How is HTTP proxy set and used in your gateway?

Transparent proxy + firewall rules for HTTPS
18 (75%)
Explicit (non transparent) proxy
4 (16.7%)
0 (0%)
1 (4.2%)
1 (4.2%)
0 (0%)

Total Members Voted: 21

Author Topic: How are you using HTTP proxy?  (Read 5470 times)

Sam Graf

  • Guest
Re: How are you using HTTP proxy?
« Reply #30 on: September 17, 2011, 02:47:48 pm »
I think my point of view is that a transparent proxy is a consumer or a mobile approach to proxies, and I think that the discussions here tend to miss this whole aspect of the conversation. Admins may still be able to argue that they make the call, but SMB technology deployment is heavily influenced by consumer-think and mobile-think through end users. If nothing else, the combination of Apple's growth and their long tradition of keeping technology as transparent as possible to the end user is changing expectations. And we SMB admins, sooner or later, are going to have to acknowledge those expectations.

I personally get confused by the range of views often presented here, keeping me from understanding where the center of gravity is in the Zentyal community. Some people won't think of asking mom to use a PPTP connection on her iPad. But it seems like expecting mom to change her iPad's proxy settings on the fly might be the right thing to do ... :o ;D

Anyway, for once I wanted to participate in the Zentyal-specific technical side of the proxy discussion. Consider the dilemma I face: We use a transparent proxy because I have empirical evidence that asking staff to master changing their own proxy settings on mobile devices (including regular old notebook computers) amounts to asking a lot of mom. But it appears that Zentyal and Wyse zero clients don't play nicely together in a transparent proxy arrangement. I end up pretty much all by myself (sniff) lobbying for a Zentyal design approach that looks to the future of the SMB market, where big guns are promoting virtualization and private cloud technology as affordable options during the impending XP-EOL-driven refresh cycle.

These vendors see business investment dollars coming their way if they can spread the word, so much so that their reps even talk to small operations like ours and even communicate with big distributors on our behalf for special pricing. But Windows-powered servers are still the understood infrastructure platform, not Linux-based solutions in general and not Zentyal in particular. Zentyal "needs" to allow, at the GUI level, for selective proxy bypass, for DHCP options, and whatever other roadblocks might come up to transparent Zentyal implementation in SMBs.

So my contribution to this discussion is that weighing the merits of proxy transparency is an excellent idea, and it is absolutely true that a knowledge of the pros and cons makes for a much wiser admin. But ... let's not make the mistake of thinking a self-contained a-contextual discussion of transparent and non-transparent proxies is the end of the conversation. The knowledge gained is vital, but real-world SMB admins work in a context that is not so neatly confined to proxy pros and cons. As a real world admin trying to keep technology as transparent to my "customers" as I can while dealing with business and budget realities, I am faced with trying to deploy virtualization technology that understandably assumes a Windows environment while increasing our use of mobile and road warrior solutions but trying to retain Zentyal, which almost entirely lacks the GUI tools I need to make things work even when the underlying technology doesn't. And I'd like maybe even to take a day off once in a while during all this ...

I dunno ... I'm a little tired and just a little guy in a rapidly changing SMB market. I probably should just throw in the towel and do what the majority are doing on the infrastructure side of things and go camping more often ... I'm getting too old to do much else. :)


  • Guest
Re: How are you using HTTP proxy?
« Reply #31 on: September 17, 2011, 03:06:41 pm »
Sam, I think we are really in line with the points, not with the conclusion  ;D

Goal is not to ask mom to change any settings, this I do share.  ;)
Goal is not to ask SMB admin to implement or even understand complex technical stuff. I'm fully in line with this too.  ;D

So what? It has to be simple from an end-user standpoint. This is what I share with you.
Does it mean that technical implementation behind has to be the "transparent" one? Oh no!!!  :-\

Have a look at Apple documentation http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf and you will surely notice that Apple's proposal for proxy management is either manual (which is not practical, I share) or WPAD, BTW what I'm pushing for when it comes to using a proxy in its most efficient way.

This is also the default value for Internet Explorer  ;)
I mean any IE browser will not require any single change.
So, what is my point at the end?

If Zentyal had included in the HTTP proxy module all the (easy) stuff to automatically set WPAD instead of explaining the painful "firewall rules to permit HTTPS but not filter it", this debate would never even have been raised.
This is what I really mean  :-X :-X :-X

Still I do appreciate your effort to keep debate on the right side that is to ease SMB deployment. I target the same here, trust me  ;)

Sam Graf

  • Guest
Re: How are you using HTTP proxy?
« Reply #32 on: September 17, 2011, 03:17:39 pm »
My boss brings her company-supplied iPad to work. I may have some control over what happens there :) . But then she grabs a staffer (who also has a company-supplied iPad) and heads off to the local coffee shop to conduct a meeting that relies on both being able to use the coffee shop's free Wi-Fi connection. Obviously I have lost whatever control I had over the configuration requirements of these iPads. Now what?


  • Guest
Re: How are you using HTTP proxy?
« Reply #33 on: September 17, 2011, 03:22:35 pm »
hehe... nothing  ;D
If you set up WPAD infrastructure at the office, it will work, and when she goes outside to a location where it is believed that transparent proxy is best, it will work exactly the same.

I mean to say that if no proxy.pac file is found, then the browser will behave as if no proxy was defined (indeed there is none in such a case) and the transparent proxy will be used.

Do you really think that I'm used to changing my proxy settings when I move with my laptop from hotel to airport then the office? No I don't, except when I reach a network where the proxy must be set manually. Everything else is transparent.  8)
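
As an added illustration (not part of any post in this thread, and not Zentyal's own configuration), here is a minimal proxy.pac of the kind a WPAD setup hands to browsers, showing the selective bypass asked for earlier in the thread and HTTPS being sent to the explicit proxy instead of relying on firewall pass-through rules. The host names, the port and the bypass list are assumptions.

```javascript
// Added example: a proxy.pac that a WPAD setup could hand to browsers.
// Every name and value below is an assumption, not taken from the thread.
var PROXY = "PROXY gateway.office.example:3128"; // hypothetical gateway and port
var LOCAL_DOMAIN = "office.example";             // hypothetical internal DNS domain
var BYPASS_HOSTS = ["thinclient-broker.vendor.example"]; // hypothetical exceptions

// True for dotted-quad literals in loopback or RFC 1918 private ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host equals domain or is a subdomain of it.
function inDomain(host, domain) {
  var suffix = "." + domain;
  return host === domain || host.slice(-suffix.length) === suffix;
}

// Entry point that browsers call for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal traffic never leaves the LAN, so it skips the proxy.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  if (isPrivateIPv4(host) || inDomain(host, LOCAL_DOMAIN)) return "DIRECT";
  // Selective bypass for clients or services that break behind the proxy.
  if (BYPASS_HOSTS.indexOf(host) !== -1) return "DIRECT";
  // http:// and https:// URLs get the same answer: with an explicit proxy the
  // browser tunnels HTTPS through it (CONNECT), so host-based rules still apply.
  // No "; DIRECT" fallback: if the proxy is down, browsing fails closed
  // instead of silently going around the filter.
  return PROXY;
}
```

Browsers doing WPAD discovery look for this file as wpad.dat, located through DHCP option 252 or a `wpad` name in the local DNS domain.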

Sam Graf

  • Guest
Re: How are you using HTTP proxy?
« Reply #34 on: September 17, 2011, 03:31:56 pm »
Right. But we're not talking about you, but about Sam, who has multiple responsibilities, like almost every SMB admin he knows, and who wants to use Zentyal but does not have the time or the energy to hack it to make it work. He picked Zentyal in the first place, after all, on the strength of the promise of a Linux server for dummies.

So he reads the documentation you have graciously provided, understands as best he can the pros and cons, and then picks a transparent proxy anyway since that's his only practical, customer-friendly option, as far as he can tell. This isn't taking into account what could be, only what is, I admit. But I don't think I'm stretching reality too far in doing so.


  • Guest
Re: How are you using HTTP proxy?
« Reply #35 on: September 17, 2011, 03:50:14 pm »
No you are not stretching reality.
At least you made your choice understanding pros & cons, which was my initial goal  8)
If we stay on this, I do not try to convince you to change. It works and you're happy with this. So far so good and I don't see why I should push you forever to do something you don't want to do.

Zentyal documentation, although quite good, is lacking some inputs for decision making for people not understanding the technical stuff when components can be configured in different ways.

Having said that, if we discuss further technical aspects, then this is different and for sure I will react because I've my own standpoint and you know "transparent" approach is not the one I prefer  ;)

As a matter of conclusion, at least from my side, let me describe something to you:
- next time your boss goes outside and connects to a network where WPAD is deployed (and therefore where there is no transparent proxy), in case her browser is not configured to check for proxy.pac, she will not be able to access internet  :( until she manually modifies her browser settings... No I'm not trying to convince you  ;D
oh... I was joking because you are lucky: she is using iPad and Apple, according to what I read in the documentation, permits only either manual proxy or WPAD. Still my point is valid with any browser configured with "no proxy" because of transparent proxy at the office, at home or wherever you want.

TTFN. cheers,  :-*

Sam Graf

  • Guest
Re: How are you using HTTP proxy?
« Reply #36 on: September 17, 2011, 04:16:58 pm »
If it were down to hacking only one thing to make some special case work properly under Zentyal, then Sam could and should just sit down and "learn Linux" and get over himself ;D. I don't consider proxy management or UPS management, for example, to be special cases in an SMB world. There will be (and should be) some segment of the Zentyal community that will be inclined to manually fix whatever Zentyal lacks. But if we, as a community, want to begin a serious "spread the word" initiative, we need to be able to bring as few caveats and disclaimers to the conversation as possible.

Soon, we will have, if I can swing it with management, paid Zentyal subscriptions in three geographically separate locations. Please understand that I need to make a "it just works as a scalable cost effective solution that doesn't depend on Sam's hacking ability" business case. Management, right or wrong from a technical point of view, is a technology consumer first and foremost and is looking at the path of least resistance as part of the cost effectiveness calculation. If a more expensive solution, even a significantly more expensive solution, transparently supports key business initiatives (technological and otherwise) and does so people-independently, then the purchase decision will go that way. In the somewhat cloistered community here, where values put on open source solutions in general are high, that kind of business transaction may make no sense. Even if true, I can't help that. And I don't think I'm the only admin in the world--or, more importantly, in Zentyal's potential market--in that situation.

I have begun to sound like a broken record. I have two weeks at work to make whatever case I'm going to make and I need to prevent that process from spilling over here inordinately, so I've had my say. Back to staying focused on supporting other Zentyal users, real life, and maybe, if the weather holds, one more camping trip for the year. ;D


  • Guest
Re: How are you using HTTP proxy?
« Reply #37 on: September 17, 2011, 04:19:20 pm »
I have to disagree, the community version should be hackable. Firstly an open system means open. It should represent the body of feedback the community (users) find advantageous. Organic growth through usage is very important and how we use Zentyal should dictate direction.
I just believe that "Highly integrated server of any platform for dummies is an extremely polished product" maybe you are talking about an enterprise product. Or be resigned that a community will support your requirements.

More of a question than a disagreement?


Sam Graf

  • Guest
Re: How are you using HTTP proxy?
« Reply #38 on: September 17, 2011, 04:36:51 pm »
I agree that the product should stay open. eBox/Zentyal is a better product today because people hacked it and contributed their work back to the product.

At the same time, I think I should be able to say that some things aren't special case but also still missing from Zentyal. I should also be able to say that subscribers should not always have to hack, or pay to have hacked, Zentyal to have missing items included. It's fine to have fund raising campaigns and community contributions to grow the product, absolutely; but I cannot imagine that it is always appropriate to try to make a business case for Zentyal implementation that always includes a hacking-is-required to use this product now and/or into the future disclaimer. That kind of thing is common to enterprise support contracts, not SMB boxed solutions. Even Citrix told me, "if you find it not working for you, we agree that it should be, and we'll fix it." They are thinking in terms of leveraging the knowledge they gain from the field into a better product and multiple happy paying customers. :)


  • Bug Hunter
  • Zen Hero
Re: How are you using HTTP proxy?
« Reply #39 on: September 17, 2011, 09:39:47 pm »
Sam,  I too feel your pain.  I am in charge of a department of three, me, myself, and I.   I have made the case to my upper management that it is a matter of "when you pay" vs "if you pay".  Open source allows you to defer the costs.  At some point in the future you will either

a) require the help of an outside vendor
b) hire a replacement admin

Zentyal gives the typical PHB the best fighting chance of keeping things running while he picks between the two options above.  As you well know Sam,  being "THE ADMIN"  forces you to know the details of quite a few technologies that are normally spread over many specialists in a large organisation.  Our datacenter for instance has two largish servers (16 core,48g ram)  to support several virtualised servers.  We use Zentyal for the gateway/infrastructure while using Elastix for the telephony aspects.  Add in a few more VM's for vertical apps and Document management and we are into the "pure magic" range for the typical PHB.  The point I am trying to make is that eventually the choice listed above will be forced on your boss.  Wouldn't it be easier to establish the relationship now rather than later?

To stay on topic:   I am adding support for tablets with the rollout of Zentyal 2.2.  I intend to require VPN access to interoperate with our software.  Otherwise surfing/internet is best handled directly to the wireless carrier.  In the office it will continue to be via transparent proxy.  I am also toying with the idea of using the captive portal application to control access to the internet.