On 2016-10-29 20:40, paul.greene.va@xxxxxxxxxxx wrote:
I've inherited a squid proxy at work; I'm new to squid, so this is still on the learning curve. Unfortunately no one else in the office is very good with squid either, so I'm attempting to be the resident guru.

Our network is all in private IP address space. A MS WSUS server and a Symantec Endpoint Protection Manager server need to get through the squid proxy to get out to MS and Symantec respectively for their updates. Some other servers are coming online in the near future that will also need to get out to their respective vendors to get updates, including a Redhat Satellite server.

For these WSUS and SEPM servers, they have to go through the proxy I'm working with, through a Cisco firewall, upstream to a McAfee web gateway, and through another gateway after that. After traffic gets past that Cisco firewall, a different networking group is responsible for any upstream configuration.

None of our other servers, except these specialty servers that need to get out to their respective vendors for updates, have direct access to the internet.

Our firewall guy says what he's seeing in his logs is that traffic destined for port 443, after it goes through the proxy, is trying to go straight to the vendor over the internet, rather than go through the upstream McAfee gateway as required, and thus, the traffic is getting dropped by the Cisco firewall.

I did a packet capture test with the McAfee gateway guy, and he confirmed that no traffic coming from either the WSUS or the SEPM is reaching his gateway.

I thought this line in the squid.conf file should send traffic from our proxy to the upstream McAfee gateway, but maybe I'm misunderstanding the intent of the cache_peer parent parameter.

cache_peer <McAfee Gateway IP address> parent 8080 3130 proxy-only no-query no-netdb-exchange default login=username:password

(if placement of this cache_peer parameter matters, it's currently near the end of the squid.conf file)

As a test, I configured Internet Explorer on the WSUS server to use the proxy for internet access. Without configuring for the proxy, IE can't go anywhere except the local network. IE can hit http websites (i.e. www.cnn.com) when it's configured to use the proxy, but not https websites.

The Safe_ports and SSL_ports list is the same as the squid.conf defaults.

This is squid 3.3 running on Redhat 7.

Any suggestions or pointers?

PG
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Please, use plain text (not HTML) for messages next time, as it hurts people reading messages on web archive [1]. Also, IMO, it increases the chances a message would be answered. Thanks.
[1] http://lists.squid-cache.org/pipermail/squid-users/2016-October/013308.html
Garri
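The symptom in the original question (port 443 requests leaving the proxy directly while plain HTTP reaches the upstream gateway) can be checked from the proxy side by reading the hierarchy code Squid records for each request in access.log. The script below is an added example, not part of either message in this thread; it assumes Squid's default native log format, and the log lines, hostnames and addresses in it are constructed.

```python
# Added example: classify how Squid forwarded each request, from access.log.
# Assumes the default native logformat; all sample lines are constructed.
from collections import Counter

SAMPLE_LOG = """\
1477773601.120    310 10.0.5.21 TCP_MISS/200 51234 GET http://www.cnn.com/ - DEFAULT_PARENT/192.0.2.10 text/html
1477773605.482  60003 10.0.5.21 TCP_MISS/503 0 CONNECT update.example.com:443 - HIER_DIRECT/203.0.113.7 -
1477773609.007  60001 10.0.5.22 TCP_MISS/503 0 CONNECT liveupdate.example.net:443 - HIER_DIRECT/203.0.113.9 -
1477773612.300     95 10.0.5.22 TCP_MISS/200 812 GET http://example.org/a.cab - FIRSTUP_PARENT/192.0.2.10 application/octet-stream
1477773613.000      0 10.0.5.23 TCP_DENIED/403 3900 CONNECT example.org:8443 - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one native-format line into the fields this check needs."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or custom-format line: skip rather than guess
    hier, _, peer = f[8].partition("/")
    return {"client": f[2], "method": f[5], "url": f[6], "hier": hier, "peer": peer}

def route_of(hier):
    """Map a hierarchy code to 'direct', 'none' or 'peer'."""
    if hier.endswith("DIRECT"):   # HIER_DIRECT, or DIRECT in older releases
        return "direct"
    if hier.endswith("NONE"):     # denied or answered locally, nothing forwarded
        return "none"
    return "peer"                 # DEFAULT_PARENT, FIRSTUP_PARENT, and so on

def summarize(log_text):
    """Count (method, route) pairs and list requests that bypassed the peer."""
    counts, bypassed = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        route = route_of(rec["hier"])
        counts[(rec["method"], route)] += 1
        if route == "direct":
            bypassed.append((rec["client"], rec["method"], rec["url"], rec["peer"]))
    return counts, bypassed

if __name__ == "__main__":
    counts, bypassed = summarize(SAMPLE_LOG)
    for (method, route), n in sorted(counts.items()):
        print(f"{method:8} {route:7} {n}")
    for client, method, url, dest in bypassed:
        print(f"went direct: {client} {method} {url} -> {dest}")
```

CONNECT lines logged as direct while GET lines show a parent code would match what the firewall logs in the question show. Squid's `never_direct` and `nonhierarchical_direct` directives govern whether such requests may skip the parent.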