> ~
> Hi,
> ~
> I inherited two computer labs in a school (adult ed) with 28 desktops
> running Windows XP SP2 which are part of the same network
> ~
> All 28 computers use the same group account to log in and authenticate
> via NTLM to a proxy server
> ~
> Now, company offering us Internet access is relatively large
> corporation trying to venture in the grant-based business and doesn't
> have experience running schools
> ~
> My network is fenced by pretty nasty firewall rules which appear to
> apply to the actual workers of the company (not only youtube and
> myspace are obviously blocked for employees, but also sites such as
> web-based email ones and craigslist.org)
> ~
> My supervisor told me to do whatever I could "without messing with
> things" (which we don't own) so that students/teachers could use the
> lab
> ~
> I was basically thinking of:
> ~
> 1) making all computers use one of the computers as a proxy
> ~
> 2) this computer (1) would have installed squid and would carry out
> its NTLM proxy negotiation with the proxy facing the Internet
> ~
> Should I use squid for win32 or Linux? I think squid for win32 should
> be better because it could be using win32 NTLM from the OS itself, but
> I don't really know
> ~
> What other issues should I consider?
> ~
> FW rules I am dealing with don't even the kind of syndicated content
> driven by AJAX requests (apparently because they don't send much of
> the Headers?), so if teachers took the time to put their lessons on
> the web, say at yahoo's geocities, then students cannot access it
> (?!)
> ~
> Can I play with squid caching rules so that I make sure that content
> is local before teachers get to the lab?

Can be tricky unless you have some control over where the content is coming from (not a guarantee).

It sounds like your provider is kind of paranoid about security, maybe a good thing for them and you.
What I'd do in your place is make the single machine you are planning on running squid on into a hardened gateway for the school. No direct login for anyone outside admin, no superfluous programs, services locked down as much as possible, etc. That can all be done on a single machine without affecting the rest of the net.

Then you can request a wider access for just that machine, without the provider having to worry about any of the students' PCs.

Amos

> ~
> Any tips, links or white papers with insights into these kinds of
> setups?
> ~
> The kind of info I have found online seems a bit spotty to me and I
> don't have much time to mess around with this network. I need
> step-by-step types of instructions
> ~
> Thanks
> lbrtchx
>