Hello Daniweb.

I have an issue here with my LAN network. I want to redirect all the web traffic on my LAN to a proxy server before it reaches the router and the Internet. Currently my infrastructure is like this: a client makes a request, and the request goes through the switch and straight to the router and the Internet. Now I want to enforce that whatever request is made goes through switch > proxy server > router > Internet. Is this possible? This is a way for me to control my network. I hope someone can give me a hint on how to go about this configuration. Thank you very much in advance.
Hello oxiegen. Thanks for the reply. I am actually running GTB Inspector, which acts like a proxy server. So now I want to direct all web traffic to go through the GTB proxy first before going to the router and the Internet. Is it possible? For the firewall, we only have a basic firewall configured in the router. We are yet to purchase a standalone hardware firewall. Thank you again.

There are a few options. Not all proxy solutions support these options...

1) Run the proxy service on the Internet router. Most routers that support this type of service do not actually proxy, but do URL filtering. The result is the same except that the device is not caching.
2) Run an inline proxy (between the switch and the Internet router).
3) Certain network routers have the ability to "hand off" HTTP/HTTPS traffic to a proxy server.
4) Configure your browsers to explicitly use a proxy. Then, on your perimeter firewall/router, block all outbound HTTP/HTTPS traffic for all hosts except your proxy. This will force clients to configure their browsers if they want access to the Internet, since the proxy will be the only host that has access through the firewall (a very common approach).

Like JorgeM said, suggestion 4 would be the best bet.
I've never even heard of GTB Inspector. :)

Hello Oxiegen. GTB Inspector is an application running on CentOS, so basically it is also a Linux distro as well. However, the duty of the Inspector is more as a DLP (if you refer to GTB Technologies, maybe you would get a clearer picture). So basically GTB is not only a DLP but has many features, where serving as a proxy server is also one of them.

Hello JorgeM. Thank you for your replies and suggestion. I have discussed with my superior and we are planning to go with the 4th option. But in order to block the HTTP and HTTPS requests you need to configure an ACL, right? However, our router is serving as a firewall for us, where all our firewall settings are preconfigured in the router itself. So it's considered an SME router with limited functionality. So I was thinking whether this option is best available in enterprise routers such as WatchGuard, perhaps. However, I like the idea, but I need input from you on how I should plan to block the requests in my current router. Is it possible, or do I have to add another device in between to accomplish this setting? Thanks again JorgeM.

Hello Bheeman89. I am not familiar with the "SME" type of router. In any case, whether it functions as a router or a firewall, you still should be able to incorporate this basic type of ruleset. If that router works off ACLs, that is fine. What you want to do is restrict all traffic outbound from all internal hosts except the traffic on ports 80 and 443. This takes care of blocking people from any outbound access, except when using the proxy and only on ports 80 and 443.

I would suggest that you should be able to implement this even on the most limited type of router/firewall. But if you can't and you have to spend some dollars, then yes, something like a WatchGuard or SonicWall will definitely work.

Alternatively, if you want to place something inline, that is a good option as well, but the device you place inline would have to be able to support it. I know of many firewall/proxy appliances that support this configuration. Not sure if GTB Inspector on CentOS can do this. It's probably worth checking that out.
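As an added example (not from the thread, and not from GTB or any router vendor), here is what JorgeM's option 4 looks like when the perimeter device is a Linux box running iptables, either a Linux router or a small inline box placed between the switch and the SME router. It covers both halves of the option: the firewall side (only the proxy host may open outbound HTTP/HTTPS connections; everyone else is logged and dropped) and the browser side (a PAC file that sends every non-LAN URL to the proxy with no DIRECT fallback). The LAN range 192.168.1.0/24, interfaces eth0/eth1, proxy address 192.168.1.10 and port 3128 are hypothetical placeholders; the chain name WEB_EGRESS is also my own choice.

```shell
#!/bin/sh
# Added example, not from the thread: enforce "browsers use the proxy, firewall
# lets only the proxy out on 80/443" on a Linux router/firewall with iptables.
# Hypothetical values: LAN 192.168.1.0/24 on eth0, Internet on eth1,
# proxy host at 192.168.1.10 listening on 3128. Adjust to your network.
LAN_ADDR="${LAN_ADDR:-192.168.1.0}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
PROXY_IP="${PROXY_IP:-192.168.1.10}"
PROXY_PORT="${PROXY_PORT:-3128}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the rules instead of applying them

# Apply one iptables rule, or print it when DRY_RUN=1.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        iptables "$@"
    fi
}

# Perimeter ruleset: only the proxy may open HTTP/HTTPS connections outbound.
# iptables stops at the first matching rule, so the ACCEPT for the proxy must
# come before the catch-all DROP. Other forwarded traffic (DNS, mail, VPN, ...)
# is not touched by this chain; see the note below on tightening that.
build_rules() {
    rule -N WEB_EGRESS 2>/dev/null || true   # create the chain if it does not exist
    rule -F WEB_EGRESS                        # start from an empty chain
    rule -A WEB_EGRESS -s "$PROXY_IP" -j ACCEPT
    # Log bypass attempts (rate-limited) so misconfigured or malicious hosts show up.
    rule -A WEB_EGRESS -m limit --limit 5/min -j LOG --log-prefix "PROXY-BYPASS: "
    rule -A WEB_EGRESS -j DROP
    # Hook: new HTTP/HTTPS connections from the LAN toward the Internet are
    # evaluated by WEB_EGRESS. Running this twice inserts the hook twice.
    rule -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j WEB_EGRESS
}

# Browser side: a PAC file that sends every non-LAN URL through the proxy and
# offers no DIRECT fallback, so a browser that loads it cannot route around it.
write_pac() {
    cat <<EOF
function FindProxyForURL(url, host) {
    // Intranet names and LAN addresses stay direct; the firewall does not block these.
    if (isPlainHostName(host) || host == "localhost" ||
        isInNet(host, "$LAN_ADDR", "$LAN_MASK")) {
        return "DIRECT";
    }
    return "PROXY $PROXY_IP:$PROXY_PORT";
}
EOF
}

# Usage (as root):  ./proxy-only.sh apply     or     DRY_RUN=1 ./proxy-only.sh apply
#                   ./proxy-only.sh pac > proxy.pac
case "${1:-}" in
    apply) build_rules ;;
    pac)   write_pac ;;
esac
```

Two caveats a practitioner should keep in mind. First, this chain only matches destination ports 80 and 443, so a client can still reach a web server listening on, say, 8080 directly; the stricter reading in JorgeM's later post (drop all outbound from internal hosts except the proxy) closes that, at the cost of having to whitelist DNS, NTP and whatever else the LAN legitimately needs. Second, the proxy becomes the single host with Internet access, so it needs working DNS of its own and deserves hardening and monitoring; for HTTPS it will normally see only the CONNECT destination unless it is configured to intercept TLS.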
