twd wrote:
The HQ office network is behind a Linux appliance running Squid in
transparent mode. All filtering / usage policies are enforced via
Dansguardian & Squid.
When users go on the road with laptops, all usage should still go through
the Squid proxy back at the HQ. So I put the proxy settings in the browsers,
lock the the settings so employees can't change them, and all works well,
UNTIL the laptop is outside the LAN.
Then I get a Squid proxy error unless I add an ACL of the public IP of the
laptop.
acl twdlaptop src ##.##.##
http_access allow twdlaptop
Then everything works just peachy, except that the IP address of the laptop
on the road necessarily changes. Is there a more flexible way to allow road
warriors to use the HQ proxy? I thought of using OpenVPN, but I'd like a
solution for laptops & Windows Mobile Phones as well, although laptops are
the more current issue.
Authentication was created for exactly this purpose.
With explicitly set proxy settings in the browsers, there is no reason
why you can't allow them to login to the proxy when they are on the
road. Or even at HQ.
Note that by entering the proxy settings in the browsers you are no
longer using "transparent mode".
Assuming by "transparent" you actually mean "NAT intercepting" you
should of course have Squid listening on one port for the intercepted
requests (authentication not possible) and another for the configured
browsers (authentication possible).
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13