Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: christian on September 07, 2011, 10:13:15 am

Title: How are you using HTTP proxy?
Post by: christian on September 07, 2011, 10:13:15 am
As it looks like there is a lot of confusion with the use of HTTP proxy in either transparent or non-transparent mode, especially concerning the pros and cons of each approach, I feel it could be interesting to learn how you guys are using this feature.

This may also trigger feature request for integration of mechanisms aiming to ease some deployment (notice search request has already been done).

WPAD and proxy.pac stuff has already been discussed in the past and is discussed in Portuguese and Spanish section too.

Does it ring any bell for you or is it something totally unknown and without any interest  ???
Title: Re: How are you using HTTP proxy?
Post by: jsalamero on September 11, 2011, 11:09:06 pm
Very interesting poll, thanks christian!
Title: Re: How are you using HTTP proxy?
Post by: Escorpiom on September 12, 2011, 06:56:10 am
I should add that my firewall denies any connection except specified network objects with a mac/ip address binding. Those allowed are also allowed https (any-rule)
Proxy has been set up in a similar way, deny all except specified network objects.

pac and pad stuff is like Chinese to me, will read up on it later.

Cheers.
Title: Re: How are you using HTTP proxy?
Post by: christian on September 12, 2011, 07:20:45 am
I can easily understand that you don't know about .pac and  wpad if you don't know what it is.
I believe quite a lot of Zentyal users don't know it, reason why I wrote a kind of "How To" explaining concept and a bit of implementation.
http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign

Notice, and I would like to make it very clear, that I'm not pushing for anyone in one direction rather than the other  :)

The idea is really to use proxy design fitting your needs and to understand the side effect of each approach.
Title: Re: How are you using HTTP proxy?
Post by: vshaulsk on September 12, 2011, 04:07:18 pm
Thanks for the documentation Christian.  I am going to give this a try..... having automatic proxy configuration on the client side is exactly what I need !!!!
Title: Re: How are you using HTTP proxy?
Post by: christian on September 12, 2011, 04:08:12 pm
Although there are only a few votes, it's very clear that the preference is for transparent proxy  :)
This explains somewhat the questions and debate we had and also some kind of misunderstanding  ::) I need to open my chakras  :P

I'll keep this poll for a couple of weeks more but doubt figures will really change.
Title: Re: How are you using HTTP proxy?
Post by: christian on September 12, 2011, 04:30:44 pm
Quote
I am going to give this a try.....

Easiest implementation is to use a DNS A or CNAME record, assuming your clients are configured to use internal DNS.
This done, creating a virtual host and publishing the wpad.dat file is a matter of minutes  ;)

Let us know how it works for you.
Keep also in mind that FW rules for HTTPS are no longer required  8)
Title: Re: How are you using HTTP proxy?
Post by: vshaulsk on September 12, 2011, 04:35:53 pm
Yes... I will be reinstalling my home server once the final release of Zentyal 2.2 comes out later this week.  During that install I will setup DNS properly and try using your outlined method for proxy.  Hopefully by next week I will let you know how this worked out for me !!
Title: Re: How are you using HTTP proxy?
Post by: vshaulsk on September 13, 2011, 04:58:38 am
Christian.... in your instructions I have a couple of questions.

Do I use specifically wpad.domain.com or do I change the domain.com to my personal domain?

Also I am not very familiar with aliases in DHCP so I am not sure what to do there.

Thank you !!!
Title: Re: How are you using HTTP proxy?
Post by: stuartiannaylor on September 13, 2011, 06:23:08 am
 ::) Me again. Firstly with MS Exploder I have had some problems with wpad and pac files. I have no idea why this should work but going into the advanced options and setting Exploder advanced option to reset to default fixed all.
I remember scratching my head for a while on that one. New installs work, some of my clients worked and a few didn't. Thing is I was absolutely sure none of the options had been changed from default so whatever it does I am totally unsure.

My best tip is to use Firefox but like many I am a constantly harassed sys admin :). Believe it or not we run courses for deprived, unemployed and people with special needs. Strangely some of the tutors will only use Exploder for tutorials.

I have tried the argument that possibly training the disadvantaged through commercial software possibly isn't the best way to go. To be honest a lot of the trainers' basic qualifications are that they have completed the training course that they are training. These are all UK government led initiatives and personally the quality and context of the courses are dreadful. Anyway I am a Firefox man.

As to wpad or pac files, the content is the simplest piece of JavaScript you will ever come across and all you need to do is modify a sample and change the port details. This then gets copied to the root www apache directory. This has all been much better documented than this dribble. I just wanted to check if my memory was playing tricks on me and that I have a feeling somehow it worked without a DNS entry. I could swear I just got nervy that all the web literature mentioned either a DNS or DHCP method and with Zentyal the DNS method is easier.

I have a static IP and a domain registered at 123reg.co.uk, only mentioned as their control panel is simple. I didn't bother enabling the Zentyal DNS but just entered a cname of wpad which is added to the FQDN. After using Zentyal for a while I do use the local DNS now which points to the local LAN of 192.168.x.x rather than my WAN IP address which my 123reg.co.uk domain name points to. I just thought I would mention that as does anybody do the same? My website is now pulled from the local intranet or over the WAN depending on which side the client is.

Anyway lol sorry people but just a general discussion I did enable the proxy so that I could use group filters. We have public internet access so filters are very important. Some of you might want to stop social networking or dating or whatever ...
I have a public / staff roaming scenario and the group filters are great, there are a few things that need tweaking but they are seriously tight.

If you don't need group filters / object filters then I can't see any point other than running in the standard transparent mode. No need for wpad or PAC, no need for any settings, just run and go.

I did set up group filters as I wanted to set up a difference for staff, admins and users. Problem is that my understanding is that the only proxy authentication method is plain text. So on every new browser instance you are prompted for a username / password. This just seemed to cause annoyance so everybody is back to transparent using a strict filter.

SSO & Kerberos and whispers about post 2.2 have been heard so am I right in saying my preferred way of group filters without login boxes will become a reality from windows clients?

Also anyone want to touch on https and proxy / filtering as that's a bit of a bum as well?

Stuart 
Title: Re: How are you using HTTP proxy?
Post by: christian on September 13, 2011, 07:11:58 am
Quote
Do I use specifically wpad.domain.com or do I change the domain.com to my personal domain?

Thank you for highlighting that my doc is not clear. I will try to fix it.
You have to create wpad.yourdomain and create an alias in DNS, not DHCP, to resolve this virtual host. So if you do it on Zentyal, this is an alias attached to the Zentyal host. If this is a new server, this is not an alias but a host.
What has to be understood here is that "yourdomain" must match the client domain name because the discovery mechanism is based on the client FQDN.
Title: Re: How are you using HTTP proxy?
Post by: christian on September 13, 2011, 07:35:40 am
Stuart,

Interesting inputs. I fully share that the main point is to understand the difference between transparent and non-transparent proxy. This really does matter especially because of the way it handles HTTPS, therefore filtering, workarounds with FW and so on and so forth...
Most admins do not set non-transparent because it means maintaining settings at browser level, therefore my point with proxy.pac  ;)
With few users and a stable design, non-transparent proxy with manual browser administration perfectly makes sense.

One comment here: never store wpad.yourdomain outside, I mean on public DNS because for client connected to internet with client1.yourdomain FQDN, it will search DNS for wpad.yourdomain, will resolve it and try to connect to your private network... meaningless  :P

Then filtering doesn't mean authentication and when it comes to enable authentication, the very first debate is SSO.
Without Kerberos, SSO is very difficult but understanding implementation and management of an SSO based infrastructure is much more difficult than anything we discuss in this forum. It is not because Microsoft did, as usual, something working transparently that everything is easy, smooth and simple under the hood.

One of the issues to be faced with SSO, as far as single sign-on is targeted, is to point all authentication back-ends to SSO, which means, e.g. getting a Kerberos ticket from LDAP because some applications or services will be LDAP enabled but not Kerberos ready. This works... but is not straightforward. Same for Ubuntu clients. PAM_Kerberos exists but Linux relying on central infrastructure is today built against LDAP (to replace NIS). So authentication is not enough and what works today is PAM_LDAP + NSS_LDAP, thus replacing PAM_LDAP with PAM_Kerberos is not that obvious (reason why we have to achieve PAM_LDAP pointing to "LDAP Kerberos enabled"). Do you see why this is not totally straight?
Title: Re: How are you using HTTP proxy?
Post by: stuartiannaylor on September 13, 2011, 08:20:26 am
Yeah, get what you mean on the external DNS but strangely at first I did it that way and again with my memory I am sure it worked.
Please don't as it was a pants idea, but at first I never used to enable the Zentyal DNS. It's so simple you might as well, and Christian is right.

Tiered filtering for groups does mean authentication? IE different filters for different groups.

PS ever get the problem with Adobe Flash or is that just an English problem :) hardly the most offensive word but hey.

Then seriously the authentication SSO debacle / Vista-Win7 Kerberos has me stumped.
Title: Re: How are you using HTTP proxy?
Post by: stuartiannaylor on September 13, 2011, 08:33:54 am
Christian the https / ssl filtering has me confused as well. My ignorance is that it's a secure socket between the web server and the client. So you can't snoop or filter?
Title: Re: How are you using HTTP proxy?
Post by: christian on September 13, 2011, 09:30:34 am
No, because of SSL, one cannot filter content (meaning decide not to relay the page to the requester because of non-authorized content, virus or whatever).
However, the proxy can decide, at the time the user requests access to the server, not to relay because the domain or URL is part of a blacklist. The link between client and server is not yet established at this stage.

Then you may notice that more and more proxy providers are implementing mechanisms permitting to "intercept" HTTPS flow at proxy level in order to filter content. This is done implementing "man in the middle" stuff: with this, one will have SSL between client and proxy and SSL between proxy and server, proxy faking certificate exposed by server in front of client. This is another debate but good to know isn't it?
I wonder if this is now feasible with Squid ???
Title: Re: How are you using HTTP proxy?
Post by: stuartiannaylor on September 13, 2011, 12:25:11 pm
I am glad you mentioned that Christian. I have done my usual and thought what's the point of filtering https if it can't be done. As you rightly point out domain filtering can be. That's a major battle done in one and my assumptions had overlooked this.

If you are involved in public, education or community systems there are a hell of a lot of sites and proxies that use the https loophole to bypass filtering.

Looks like when 2.2 arrives  :) I will be going back to my wpad and pac file config with the zentyal DNS module.

I have been having a google for https content filtering / squid / dansguardian and there would seem to be nothing open source.
I get your piggy in the middle https scheme with products such as http://www.komodia.com/products/komodias-ssl-decoderdigestor/ or http://www.cymphonix.com/EXNetworkComposer.html exist as commercial closed offerings.

If you have the time a how-to based on application and target, i.e. "http & https domain filtering with http content filtering with browser auto-config in one", would be an excellent addition as the documentation is fragmented at the moment.
We have the Zentyal technical offering, separate browser auto-config and the fact the transparent proxy allows many https loophole sites so forcing https through dans is required.

You have changed my mind on my installs and it now seems strange that the majority of us just use the transparent mode (from the poll)

I would love to get the authentication mechanisms going without plain-text authentication login-boxes. As I want to employ tiered filter policies for group hierarchies and want to log user activity to DB level.
https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/ makes the settings a little easier in firefox.
But as I see it the Zentyal methods will have to wait for SSO and kerberos.

Thanks
Stuart
Title: Re: How are you using HTTP proxy?
Post by: christian on September 13, 2011, 02:22:51 pm
1 - Figures in the poll: it makes sense. Transparent proxy = less administration at client level although a bit more at proxy and firewall. Furthermore, the Microsoft way of working: as this is transparent and works (more or less), you don't need to understand how it works  :P

2 - Browser Single Sign On: better to hear a bit more about Zentyal plan in term of Kerberos implementation. A lot of debate to come here  :)

3 - look at this if you plan to "intercept" SSL flow:
http://wiki.squid-cache.org/Features/SslBump
and this too http://wiki.squid-cache.org/Features/DynamicSslCert
Oops, I should refrain from adding more entropy here and there  :-[ but this aspect of infrastructure is so funny  :P
Title: Re: How are you using HTTP proxy?
Post by: vshaulsk on September 13, 2011, 03:09:37 pm
Ok I have a couple of questions:

I have created a virtual host wpad.home.lan (bound to 100.100.100.100)  When I go to the DNS section I see my home.lan and when I click on it ... I see wpad under hosts with the IP above.

Does this mean for every single domain wifi.guest, wifi.lan, DMZ etc..... I will have to create a virtual host?

Second:
I have never created a virtual host before so I am not sure where zentyal creates these directories.

Also when I look at the example of the wpad.dat example.... I am having trouble figuring out which parts I would need to change and could I use the same code for every domain (wifi.guest, wifi.lan, DMZ).  I don't want my DMZ subnet (192.168.0.0) to use proxy and just go direct to the net.  (I take it in the code where it says zentyal.yourdomain.com I would change that to something like server1.home.lan)

Third:
On the file browsers .... firefox... will I have to change the clients configuration to auto detect proxy settings???  I take it the default configuration does not work??

Thank you !!!!!
Title: Re: How are you using HTTP proxy?
Post by: christian on September 13, 2011, 07:18:35 pm
Quote
Ok I have a couple of questions:

This just shows that I need to improve my documentation.

Quote
I have created a virtual host wpad.home.lan (bound to 100.100.100.100)  When I go to the DNS section I see my home.lan and when I click on it ... I see wpad under hosts with the IP above.

Does this mean for every single domain wifi.guest, wifi.lan, DMZ etc..... I will have to create a virtual host?

If you use DNS mechanism, then wpad.home.lan will be used only by hosts for which fqdn is something.*.home.lan but not, for instance by something.wifi.lan

This means that you have to create one virtualhost per domain.

Quote
Second:
I have never created a virtual host before so I am not sure where zentyal creates these directories.

It's up to you in the config file (/etc/apache2/sites-available/ebox-wpad.home.lan, look at the DocumentRoot section).

Quote
Also when I look at the example of the wpad.dat example.... I am having trouble figuring out which parts I would need to change and could I use the same code for every domain (wifi.guest, wifi.lan, DMZ).  I don't want my DMZ subnet (192.168.0.0) to use proxy and just go direct to the net.  (I take in the code where it says zentyal.yourdomain.com I would change that to something like server1.home.lan)

Well... proxy.pac describes what you intend to reach, not who or what tries to reach it. Thus this may need a specific virtual host for DMZ based clients but it could be tricky or over-complex. In such a case, you can choose the DHCP mechanism that will describe, per DHCP range, which wpad to use. DHCP will be tried before DNS, so even if you have a DNS domain that is reached by multiple DHCP ranges, DHCP will go first.

Quote
Third:
On the file browsers .... firefox... will I have to change the clients configuration to auto detect proxy settings???  I take it the default configuration does not work??

on IE, as far as I know, default is auto-discover. On firefox, I don't remember but I don't think it is set like this so, yes, you have to change it.

I'll try to improve my documentation later.
Title: Re: How are you using HTTP proxy?
Post by: christian on September 15, 2011, 11:52:59 am
FYI, I've updated this "Howto" http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign in order to reflect new features thanks to Zentyal 2.2.
DNS SRV and TXT records can now be used to describe wpad location.
I will test it soon.

I also tried to make some sentences clearer, thanks to your remarks.
Title: Re: How are you using HTTP proxy?
Post by: stuartiannaylor on September 15, 2011, 12:07:38 pm
Looks excellent to me. Many Thanks.

Christian this brings me to another thread.
You have submitted an excellent document into the community. You have added community product that is freely available.
Zentyal might want to use your document to provide your solution into the Enterprise GUI in the proxy section.
To me this is the perfect place to fork a commercial Enterprise product.
There should be no difference in the community version and enterprise product in terms of features.
The only difference is that the enterprise product should be polished so that hacking isn't required and it works out of the box. The community is supported by the community and yes we get the same product but have to provide some hacks (your excellent documentation) as opposed to selecting certain options in the Admin GUI.

http://forum.zentyal.org/index.php/topic,8023.msg32734.html#msg32734
Title: Re: How are you using HTTP proxy?
Post by: christian on September 15, 2011, 02:34:32 pm
Stuart,

I'm not sure I get your point. Perhaps my English is not at the right level yet ;)
However debate you launch is an interesting one, except that it may lead us to very long exchanges  ::)

To me, different products may exist, one open and potentially supposed to be adapted and one polished and closed with SLA. This is one model. Another model, and I believe Zentyal is on this last one, is to have only one single product, same for community and commercial targets, difference being additional services for customers willing to pay for it.

If Zentyal benefits from inputs, add-on, documentation or whatever idea community brings in, this is fine with me. We are in a kind of win-win model: community benefits from free product, helps to improve it and this may increase number of customers asking for commercial services on top of the free, shared, backbone.

If Zentyal, as a company, wants to add, in HTTP proxy section, features to handle WPAD, I've no problem at all with this. I haven't invented anything here  ;) and my major contribution, if any, is to try to convince people that "transparent everything" is, most of the time, the wrong way of dealing with reduction of administration cost and burden.
So I'm more on the religious side, if I can say so  :-*

Title: Re: How are you using HTTP proxy?
Post by: vshaulsk on September 15, 2011, 03:31:43 pm
I have a different question along the proxy line?

I have a couple of VLANs running.... for most of them the WPAD approach would be awesome.  However I have one VLAN (wifi.guest) which, as you could have guessed, is only used for guests coming over.  With the new captive portal module I am planning on leaving the wireless AP for that VLAN wide open and have all traffic redirect to the captive portal screen.  This way when people come over I can just give them a generic username and password (guest1 password1) to log in.  Most of those guests either don't have their browser set up to automatically find proxy settings or are using mobile phones which might not have that option.  I don't want them to have any issues accessing the internet and I don't want to change any settings on their end.

My question is it possible to have transparent proxy setup for that one VLAN, but use the WPAD method for all other VLans???????

Title: Re: How are you using HTTP proxy?
Post by: christian on September 15, 2011, 03:41:57 pm
:-)  your question could have been simpler  :P
I'm not sure not to reach my own limit of competence on this specific topic...  :-[

Well, this could be achieved, from what I understand, with some specific rules at firewall level to redirect ports on this interface, assuming users using the captive portal are connected on a dedicated subnet.

The idea is to define here the same rules as the ones used for transparent proxy: when a request is received by the firewall, forwarding rules redirect it to the proxy. BTW, this is the reason why HTTPS cannot be filtered by the proxy, just because of this redirection at FW level.

So you could enable such rules for your dedicated VLAN only and I believe it would do the trick. Still I'm not 100% sure and never tried.  Let us know in case you succeed.

Hey Zentyal gurus! any feedback or input?  :D

More specifically, it requires:
- Not to bind Squid on this VLAN interface
- Not to let these devices use the DNS "well-known alias" mechanism
- To nevertheless create wpad.dat with a "DIRECT" statement in case devices on this subnet pick up proxy.pac

hummm, it definitely deserves to drill down  :o
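Putting the three points just listed and vshaulsk's earlier DMZ question into one file, here is an added example of a wpad.dat (not the HowTo's file and not Zentyal's own; server1.home.lan, port 3128 and the /24 masks are assumptions). It goes one step beyond the reply: PAC scripts can call myIpAddress(), so a single file can answer DIRECT for the DMZ and wifi.guest clients instead of needing a virtual host per source network, while still sending everything else, HTTPS included, to Squid.

```javascript
// wpad.dat for the layout in this thread (added example; not the HowTo's file
// and not Zentyal's own). Host names, the Squid port and the /24 masks are
// assumptions extrapolated from the thread.
//
// Browsers provide isPlainHostName, dnsDomainIs, isInNet and myIpAddress
// natively. Small stand-ins are defined below so the decision logic can be
// checked with node before the file is published on the wpad virtual host.

const PROXY = "PROXY server1.home.lan:3128"; // assumed explicit Squid endpoint
const DIRECT = "DIRECT";

// Client networks that must never use the explicit proxy (assumed /24 masks).
const DIRECT_CLIENT_NETS = [
  ["100.100.100.0", "255.255.255.0"], // wifi.guest: served by transparent redirect
  ["192.168.0.0", "255.255.255.0"],   // DMZ: straight to the internet
];

// Destinations reachable without the proxy: home.lan itself and loopback.
const LOCAL_DEST_NETS = [
  ["200.200.200.0", "255.255.255.0"],
  ["127.0.0.0", "255.0.0.0"],
];

function FindProxyForURL(url, host) {
  // 1. Who is asking? PAC exposes the client address, so one file can return
  //    DIRECT for subnets that must bypass the explicit proxy.
  const me = myIpAddress();
  for (const [net, mask] of DIRECT_CLIENT_NETS) {
    if (isInNet(me, net, mask)) return DIRECT;
  }
  // 2. What is being reached? Internal names and addresses bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".home.lan")) return DIRECT;
  for (const [net, mask] of LOCAL_DEST_NETS) {
    if (isInNet(host, net, mask)) return DIRECT;
  }
  // 3. Everything else, http:// and https:// alike, goes to Squid. HTTPS is
  //    carried as a CONNECT tunnel, so no port-443 firewall redirect is needed
  //    and Squid can still refuse blacklisted domains before the tunnel opens.
  return PROXY;
}

// ---- stand-ins for the browser's PAC helper functions -------------------

// Client address; browsers supply this, here it is settable for tests.
let clientIp = "200.200.200.50"; // constructed default: a home.lan client
function myIpAddress() { return clientIp; }
function setClientIp(ip) { clientIp = ip; }

function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

// Dotted quad -> unsigned integer, or null if not a literal IPv4 address.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// The browser's isInNet resolves host names; this stand-in only accepts IP
// literals and treats anything else as "not in the network".
function isInNet(ip, net, mask) {
  const a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}
```

When published, the file is served as-is by the wpad virtual host; the stand-in section at the bottom is harmless there because the browser's own built-ins take precedence only for the names it defines, and setClientIp is never called.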
Title: Re: How are you using HTTP proxy?
Post by: vshaulsk on September 15, 2011, 04:26:58 pm
Trying to figure out what the specific rules are is what's going to be an issue.

Currently I can't isolate any subnets from one another using the firewall rules when transparent proxy is turned on.

Example.
I have set up a firewall rule between object wifi.guest (100.100.100.0) and object home.lan (200.200.200.0) to deny any connections.  When I try to ping or tracert everything works correctly and clients which belong to these two object subnets don't connect.
However when I try to access a control dashboard through HTTP it connects through the transparent proxy. Under logs nothing is showing up in the firewall, but under proxy logs (zentyal dashboard) it shows the connection.
I have tried several firewall rules to somehow block the transparent proxy from picking up these connections, but it does not work. 

I can't find a service that controls how transparent proxy picks up traffic and until I do I am not sure if I will be able to control my VLAN scenario.  The proxy should work with the rules set by the firewall, but it does not seem to be doing this. 

One other thing based on your documentation for wpad: the clients on wifi.guest will never pick it up because they will be searching the wpad.wifi.guest domain which does not exist.  Since they will not be able to find this wpad.wifi.guest domain there should be no need for a rule in the wpad.dat file for subnet (wifi.guest) = direct.  Am I thinking correctly or am I still not understanding how DNS and WPAD work???
Title: Re: How are you using HTTP proxy?
Post by: christian on September 15, 2011, 04:46:31 pm
You are definitely thinking correctly... or at least I'm thinking the same and have not the feeling I'm wrong here  ;D

Joke aside, if your domains are different, then you're perfectly correct about catching or not wpad DNS record.

Regarding use of transparent proxy: in transparent proxy mode, HTTP port is redirected to Squid (localhost 3129). At Kernel level or FW? I think it's FW but involves kernel feature. hummmm  ???

If you set up Squid in non transparent mode and tune FW redirection port to catch only source from 100.100.100.0, then it works:
from 100.100.100.0 you will have transparent proxy behaviour
from 200.200.200.0, you will never have transparent proxy and will access Zentyal web pages directly.

does it make sense to you or am I wrong?

What I need to fine tune is the capability to tune these catching rules.

Your question is triggering another one that is capability to have Squid service binding on all - or not - interfaces. It requires some hook here to have Squid binding only on the home.lan subnet (http_port 200.200.200.x 3128).

This could be useful for some advanced configuration but then I'm afraid it will not ease use from SMBs... it's difficult to always try to find the right balance between flexibility and easiness  :-[
Title: Re: How are you using HTTP proxy?
Post by: vshaulsk on September 15, 2011, 08:27:18 pm
Thank you for the information !!

I agree that this setup is probably more complicated than most SMB require. 

I will play with it and see if I can get it working.... I think once I figure out what firewall rules work with controlling how traffic gets directed to the transparent proxy than I will be able to set this scenario up on a basic level.... just to get me by for now.


Also I will try to search the internet about how to hook squid to a particular VLAN just like you can do different DHCP servers/VLAN.... I would like to set up different squid modes/VLAN.

Perhaps if I find a way to set it up like I want (transparent with filter for my wifi.guest) and (authenticate + filter for my home.lan) so that squid binds to particular 802.1Q VLAN trunks.... I will take a look at how to make it possible to set something like this up at dashboard level.  It will make things more complex, but I think it could be useful on an infrastructure level.
Title: Re: How are you using HTTP proxy?
Post by: Sam Graf on September 17, 2011, 02:30:43 am
Since Christian dislikes the transparent proxy as not being the technically right way to do things, I thought I'd add some possible ammunition to the anti-transparent-proxy argument. It appears that trying to run at least some zero client hardware behind a Zentyal transparent proxy interferes with establishing at least a Citrix HDX connection.

I don't actually understand why, though. First of all, HDX connections get routed to HTTPS, as I understand it (maybe the problem occurs right there?). Second, there is no place to configure a proxy in the zero client I'm using. Yet simply disabling Zentyal's transparent proxy option seems to make a difference.

I need to experiment more, but I've lost a couple of hours and a handful of hair trying to figure out where my HDX connection was going wrong, and it's somewhere at the proxy. It may be an artifact of using a transparent proxy.
Title: Re: How are you using HTTP proxy?
Post by: christian on September 17, 2011, 09:48:22 am
Sam, I do not "dislike" transparent proxy.  ;D ;D ;D

Trust me even if all what I write shows the opposite  ;)
What I really don't like with transparent proxy is not the technical implementation but the fact that people go for this not understanding what are the pros & cons.
In some cases, I really do understand that transparent proxy could be the best implementation (some few cases only, do not think I've totally changed my mind  :D)

And my is not with proxy only but with "transparent everything" approach, surprisingly especially with such solution targeting SMBs: this kind of design targets people or organization not necessarily understanding all the technical stuff and the goal is of course not to change this. I mean that because they don't understand, solution has to make it easy and reliable and the transparent approach which looks the easiest is in fact the most complex because of the side effects requiring tricks at FW level for HTTPS plus some other unexpected stuff.

Of course, this reflects my own personal view only  8)
I can see that large majority is using transparent mode: Zentyal documentation promotes this. Therefore my documentation trying to show "something else"...  :-*
Title: Re: How are you using HTTP proxy?
Post by: stuartiannaylor on September 17, 2011, 01:17:42 pm
The transparent proxy is good for an "out of the box" solution.
There is a huge amount of https holes and services out there that allow the proxy to be bypassed.

So like Christian if I was going to install and configure the proxy I wouldn't use the standard transparent settings.

It's great though that we have the choice and documentation to support this.

Stuart
Title: Re: How are you using HTTP proxy?
Post by: Sam Graf on September 17, 2011, 02:47:48 pm
I think my point of view is that a transparent proxy is a consumer or a mobile approach to proxies, and I think that the discussions here tend to miss this whole aspect of the conversation. Admins may still be able to argue that they make the call, but SMB technology deployment is heavily influenced by consumer-think and mobile-think through end users. If nothing else, the combination of Apple's growth and their long tradition of keeping technology as transparent as possible to the end user is changing expectations. And we SMB admins, sooner or later, are going to have to acknowledge those expectations.

I personally get confused by the range of views often presented here, keeping me from understanding where the center of gravity is in the Zentyal community. Some people won't think of asking mom to use a PPTP connection on her iPad. But it seems like expecting mom to change her iPad's proxy settings on the fly might be the right thing to do ... :o ;D

Anyway, for once I wanted to participate in the Zentyal-specific technical side of the proxy discussion. Consider the dilemma I face: We use a transparent proxy because I have empirical evidence that asking staff to master changing their own proxy settings on mobile devices (including regular old notebook computers) amounts to asking a lot of mom. But it appears that Zentyal and Wyse zero clients don't play nicely together in a transparent proxy arrangement. I end up pretty much all by myself (sniff) lobbying for a Zentyal design approach that looks to the future of the SMB market, where big guns are promoting virtualization and private cloud technology as affordable options during the impending XP-EOL-driven refresh cycle.

These vendors see business investment dollars coming their way if they can spread the word, so much so that their reps even talk to small operations like ours and even communicate with big distributors on our behalf for special pricing. But Windows-powered servers are still the understood infrastructure platform, not Linux-based solutions in general and not Zentyal in particular. Zentyal "needs" to allow, at the GUI level, for selective proxy bypass, for DHCP options, and whatever other roadblocks might come up to transparent Zentyal implementation in SMBs.

So my contribution to this discussion is that weighing the merits of proxy transparency is an excellent idea, and it is absolutely true that a knowledge of the pros and cons makes for a much wiser admin. But ... let's not make the mistake of thinking a self-contained a-contextual discussion of transparent and non-transparent proxies is the end of the conversation. The knowledge gained is vital, but real-world SMB admins work in a context that is not so neatly confined to proxy pros and cons. As a real world admin trying to keep technology as transparent to my "customers" as I can while dealing with business and budget realities, I am faced with trying to deploy virtualization technology that understandably assumes a Windows environment while increasing our use of mobile and road warrior solutions but trying to retain Zentyal, which almost entirely lacks the GUI tools I need to make things work even when the underlying technology doesn't. And I'd like maybe even to take a day off once in a while during all this ...

I dunno ... I'm a little tired and just a little guy in a rapidly changing SMB market. I probably should just throw in the towel and do what the majority are doing on the infrastructure side of things and go camping more often ... I'm getting too old to do much else. :)
Title: Re: How are you using HTTP proxy?
Post by: christian on September 17, 2011, 03:06:41 pm
Sam, I think we are really in line with the points, not with the conclusion  ;D

Goal is not to ask mom to change any settings, this I do share.  ;)
Goal is not to ask SMB admin to implement or even understand complex technical stuff. I'm fully in line with this too.  ;D

So what? It has to be simple from an end-user standpoint. This is what I share with you.
Does it mean that technical implementation behind has to be the "transparent" one? Oh no!!!  :-\

Have a look at Apple documentation http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf (http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf) and you will surely notice that Apple's proposal for proxy management is either manual (which is not practical, I share) or WPAD, BTW what I'm pushing for when it comes to using the proxy in its most efficient way.

This is also the default value for Internet Explorer  ;)
I mean any IE browser will not require any single change.
So, what is my point at the end?

If Zentyal had included in the HTTP proxy module all the (easy) stuff to automatically set up WPAD instead of explaining the painful "firewall rules to permit HTTPS but not filter it", this debate would never even have been raised.
This is what I really mean  :-X :-X :-X

Still I do appreciate your effort to keep debate on the right side that is to ease SMB deployment. I target the same here, trust me  ;)
Title: Re: How are you using HTTP proxy?
Post by: Sam Graf on September 17, 2011, 03:17:39 pm
My boss brings her company-supplied iPad to work. I may have some control over what happens there :) . But then she grabs a staffer (who also has a company-supplied iPad) and heads off to the local coffee shop to conduct a meeting that relies on both being able to use the coffee shop's free Wi-Fi connection. Obviously I have lost whatever control I had over the configuration requirements of these iPads. Now what?
Title: Re: How are you using HTTP proxy?
Post by: christian on September 17, 2011, 03:22:35 pm
hehe... nothing  ;D
If you set up WPAD infrastructure at the office, it will work, and when she goes outside to a location where it is believed that transparent proxy is best, it will work exactly the same.

I mean to say that if no proxy.pac file is found, then the browser will behave as if no proxy was defined (indeed there is none in such case) and the transparent proxy will be used.

Do you really think that I'm used to changing my proxy settings when I move with my laptop from hotel to airport then the office? No I don't, except when I reach a network where the proxy must be set manually. Everything else is transparent.  8)
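The WPAD behaviour christian describes (the browser fetches a proxy.pac, applies its rules, and simply goes direct when no file is found) comes down to one JavaScript function, FindProxyForURL, in that file. The following is an added example of such a proxy.pac, not a file from the original thread or from Zentyal itself. The proxy address 192.0.2.10:3128, the domain example.lan, the LAN range 192.168.1.0/24 and the "*.bank.example" pattern are constructed placeholders. Browsers supply helpers such as isPlainHostName(), dnsDomainIs(), isInNet() and shExpMatch() to the script; minimal re-implementations are included here so the file can be exercised outside a browser (for instance under node) before it is published on the wpad host.

```javascript
// Added example: a minimal proxy.pac of the kind a browser retrieves through WPAD.
// It is not Zentyal's own file; all addresses and names are constructed placeholders.
//
// The helpers below mimic the functions a browser provides to PAC scripts so the
// script can be run and unit-tested offline. Only IPv4 literals are handled.

function isPlainHostName(host) {
  // A "plain" host name has no dots, e.g. "intranet".
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with domain, e.g. ("fileserver.example.lan", ".example.lan").
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Dotted quad to 32-bit integer; null for anything that is not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// The browser's isInNet() resolves host names; this offline version accepts IP literals only.
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  // ">>> 0" keeps the comparison unsigned; "&" alone yields a signed int32 in JavaScript.
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Shell-style wildcard match as used in PAC scripts: only "*" and "?" are special.
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

var PROXY = "PROXY 192.0.2.10:3128";  // constructed: the Zentyal box running squid on 3128

// Entry point the browser calls once per request; returns a proxy directive string.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet names and the local LAN bypass the proxy (selective bypass).
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.lan") ||
      isInNet(host, "192.168.1.0", "255.255.255.0") ||
      host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Sites whose TLS sessions must not be proxied, e.g. online banking (constructed pattern).
  if (shExpMatch(host, "*.bank.example")) {
    return "DIRECT";
  }
  // Everything else goes through the proxy; "; DIRECT" tells the browser to connect
  // directly if the proxy itself is unreachable.
  return PROXY + "; DIRECT";
}
```

Two points for whoever deploys something like this: the trailing "; DIRECT" fallback only makes sense if the firewall still blocks direct outbound HTTP from client subnets, otherwise a client that cannot reach squid silently skips filtering; and the file should be served with the application/x-ns-proxy-autoconfig content type from the host the DHCP option 252 or the wpad DNS name points at, otherwise browsers treat the lookup as "no proxy.pac found" and behave exactly as described above.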
Title: Re: How are you using HTTP proxy?
Post by: Sam Graf on September 17, 2011, 03:31:56 pm
Right. But we're not talking about you, but about Sam, who has multiple responsibilities, like almost every SMB admin he knows, and who wants to use Zentyal but does not have the time or the energy to hack it to make it work. He picked Zentyal in the first place, after all, on the strength of the promise of a Linux server for dummies.

So he reads the documentation you have graciously provided, understands as best he can the pros and cons, and then picks a transparent proxy anyway since that's his only practical, customer-friendly option, as far as he can tell. This isn't taking into account what could be, only what is, I admit. But I don't think I'm stretching reality too far in doing so.
Title: Re: How are you using HTTP proxy?
Post by: christian on September 17, 2011, 03:50:14 pm
No you are not stretching reality.
At least you made your choice understanding pros & cons, which was my initial goal  8)
If we stay on this, I do not try to convince you to change. It works and you're happy with this. So far so good and I don't see why I should push you forever to do something you don't want to do.

Zentyal documentation, although quite good, is lacking some inputs for decision making for people not understanding the technical stuff when components can be configured in different ways.

Having said that, if we discuss further technical aspects, then this is different and for sure I will react because I've my own standpoint and you know "transparent" approach is not the one I prefer  ;)

As a matter of conclusion, at least from my side, let me describe something to you:
- next time your boss goes outside and connects to a network where WPAD is deployed (and therefore where there is no transparent proxy), in case her browser is not configured to check for proxy.pac, she will not be able to access the internet  :( until she manually modifies her browser settings... No I'm not trying to convince you  ;D
oh... I was joking because you are lucky: she is using iPad and Apple, according to what I read in the documentation, permits only either manual proxy or WPAD. Still my point is valid with any browser configured with "no proxy" because of transparent proxy at the office, at home or wherever you want.

TTFN. cheers,  :-*
Title: Re: How are you using HTTP proxy?
Post by: Sam Graf on September 17, 2011, 04:16:58 pm
If it were down to hacking only one thing to make some special case work properly under Zentyal, then Sam could and should just sit down and "learn Linux" and get over himself ;D. I don't consider proxy management or UPS management, for example, to be special cases in an SMB world. There will be (and should be) some segment of the Zentyal community that will be inclined to manually fix whatever Zentyal lacks. But if we, as a community, want to begin a serious "spread the word" initiative, we need to be able to bring as few caveats and disclaimers to the conversation as possible.

Soon, we will have, if I can swing it with management, paid Zentyal subscriptions in three geographically separate locations. Please understand that I need to make an "it just works as a scalable cost effective solution that doesn't depend on Sam's hacking ability" business case. Management, right or wrong from a technical point of view, is a technology consumer first and foremost and is looking at the path of least resistance as part of the cost effectiveness calculation. If a more expensive solution, even a significantly more expensive solution, transparently supports key business initiatives (technological and otherwise) and does so people-independently, then the purchase decision will go that way. In the somewhat cloistered community here, where values put on open source solutions in general are high, that kind of business transaction may make no sense. Even if true, I can't help that. And I don't think I'm the only admin in the world--or, more importantly, in Zentyal's potential market--in that situation.

I have begun to sound like a broken record. I have two weeks at work to make whatever case I'm going to make and I need to prevent that process from spilling over here inordinately, so I've had my say. Back to staying focused on supporting other Zentyal users, real life, and maybe, if the weather holds, one more camping trip for the year. ;D
Title: Re: How are you using HTTP proxy?
Post by: stuartiannaylor on September 17, 2011, 04:19:20 pm
I have to disagree, the community version should be hackable. Firstly an open system means open. It should represent the body of feedback the community (users) find advantageous. Organic growth through usage is very important and how we use Zentyal should dictate direction.
I just believe that "Highly integrated server of any platform for dummies is an extremely polished product" maybe you are talking about an enterprise product. Or be resigned that a community will support your requirements.

More of a question than a disagreement?

Stuart
Title: Re: How are you using HTTP proxy?
Post by: Sam Graf on September 17, 2011, 04:36:51 pm
I agree that the product should stay open. eBox/Zentyal is a better product today because people hacked it and contributed their work back to the product.

At the same time, I think I should be able to say that some things aren't special case but also still missing from Zentyal. I should also be able to say that subscribers should not always have to hack, or pay to have hacked, Zentyal to have missing items included. It's fine to have fund raising campaigns and community contributions to grow the product, absolutely; but I cannot imagine that it is always appropriate to try to make a business case for Zentyal implementation that always includes a hacking-is-required to use this product now and/or into the future disclaimer. That kind of thing is common to enterprise support contracts, not SMB boxed solutions. Even Citrix told me, "if you find it not working for you, we agree that it should be, and we'll fix it." They are thinking in terms of leveraging the knowledge they gain from the field into a better product and multiple happy paying customers. :)
Title: Re: How are you using HTTP proxy?
Post by: half_life on September 17, 2011, 09:39:47 pm
Sam,  I too feel your pain.  I am in charge of a department of three, me, myself, and I.   I have made the case to my upper management that it is a matter of "when you pay" vs "if you pay".  Open source allows you to defer the costs.  At some point in the future you will either

a) require the help of an outside vendor
b) hire a replacement admin

Zentyal gives the typical PHB the best fighting chance of keeping things running while he picks between the two options above.  As you well know Sam,  being "THE ADMIN"  forces you to know the details of quite a few technologies that are normally spread over many specialists in a large organisation.  Our datacenter for instance has two largish servers (16 core, 48g ram)  to support several virtualised servers.  We use Zentyal for the gateway/infrastructure while using Elastix for the telephony aspects.  Add in a few more VM's for vertical apps and Document management and we are into the "pure magic" range for the typical PHB.  The point I am trying to make is that eventually the choice listed above will be forced on your boss.  Wouldn't it be easier to establish the relationship now rather than later?

To stay on topic:   I am adding support for tablets with the rollout of Zentyal 2.2.  I intend to require VPN access to interoperate with our software.  Otherwise surfing/internet is best handled directly to the wireless carrier.  In the office it will continue to be via transparent proxy.  I am also toying with the idea of using the captive portal application to control access to the internet.