxy check the option to filter. on another PC with the proxy set i test it and had free access . Then I tried to put in general (in http proxy) that denies all, coming to the PC configured with the proxy appears entirely blocked. I also tried creating an object and assigning that object a policy object which takes the treacherous filter created with the option of filtering but still not working. In short I can not find a way in which only certain pages are blocked, look for tutorials and understand that I am following the same procedure except that the end does not work. if it matters i am avoiding to creat groups in zentyal and relate this to our domain server 2003 server, I understand that even so it should work.
If someone could help I would greatly appreciate.
thanks
Matias
pd Sorry for the bad english

yokobr · « **Reply #1 on:** July 18, 2011, 08:31:25 pm »

Man, SAME question. I wonder if it's possible

Christophe · « **Reply #2 on:** July 18, 2011, 08:35:53 pm »

Hello Matias,

To use Http proxy in transparent mode just with default profile :

1/ Create different objet For example A = Full Acces ; B = Filter
2/ Configure the defaut profile with your filter
3/ Enable transparent mode, and Filter in Proxy => General
4/ Go to Proxy => Objects Strategy, and set Always allow for Object A.

That's all

Keep in mind, https page won't block

matias-holder · « **Reply #3 on:** July 18, 2011, 09:22:08 pm »

Thank you for your help but it didnt works, if this mean something i have to add that we think to use this server only for this purpose, it only have one network card and is conected after a switch like all the host computers

Christophe · « **Reply #4 on:** July 18, 2011, 09:42:14 pm »

What do you want to do exactly ? Could you explain.

matias-holder · « **Reply #5 on:** July 18, 2011, 10:55:05 pm »

I have 15 computer, all use ubuntu i a windows 2003 server network, i want to block some urls like facebook, hotmail, etc on 10 machines and let the another five to use internet without restrictions, the idea is to configure a zentyal proxy server in the machines that will be restricted(this is working) and with zentyal block some pages(this not), now i only can or block all the pages or allow everything, the option filter isnt working
Thank you very much

Christophe · « **Reply #6 on:** July 18, 2011, 11:04:19 pm »

i do exactly the same thing and it works. But you need to register 2 objects with static IP.

For exemple Object : Adminmachine => save 5 IP of your 5 machine
Usermachine => save 10 IP of your 10 machine user
Dont use Space in object name

after go in http proxy and use like that :

Quote from: Christophe on July 18, 2011, 08:35:53 pm

Hello Matias,

To use Http proxy in transparent mode just with default profile :

1/ Create different objet For example A = Full Acces ; B = Filter
2/ Configure the defaut profile with your filter
3/ Enable transparent mode, and Filter in Proxy => General
4/ Go to Proxy => Objects Strategy, and set Always allow for Object A.

That's all

Keep in mind, https page won't block
[/quote

stuartiannaylor · « **Reply #7 on:** July 18, 2011, 11:43:21 pm »

I have a problem with the current proxy set up. I did set group policies set but have moved back to transparent mode with a singular default filter.
The reason is that I don't like the prompts to join the proxy and send clear text username passwords.

Internet explorer uses NTLM in a domain for authentication and if anyone can send details how to set up the client end for NTLM auto authentication then I would be most interested.

Otherwise I have been having a serious look at NuFW with its single sign on mechanisms that would provide great additions to our intranet and various services and the ability for user level filtering.

In fact looking at NuFW think I will put it on the wish list as it would make a great addition to the Zentyal setup.
http://www.nufw.org/

stuartiannaylor · « **Reply #8 on:** July 19, 2011, 04:57:46 pm »

Erm great addon but did find out the community license limits to 1000 users

matias-holder · « **Reply #9 on:** July 21, 2011, 03:23:13 pm »

Quote from: Christophe on July 18, 2011, 11:04:19 pm

i do exactly the same thing and it works. But you need to register 2 objects with static IP.

For exemple Object : Adminmachine => save 5 IP of your 5 machine
Usermachine => save 10 IP of your 10 machine user
Dont use Space in object name

after go in http proxy and use like that :

Quote from: Christophe on July 18, 2011, 08:35:53 pm
Hello Matias,

To use Http proxy in transparent mode just with default profile :

1/ Create different objet For example A = Full Acces ; B = Filter
2/ Configure the defaut profile with your filter
3/ Enable transparent mode, and Filter in Proxy => General
4/ Go to Proxy => Objects Strategy, and set Always allow for Object A.

