Hello,

I am looking for help, and I am not very good at English, so sorry in advance :). I am a system/network administrator in a company. I like open source and I have the task "to control users' HTTP traffic"; my deadline is 3 months. I refused "Fortigate" and "Astaro", which are complete commercial products. I have 110 users in all, but in one office there are about 50, so I started there.

As I know Debian a little, I chose it, with Squid as a proxy cache. I installed it on a separate machine listening on port 3128, with SNMP enabled and MRTG for monitoring, and W3Perl for making nice statistics. For now I have configured 10 users' browsers (we use Firefox as the main one, and IE for specific HTTP) to go through my proxy. Everything is working fine because Squid handles the real users' IP addresses, and the W3Perl output generated from access.log looks fine because I made a translation Name Surname - user's IP address. And it is easy to change a user's browser settings to go directly if something is wrong with the "squid-machine".

But this configuration is good only for testing purposes. Users (intermediate level) can easily change the browser settings not to go through the proxy. Yes, I know there are some methods to disable changing such settings, but doing this with 40-50 users is not a good idea :) So I need a transparent proxy configuration, in my opinion?

I have been using an "IPcop" router/firewall machine for testing purposes for one year and it works fine in my case. (It also has a built-in proxy, but I don't like it for several reasons: very weak logs, poor caching capabilities, and everything on one machine.) So I am planning to put the Squid proxy machine in the DMZ (IPcop's orange interface; as I read at http://www.deckle.co.za/squid-users-guide, it is the best place for a cache).

My trusted hosts would be on the green network (trusted), and IPcop hands off any HTTP 80, FTP 21 and HTTPS 443 requests to the DMZ (my orange) interface, to the squid-proxy-machine listening on port 3128, and Squid would then be able to communicate with the ISP's cache servers on the red side with the UDP ICP protocol, for example. Am I right?

The main question is: in that configuration, would my squid-machine be able to authenticate every user's traffic coming from green and give nice outputs with Names Surnames, or would all users' IPs from green be covered by one orange (DMZ) IP, so that the squid-machine wouldn't be able to show nice outputs based on IPs? I also have a WWW server, and am planning an FTP server, to put in the DMZ.

Please advise me how to do this in the best way, or give another configuration example, because I can't test this in practice now (my squid-machine is placed in one office and the IPcop firewall in another; different cities, different branches).

I will be waiting for any help, thanks.

--
Regards,
------------------------------------------------
Donatas Gedvilas
d.gedvilas.srk@xxxxxxxxx
8~601 78210 8~41 52 35 75
VI "Siauliu regiono keliai" IT department
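A way to check the main question above from access.log itself, as an added example that is not part of the original message: it attributes requests in Squid's native log format to named users and reports when every request arrives from one address missing from the name table, which is what the log looks like if the firewall rewrites the source address before handing traffic to Squid. The user names, the addresses (including 10.0.0.1 as the firewall's orange-side address) and the log lines are constructed for illustration.

```python
from collections import Counter

# Constructed IP -> name table (hypothetical users on the green network).
USERS = {"192.168.1.10": "Jonas Jonaitis", "192.168.1.11": "Ona Onaite"}

# Constructed requests: (timestamp, client IP, bytes, URL).
REQUESTS = [
    ("1146470400.101", "192.168.1.10", 5120, "http://example.org/"),
    ("1146470401.202", "192.168.1.11", 2048, "http://example.org/a.css"),
    ("1146470402.303", "192.168.1.10", 1024, "http://example.net/logo.png"),
    ("1146470403.404", "192.168.1.12", 300, "http://example.com/"),
]

def _line(ts, client, size, url):
    # Squid native format: time elapsed client code/status bytes method URL ident peer type
    return f"{ts}    120 {client} TCP_MISS/200 {size} GET {url} - DIRECT/192.0.2.80 text/html"

DIRECT_LOG = "\n".join(_line(*r) for r in REQUESTS)
# Same traffic as Squid would log it if the firewall rewrote every source address
# to its own orange-side address (10.0.0.1 is a hypothetical value).
NATTED_LOG = "\n".join(_line(ts, "10.0.0.1", size, url) for ts, _, size, url in REQUESTS)

def parse_line(line):
    """Return client IP and byte count from one native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 10 or not fields[4].isdigit():
        return None
    return {"client": fields[2], "bytes": int(fields[4])}

def per_user(log_text, users=USERS):
    """Count requests and bytes per named user; unmapped addresses are kept visible."""
    requests, volume = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        name = users.get(rec["client"], f"unknown ({rec['client']})")
        requests[name] += 1
        volume[name] += rec["bytes"]
    return requests, volume

def single_source(log_text, users=USERS, min_requests=3):
    """Return the one unmapped address that sent all requests, else None."""
    clients = Counter(r["client"] for r in map(parse_line, log_text.splitlines()) if r)
    if len(clients) == 1 and sum(clients.values()) >= min_requests:
        addr = next(iter(clients))
        return None if addr in users else addr
    return None

if __name__ == "__main__":
    for label, log in (("direct", DIRECT_LOG), ("natted", NATTED_LOG)):
        print(label, dict(per_user(log)[0]), "single source:", single_source(log))
```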