configuring a transparent proxy

[ngxr85]

Hi,

i would like to use a transparent proxy (Squid) for a subnet connected to a physical interface on my firewall (Checkpoint NGXR65). These subnet's client do not have to configure their proxy settings in order to access the Internet.

I have done 2 rules:

Rule #1
SOURCE: mySpecialSubnet
DESTINATION: any
SERVICE: mapped service (SRV_REDIRECT(80,IP.of.my.MyTransparentProxy,80) )
ACTION: accept

Rule #2
SOURCE: mySpecialSubnet
DESTINATION: MyTransparentProxy
SERVICE: http
ACTION: accept

My transparent proxy is configured to listen on port 80.
However, I performed a tcpdump on the proxy and nothing come from my subnet when I try to browse the internet.
If I set up manually the proxy on a client, i can access the internet without any problem.

Anybody can help me ?

 

[Redfox1]

I've done something very similar (production environment with 200+ clients using SquidNT as well in our 'guest' web access network)

Here are some suggestions:

SSL websites will not work with transparent proxies. So, you might want to hand out an automatic proxy configuration file via DHCP Options.
i.e. run a web server that's reachable by these clients and host a file:

http://somewwwserver.domain.com/somename.pac

(You'll have to configure .pac extension in IIS to be a proper MIME type)

When clients receive a DHCP lease, they'll also auto-receive the PROXY configuration directory for their respective browsers (this works in Firefox, IE; haven't tried opera/mac browser etc.)

Your rule on the FW would just look like this:

FROM: Proxy_SRV
TO: ANY
Service: http, https
Action: Accept

Rule #2 looks fine...

David