OK, I understand better.
But this is not less secure than the current design, is it?
I mean, the current design uses the router as default gateway,
so we have to guess that some components are deployed there to ensure a minimum amount of control.
Well, to make a long story short, using a proxy in transparent mode when the proxy is not the network default gateway is a bit of nonsense.
Using Zentyal as an HTTP proxy only is somewhat a waste of resources (running Squid + squidguard will be much more efficient, but this all depends on your hardware).
If the proposed design is mandatory because of whatever constraint, the only efficient way is to:
- block HTTP & HTTPS ports at router level for the whole subnet except Zentyal
- declare Zentyal as proxy at browser level, either manually or using the WPAD mechanism.
My $0.02
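
For the WPAD option mentioned in the post above, here is a sketch of the proxy auto-config file that browsers would fetch. It is an added example, not part of the original post or of Zentyal itself. The Zentyal address 192.168.1.10, the proxy port 3128 and the 192.168.1.0/24 LAN are assumed placeholder values.

```javascript
// wpad.dat (proxy auto-config). Added example; all addresses are assumptions.
var PROXY = "PROXY 192.168.1.10:3128"; // assumed Zentyal IP and proxy port
var LAN_NET = "192.168.1.0";           // assumed LAN subnet
var LAN_BITS = 24;

// Dotted-quad IPv4 text -> unsigned 32-bit number, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the numeric address ip lies inside net/bits.
function inSubnet(ip, net, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(net) / size);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (no dot, not an IPv6 literal) are LAN hosts.
  if (host === "localhost" ||
      (host.indexOf(".") === -1 && host.indexOf(":") === -1)) {
    return "DIRECT";
  }
  // Loopback and same-subnet literals never cross the router.
  var ip = ipv4ToInt(host);
  if (ip !== null &&
      (inSubnet(ip, "127.0.0.0", 8) || inSubnet(ip, LAN_NET, LAN_BITS))) {
    return "DIRECT";
  }
  // Everything else goes through the proxy. There is deliberately no
  // "; DIRECT" fallback: the router blocks direct HTTP/HTTPS anyway, and a
  // fallback would let clients bypass filtering wherever that block is missing.
  return PROXY;
}
```

Browsers using WPAD look for this file at `http://wpad.<your-domain>/wpad.dat`, served with the MIME type `application/x-ns-proxy-autoconfig`.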