12-15-2011 08:14 PM
Currently, our office internet leased line is always congested due to high traffic during office hours. To ease the congestion issue, we plan to implement a Squid proxy server in the DMZ zone for this purpose. I'm not that good at configuring policy based routing using the command line and I prefer to use the GUI instead to configure all HTTP traffic from the wireless network as well as the LAN to the proxy server. But when I configure PBR via the GUI, it never works as I expected. I read somewhere in this forum that configuring PBR via the GUI is not recommended. I'm a newbie in configuring PBR via the GUI and command line. I seek guidance from you all (the experts) here to help me on this matter. I attached our network diagram for better understanding.
Thank you very much for your advice and kind guidance.
12-17-2011 06:33 PM
You can't do forwarding to Squid on the firewall. The only built-in forwarding supported in ScreenOS is Websense and SurfControl. These products are configured under security.
Policy based routing will not work for this function. Policy based routing is about controlling your next hop or interface based on defined parameters. You could forward web traffic down a particular interface or IP address using policy based routing. But you cannot modify the request so that it is no longer looking to hit the web server directly but becomes a proxy request instead.
For proxy servers you will need to push out your browser proxy settings to the clients. With the browser settings correctly set, the web requests then go to your Squid server and out to the internet from there. On Windows you can use group policy to push these out.
Or you can configure a wpad DNS record if Squid supports the WPAD autoconfigure setting. In DHCP you can create a custom record with a value of 252 and the URL to your wpad file on the proxy server.
You may also then want to block direct web access from IP addresses other than the Squid server. This block policy would prevent computers from bypassing the proxy server and using the web directly.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6
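The WPAD autoconfiguration described in the answer above works by handing clients a URL (via DHCP option 252 or a wpad DNS record) that points at a proxy auto-config (PAC) script; the browser evaluates that script per request to decide whether to go through the proxy. The following is an added example of such a PAC file, not code from the thread or from the Squid project. The proxy host squid.example.internal, port 3128, the internal domain example.internal and the private address ranges are assumptions. The PAC helper functions (isPlainHostName, dnsDomainIs, isInNet, shExpMatch) are normally supplied by the browser; minimal re-implementations are included here so the script can be exercised outside a browser.

```javascript
// Added example PAC file (wpad.dat), not part of the original thread.
// Assumed names: proxy squid.example.internal:3128, internal domain
// example.internal, internal ranges 10/8 and 192.168/16.
const PROXY = "PROXY squid.example.internal:3128";

// --- Browser-supplied PAC helpers, re-implemented for testing outside a browser ---

// true for unqualified names such as "intranet" or "localhost"
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// true when host ends with the given domain suffix (including the leading dot)
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed
function ip4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Real browsers resolve hostnames here; this version only accepts literal IPs,
// which is why FindProxyForURL checks for a literal IP before calling it.
function isInNet(ipaddr, pattern, maskstr) {
  const ip = ip4ToInt(ipaddr);
  const net = ip4ToInt(pattern);
  const mask = ip4ToInt(maskstr);
  if (ip === null || net === null || mask === null) return false;
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

// shell-style glob match: "*" matches any run, "?" matches one character
function shExpMatch(str, shexp) {
  const re = "^" +
    shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
         .replace(/\*/g, ".*")
         .replace(/\?/g, ".") +
    "$";
  return new RegExp(re).test(str);
}

function isLiteralIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// --- The PAC entry point the browser calls for every request ---
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }

  // Private address space is reached directly. Only literal IPs are tested so
  // that a browser does not perform a DNS lookup for every external hostname.
  if (isLiteralIPv4(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // Everything else goes through Squid. No "; DIRECT" fallback is listed:
  // a fallback would let clients silently bypass the proxy whenever it is
  // unreachable, which is exactly what the firewall block policy is meant
  // to prevent.
  return PROXY;
}
```

Serve the file as /wpad.dat on the proxy (or a web server clients can reach) with the MIME type application/x-ns-proxy-autoconfig, and put its URL in DHCP option 252 or behind the wpad hostname. Keep the internal-domain and private-range exceptions as narrow as the network actually needs: every pattern that returns DIRECT is traffic the proxy will never see.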
12-19-2011 11:38 PM
Thanks Steve for your explanation. I might have to consider WCCP for this matter instead of trying to configure the firewall for HTTP redirection.
12-20-2011 01:35 PM
You might be able to do it with a combination of PBR and a little iptables trickery on your Squid server, which I would assume is most likely Linux anyway. Simply configure a few rules on your Squid server to let it act like a "router" and do some translation with iptables, then let Squid do its thing.
I'm not a Squid expert, but I know there are some configurations that don't require configurations on the client, either. Transparent proxy comes to mind.
I'm sure with a little ingenuity this could be made to work.
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.