Squid Question

Jon-NC · 23rd June 2008

Hello,

We have a slight problem with a customer’s Websense web filtering software. The reporting feature on Websense cannot individually distinguish users on a Terminal Services server.

We have been advised by Websense to put a squid proxy (or ISA proxy *spits*) in between the Terminal Servers and forward all communications onto the Websense server.

Would this be easy enough for a Linux novice? I have already setup squid in which is working as a proxy fine. I imagine that I may need to add some form of NAT or IPTABLES stuff to forward on all proxy traffic to the Websense server?

Any tips in what to search for would be cool; I'm a little out of my depth on this Linux stuff. :P

Cheers,

Jon

wise · 23rd June 2008

websense has a citrix agent you can install on each server that will distinguish the users - Im sure you can put this on your terminal servers.

What version of websense are you using?

Jon-NC · 23rd June 2008

For some reason (I dont know the exact reason) the Citrix agent won't work. It could be due to the version of Citrix our customer is running.

Schumie · 24th June 2008

Without my Websense hat on (as I deal with the Software as a Service, as opposed to on-premise) but as I understand it, if you drop in a squid proxy (pretty easy to do) and if it can drop in as the gateway for these boxes, a few iptables rules to redirect port 80 traffic, or alternatively set the group policy for proxying through the squid box, it should be relatively simple.

I'm not sure how it differentiates on the users though

Jon-NC · 24th June 2008

The reason we can't use the citirx agent is because citrix isn't used. :O

I'm not sure how squid will differentiate the users either.

Schumie · 24th June 2008

Hmmm.. I've asked the question internally as I'm quite interested knowing how it does the user seperation now

wise · 24th June 2008

As far as Im aware it wont differentiate the users - its been a couple of years since dealing with websense enterprises etc, so they may have added something. The remote agent they developed for citrix was specifically for the reason you are needing it and I had thought they could also be put on TS too ... are you using ISA server under websense ?

Schumie · 24th June 2008

I've just spoken with one of the chaps, so it does need a proxy server in place, and the browser passes user credentials, that's how it's able to differentiate

You can also enable manual authentication as well, so that if the user credentials aren't passed the users will be forced to authenticate before browsing.

Integration with Squid seems pretty straight forward, and if you need any help the support chaps are always here to give guidance

Jon-NC · 24th June 2008

Cheers guys. It appears that the powers to be are going to put Windows 2003 with ISA in instead.

.

Less work for me to do I suppose. I'll let some poor sod deal with ISA.

samb · 24th June 2008

When ISA server fails to perform as required, please feel free to refer them to us for a proper Squid setup

Jon-NC · 24th June 2008

hehe. Unfortunately it is up to the account manager and client IT contact. Neither have really used Linux and therefore would rather have ISA.

The joys of having a separate sales team.

fov · 24th June 2008

Whats wrong with ISA?
Ive never had any real issues but then ive only had it in a small network.

wise · 25th June 2008

websense sitting on top of ISA is a standard setup and works quite well ..

Schumie · 25th June 2008

.. wait until version 7 is released and you might not need an external proxy server