What do you mean by 'pushing the proxy settings over'? How can I accomplish what you are saying?

On Mon, May 13, 2013 at 1:39 PM, Daniyal Khorashadi Zadeh <daniyal.khorashadizadeh@xxxxxxxxx> wrote:
> What do you mean by 'pushing the proxy settings over'?
> How can I accomplish what you are saying?
> And thank you very much for your concern guys :)
>
>
> On Mon, May 13, 2013 at 1:13 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>
>> On 13/05/2013 8:26 p.m., Alex Domoradov wrote:
>>>
>>> On Mon, May 13, 2013 at 11:18 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>
>>>> On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
>>>>>
>>>>> You can use acl arp, for example
>>>>>
>>>>> acl BIG_BOSS arp 01:02:03:04:05:06
>>>>>
>>>>> On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
>>>>>>
>>>>>> Assume the executive of your corporation sits at his clerk's desk PC and
>>>>>> logs in to his username on the network (authenticated with Active
>>>>>> Directory). Of course he wants his full access to the internet, but he
>>>>>> can't because his IP address is different from what we set in squid
>>>>>> for his PC.
>>>>>>
>>>>>> We authenticate users in Active Directory, and set their gateways to the
>>>>>> squid server so we have a transparent squid. We don't want our users
>>>>>> to be authenticated a second time in the browser...
>>>>
>>>>
>>>> This makes no sense at all. It is a simple matter for the browser to send
>>>> the already authenticated AD credentials to Squid for Squid to confirm them
>>>> with AD. It's called single-sign-on to most people familiar with MS
>>>> products, and works with all forms of HTTP auth.
>>>
>>> will it work with transparent mode?
>>
>>
>> Ah, "transparent". Single-sign-on *is* "transparent" authentication. Except
>> that is not at all what you mean.
>>
>> The "transparent" interception you use is only getting in the way because
>> you are not pushing the proxy settings over, just the gateway settings. If
>> you push *both* over to the client then all software which uses the proxy
>> settings correctly will be able to do single-sign-on, for a transparently
>> configured and authenticated proxy. The ones which do not will have to use
>> interception and can be controlled with different security settings in the
>> proxy.
>>
>>
>>>
>>>> It is also a simple matter for Squid helpers to take the IP (or EUI / MAC
>>>> address even) and verify them against AD to confirm there is a user logged
>>>> in on that machine and retrieve the details of said user back to Squid. The
>>>> external ACL helpers routinely do this for group checks.
>>>>
>>>> However, if you base the Squid security all on the IP or MAC you *always*
>>>> run the risk of an attacker hijacking the machine or even just spoofing
>>>> that client's IP/MAC details to bypass your Squid security controls.
>>
>>
>>
>> Amos
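The split Amos describes, an explicit proxy port for clients that received the proxy settings (for example via Group Policy or WPAD; the thread does not say how they are pushed) and which can therefore do Kerberos single-sign-on, plus an intercept port for software that ignores those settings and gets a tighter, address-based policy, looks roughly like this in squid.conf. This is an added illustration, not configuration from the thread; the port numbers, service principal, helper paths, group name and subnet are placeholders to adapt.

```squid
# Explicit port: browsers configured to use the proxy arrive here and
# can answer a Negotiate (Kerberos) challenge with their AD ticket.
http_port 3128 name=explicit_port
# Intercept port: traffic that only reaches Squid because the default
# gateway points at it. No challenge is possible on this port.
http_port 3129 intercept name=intercept_port

# Placeholder principal and helper path; adapt to the local realm/packaging.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# Group check against AD on the authenticated login, as Amos mentions the
# external ACL helpers do routinely. Group name is a placeholder.
external_acl_type ad_group ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Internet-Users@EXAMPLE.COM

acl explicit     myportname explicit_port
acl intercepted  myportname intercept_port
acl localnet     src 10.0.0.0/8
acl authenticated proxy_auth REQUIRED
acl internet_users external ad_group
acl allowed_sites dstdomain .example.com

# The ARP ACL from the thread. It identifies a machine, not a user, and
# a spoofed MAC inherits the grant, so it is kept off the SSO path.
acl BIG_BOSS arp 01:02:03:04:05:06

http_access deny !localnet

# Explicitly configured clients: identity comes from the Kerberos ticket,
# never from the address. Rules on this port may use proxy_auth.
http_access allow explicit authenticated internet_users
http_access deny  explicit

# Intercepted clients: restricted policy only. Do not reference the
# proxy_auth ACL here; an intercepted browser cannot answer a 407.
http_access allow intercepted allowed_sites
http_access allow intercepted BIG_BOSS
http_access deny all
```

Checking `cache.log` for "Authentication not applicable on intercepted requests" is a quick way to find rules that accidentally mix the proxy_auth ACL into the intercept path.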