That's all

Keep in mind, https page won't block
[/quote

Thank you but i did this, i create an object called lan that have my other pc(that have dhcp but take the ip that have at this moment, the dhcp can be a problem?)
And you say to use transparent proxy, is this necesary? i was thinking that i will configure manually the proxy to the machines that will be limited in web navigation and the others that have full acces dont need the proxy.
when you say 2/ Configure the defaut profile with your filter, you mean to go to object policy and create new object policies?
Thank you

Christophe · « **Reply #10 on:** July 21, 2011, 03:39:55 pm »

Quote

Thank you but i did this, i create an object called lan that have my other pc(that have dhcp but take the ip that have at this moment, the dhcp can be a problem?)
And you say to use transparent proxy, is this necesary? i was thinking that i will configure manually the proxy to the machines that will be limited in web navigation and the others that have full acces dont need the proxy.
when you say 2/ Configure the defaut profile with your filter, you mean to go to object policy and create new object policies?
Thank you

I resume :
You have 2 groups :
1 with 5 admin machine (full access)
1 with 10 user machine (filter)

In objet you have created 2 object,each one with ip machine and macadress
usermachine : you have 10 machine from 192.168.1.1 to 192.168.1.9
adminmachine : you have 5 machine from 192.168.10 to 192.168.1.14

go to dhcp module , and set static ip for both object.

restart your machine.

go to proxy,
Enable transparent mode, and Filter in Proxy => General
Go to Proxy => Objects Strategy, and set Always allow for Object adminmachines.

matias-holder · « **Reply #11 on:** July 21, 2011, 04:49:15 pm »

I am adding the mac adress and the zentyal says that i input a invalid value for Mac address(in adding a new member for a object) , i try to put with out - and with (i try 001cbf174f4d and 00-1C-BF-17-4F-4d). When i put the sub net adress in 24 (i have a class c internal ip, 255.255.255.0)it says that i can only use mac adresses with hosts, when i put the sub net in 32 (with my internal ip for one machine for testing 10.2.1.229)then appear the message that the input value for mac adress is invalid.
Thank you for your patience.

Christophe · « **Reply #12 on:** July 21, 2011, 05:47:29 pm »

to set an ip fix in objects :

macadress must be : aa:aa:aa:aa....etc

ip (exemple)= 192.168.1.38/32 (because it's an ip alone)

also, you can set object for a network like that 192.168.1.0/24, but in your case, you have to use the first case

matias-holder · « **Reply #13 on:** July 21, 2011, 07:27:20 pm »

Well, i create an object with my pc being a member with its mac and ip adress, then create an object policy that says to filter and use the filter profile where i put some pages to be block. i check the http proxy general and it has the transparent proxy activated and is set to filter. The filter isnt working, i can acces to the pages that is supossed to be block.
The firewall packet filter do something in the internet filter? in the beginning the proxy dont work (the pc that have the proxy configured cant acces to the internet)and i change some firewall rules(create rules in filtering rules from external networks to zentyal that is set to acept any service from any source) and if i try to delete this rule the proxy stop working(dont have internet in the host machine)
Thanks

Christophe · « **Reply #14 on:** July 21, 2011, 08:06:51 pm »

Ok.

before continue, could you check the ip adress of your machine with ip you set in znetyal. Do you set your dhcp in static lease for this object ?

You dont need adjust any rules in the firewall.

Last thing, are you sure you enable (by checkbox) the trasnparent proxy.

You dont need add url in the filter, just enable content filter in defaut filter profile

Cookies usage

Author Topic: Proxy filter (Read 3406 times)

matias-holder

Proxy filter

yokobr

Re: Proxy filter

Christophe

Re: Proxy filter

matias-holder

Re: Proxy filter

Christophe

Re: Proxy filter

matias-holder

Re: Proxy filter

Christophe

Re: Proxy filter

stuartiannaylor

Re: Proxy filter

stuartiannaylor

Re: Proxy filter

matias-holder

Re: Proxy filter

Christophe

Re: Proxy filter

matias-holder

Re: Proxy filter

Christophe

Re: Proxy filter

matias-holder

Re: Proxy filter

Christophe

Re: Proxy filter