>> all user-squids have a "few" (or many?) acls with which they can determine
>> if they have to forward the request to "main intranet", "main extranet" or
>> "main internet". so the user squid decides which type of request it is
>> (intranet/extranet/internet) and then asks the responsible squid at our
>> headquarters.
>>
>> so that means:
>>
>> some.local.server: user-squid -> DIRECT (if local.server is located in subsidiary)
>> some.main.server: user-squid -> squid main intranet -> DIRECT to some.main.server
>> some.subsidiaryB.server: user-squid (subA) -> squid main intranet -> "user"-squid in sub B -> some.subsidiaryB.server
>> www.google.de: user-squid -> squid main internet -> FW -> DMZ -> internet -> google.de
>>
>
> sorry but why go the easy way if there is a complicated one right ... :)
>
> or I do not understand what you are trying to say here
>
> but if I understood your plan, then nothing needs to be done at the remote
> server site, only at the front end squid
>
> since the frontend is the server connected to other networks it is the
> place where things should be done, but that is only the easier way
>
>
> Michel

sure, but it's not that simple. there are local (at user-squid) acls which are also responsible for restricting access. e.g. internet access is restricted to some users, we also distinguish between "browsing" and "downloading" the internet, for that we use NTLM auth together with "some" local acls. with this scenario we provide services at about 150 subsidiaries and 30.000 users...

markus
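
The routing described in this thread, sketched as a user-squid configuration. This is an added example, not a configuration posted by either participant; all hostnames, domains, ports, peer names and the user-list path are constructed placeholders, and it assumes NTLM authentication (`auth_param ntlm ...`) is already configured elsewhere in the file. The "browsing" versus "downloading" distinction is not modelled.

```squidconf
# --- Destination classes decided locally at the user-squid (placeholder domains) ---
acl dst_local     dstdomain .suba.example.internal      # servers in this subsidiary
acl dst_intranet  dstdomain .example.internal           # HQ and other subsidiaries
acl dst_extranet  dstdomain .partner.example.net        # extranet partners

# --- Local access restriction: only listed users may reach the internet ---
acl authenticated  proxy_auth REQUIRED
acl internet_users proxy_auth "/etc/squid/internet_users.txt"   # placeholder path

http_access deny  !authenticated
http_access allow dst_local
http_access allow dst_intranet
http_access allow dst_extranet
http_access allow internet_users
http_access deny  all

# --- Parent squids at headquarters (placeholder hosts) ---
cache_peer intranet-squid.hq.example.internal parent 3128 0 no-query name=main_intranet
cache_peer extranet-squid.hq.example.internal parent 3128 0 no-query name=main_extranet
cache_peer internet-squid.hq.example.internal parent 3128 0 no-query name=main_internet

# --- Forwarding: local servers DIRECT, everything else via exactly one parent ---
always_direct allow dst_local       # evaluated before never_direct
never_direct  allow all             # no direct fallback if a parent is down

cache_peer_access main_intranet allow dst_intranet !dst_local
cache_peer_access main_intranet deny  all

cache_peer_access main_extranet allow dst_extranet
cache_peer_access main_extranet deny  all

cache_peer_access main_internet deny  dst_local
cache_peer_access main_internet deny  dst_intranet
cache_peer_access main_internet deny  dst_extranet
cache_peer_access main_internet allow all
```

Because `http_access` is evaluated at the user-squid before any forwarding decision, the per-user internet restriction is enforced locally even though the request is ultimately served by a headquarters parent.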