Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: matias-holder on July 18, 2011, 07:48:05 pm
-
Hello, my name is Matias and I'm new to the Linux community. I am very excited about creating a Zentyal server and I have some problems. Where I work I have to perform filtering of web pages for employees; as there are few computers, we have this in mind:
Create a proxy server and block certain pages. We do not need to distinguish whom we filter: the employees that have the proxy configured will all be blocked from the same pages, and those who don't have the proxy will use the internet without restrictions.
I formatted a machine with Zentyal, configured the proxy, tested it, and it is working. Then, when trying to filter the pages, I first tried without creating objects and simply went to filter profiles; there I put the list of blocked domains, and in HTTP proxy I checked the option to filter. On another PC with the proxy set I tested it and had free access. Then I tried to set the general policy (in HTTP proxy) to deny all, and the PC configured with the proxy appears entirely blocked. I also tried creating an object and assigning that object an object policy which takes the treacherous filter created with the option of filtering, but it is still not working. In short, I cannot find a way in which only certain pages are blocked. I looked for tutorials and understand that I am following the same procedure, except that in the end it does not work. If it matters, I am avoiding creating groups in Zentyal and relating this to our 2003 domain server; I understand that even so it should work.
If someone could help I would greatly appreciate it.
Thanks
Matias
P.S. Sorry for the bad English
-
Man, SAME question. I wonder if it's possible :(
-
Hello Matias,
To use the HTTP proxy in transparent mode with just the default profile:
1/ Create different objects. For example A = Full Access; B = Filter
2/ Configure the default profile with your filter
3/ Enable transparent mode, and Filter in Proxy => General
4/ Go to Proxy => Objects Strategy, and set Always allow for Object A.
That's all
Keep in mind, HTTPS pages won't be blocked
-
Thank you for your help, but it didn't work. If this means something, I have to add that we plan to use this server only for this purpose; it only has one network card and is connected after a switch like all the host computers.
-
What do you want to do exactly? Could you explain?
-
I have 15 computers, all using Ubuntu in a Windows 2003 Server network. I want to block some URLs like facebook, hotmail, etc. on 10 machines and let the other five use the internet without restrictions. The idea is to configure a Zentyal proxy server on the machines that will be restricted (this is working) and with Zentyal block some pages (this is not). Now I can only either block all the pages or allow everything; the filter option isn't working.
Thank you very much
-
I do exactly the same thing and it works. But you need to register 2 objects with static IPs.
For example, Object: Adminmachine => save the 5 IPs of your 5 machines
Usermachine => save the 10 IPs of your 10 user machines
Don't use spaces in the object name
After that, go to HTTP proxy and use it like this:
> Hello Matias,
> To use the HTTP proxy in transparent mode with just the default profile:
> 1/ Create different objects. For example A = Full Access; B = Filter
> 2/ Configure the default profile with your filter
> 3/ Enable transparent mode, and Filter in Proxy => General
> 4/ Go to Proxy => Objects Strategy, and set Always allow for Object A.
> That's all
> Keep in mind, HTTPS pages won't be blocked
-
I have a problem with the current proxy setup. I did set group policies but have moved back to transparent mode with a single default filter.
The reason is that I don't like the prompts to join the proxy and send clear-text usernames and passwords.
Internet Explorer uses NTLM in a domain for authentication, and if anyone can send details on how to set up the client end for NTLM auto-authentication then I would be most interested.
Otherwise I have been having a serious look at NuFW with its single sign-on mechanisms, which would provide great additions to our intranet and various services and the ability for user-level filtering.
In fact, looking at NuFW, I think I will put it on the wish list as it would make a great addition to the Zentyal setup.
http://www.nufw.org/
-
Erm great addon but did find out the community license limits to 1000 users
-
Thank you, but I did this: I created an object called lan that has my other PC (which has DHCP, but I took the IP it has at this moment; can the DHCP be a problem?)
And you say to use transparent proxy; is this necessary? I was thinking that I would manually configure the proxy on the machines that will be limited in web navigation, and the others that have full access don't need the proxy.
When you say "2/ Configure the default profile with your filter", do you mean to go to object policy and create new object policies?
Thank you
-
To summarize:
You have 2 groups:
1 with 5 admin machines (full access)
1 with 10 user machines (filter)
In Objects you have created 2 objects, each one with the machines' IPs and MAC addresses
usermachine: you have 10 machines from 192.168.1.1 to 192.168.1.9
adminmachine: you have 5 machines from 192.168.10 to 192.168.1.14
Go to the DHCP module and set static IPs for both objects.
Restart your machine.
Go to Proxy,
Enable transparent mode, and Filter in Proxy => General
Go to Proxy => Objects Strategy, and set Always allow for Object adminmachines.
-
I am adding the MAC address and Zentyal says that I input an invalid value for MAC address (when adding a new member to an object). I tried to put it without - and with (I tried 001cbf174f4d and 00-1C-BF-17-4F-4d). When I set the subnet to 24 (I have a class C internal IP, 255.255.255.0) it says that I can only use MAC addresses with hosts; when I set the subnet to 32 (with my internal IP for one machine for testing, 10.2.1.229) the message appears that the input value for MAC address is invalid.
Thank you for your patience.
-
To set a fixed IP in objects:
the MAC address must be: aa:aa:aa:aa....etc
IP (example) = 192.168.1.38/32 (because it's a single IP)
Also, you can set an object for a network like this: 192.168.1.0/24, but in your case you have to use the first form
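
An added example (not part of the thread and not Zentyal's own code): a small Python helper that rewrites MAC addresses typed without separators or with dashes into the colon form described above, and refuses a MAC on anything other than a single /32 host, mirroring the two error messages reported earlier. The function names and the returned dict layout are assumptions made for illustration; the sample values are the ones quoted in the thread.

```python
import ipaddress
import re


def normalize_mac(raw):
    """Return a MAC address as colon-separated pairs (aa:bb:cc:dd:ee:ff)."""
    digits = re.sub(r"[-:.\s]", "", raw)  # drop the usual separators
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def object_member(name, address, mac=None):
    """Validate one object member (hypothetical dict layout).

    address is CIDR text; a bare IP is treated as a single host (/32).
    A MAC is accepted only together with a /32 host entry.
    """
    iface = ipaddress.ip_interface(address)
    prefix = iface.network.prefixlen
    if mac is not None and prefix != 32:
        raise ValueError("a MAC address can only be used with a single host (/32)")
    # A host keeps its own address; a network is reduced to its base address.
    ip = f"{iface.ip}/32" if prefix == 32 else str(iface.network)
    return {"name": name, "ip": ip,
            "mac": normalize_mac(mac) if mac is not None else None}


if __name__ == "__main__":
    # The two MAC spellings and the test IP quoted in the thread.
    for raw in ("001cbf174f4d", "00-1C-BF-17-4F-4d"):
        print(object_member("testpc", "10.2.1.229/32", raw))
    try:
        object_member("testpc", "10.2.1.229/24", "00-1C-BF-17-4F-4d")
    except ValueError as err:
        print("rejected:", err)
    print(object_member("lan", "192.168.1.0/24"))
```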
-
Well, I created an object with my PC as a member with its MAC and IP address, then created an object policy that says to filter and uses the filter profile where I put some pages to be blocked. I checked HTTP proxy general and it has the transparent proxy activated and is set to filter. The filter isn't working; I can access the pages that are supposed to be blocked.
Does the firewall packet filter do something in the internet filter? In the beginning the proxy didn't work (the PC that has the proxy configured couldn't access the internet) and I changed some firewall rules (I created a rule in filtering rules from external networks to Zentyal that is set to accept any service from any source), and if I try to delete this rule the proxy stops working (no internet on the host machine).
Thanks
-
Ok.
Before continuing, could you check the IP address of your machine against the IP you set in Zentyal? Did you set your DHCP to a static lease for this object?
You don't need to adjust any rules in the firewall.
Last thing, are you sure you enabled (by checkbox) the transparent proxy?
You don't need to add URLs in the filter, just enable content filter in the default filter profile
-
I checked the IP address of my PC and it is the same that I put in the Zentyal object (cmd ipconfig in Windows).
I have a Windows 2003 server and I reserved this IP for this PC with its MAC address in the DHCP server.
I checked again and I have the transparent proxy activated (the checkbox).
In the profile (default filter profile) I set the content filter threshold to very strict, and in domain filtering I added some pages for testing, like a newspaper from Argentina that is HTTP (not HTTPS) that should be blocked.
Thanks
-
Where is your gateway: Win2003 or Zentyal?
Zentyal has to be your gateway for transparent proxy
-
My gateway is Windows 2003. I don't want transparent proxy, like I said. I want to manually configure the machines that will have the internet restricted. The idea is that the Zentyal only works for this purpose. Can I do this with Zentyal?
Thanks
-
I'm sorry! I understood you wanted transparent proxy.
You have to disable it (uncheck transparent proxy)
and manage with group policy,
and on your machines (web browser), set the address of your proxy and the port (3128, I think).
For more detail, have you read this doc: http://doc.zentyal.org/en/proxy.html
-
Yes, I did these things. I have my PC with the proxy configured on port 8080 (set in Zentyal) and with this I have internet (the proxy is working). If I set HTTP proxy general to always deny I don't have internet (it works), but if I want to restrict only some sites it doesn't work. I read these docs.
I don't want to use the groups because a lot of employees don't use their credentials to log on (they use Ubuntu), so I think that it wouldn't work. I only want all the machines that are connected to the proxy (manually configured) to be unable to enter facebook, hotmail, and some other pages. The other machines will connect without the proxy and have to access the internet without restriction.
Thanks
-
Ok, your proxy works, that's a good thing.
In Proxy HTTP => General => did you set your filter to Filter?
Did you set a group policy for the admin group?
-
I don't have any group; do I have to create one? I don't want to transfer the Active Directory users to Zentyal because it wouldn't work (like I said, the employees don't use their credentials to log on)
-
There is something I don't understand:
1. If you don't want to use user credentials, why not use transparent mode?
2. If someone unsets the proxy in the web browser, are you sure you continue to block HTTP?
I found another doc: http://trac.zentyal.org/wiki/Documentation/Advancedproxy
I use transparent mode (easier to manage). I need to read more before continuing with you
-
It could be difficult to manage a non-transparent proxy without managing users!
-
> 1. If you don't want to use user credentials, why not use transparent mode?
> 2. If someone unsets the proxy in the web browser, are you sure you continue to block HTTP?
Because we don't want to put something between some machines and the internet (it is not my decision).
The idea is to remove the default gateway on the host machines, so if they remove the proxy configuration in the browser they won't have internet at all (tested, and it worked this way).
Can I create a transparent proxy that only some computers use while others connect directly to the router?
Thanks
-
> Can I create a transparent proxy that only some computers use while others connect directly to the router?
Unfortunately, I think not, because your firewall will redirect all HTTP requests to 3128 in transparent mode.
You can do that only if you use another network.
But in transparent mode you can also manage the filter for admin and user machines.