
Web-Based Proxies As Internet Gateways?

Tseuq asks: "The company I work for has recently rolled out their first 'official' Intranet. Like most companies, we use a combination of Novell, NT and Unix for our file/print/application duties. We want to allow all users in the company access to certain sites on the Internet (health benefits, 401k plans etc.), regardless of whether they have been officially blessed with Internet access. However, we currently use a Novell based proxy/firewall which works well for those with NDS (Novell Directory Services) ID, but there are several people in the company for whom it is not feasible to have such an ID, making authentication into the Novell proxy quite difficult (read: impossible)."

"I attempted to get around this problem using the freely downloadable PERL based CGIProxy 1.3 through NAT, bypassing the Novell proxy but still using the firewall aspect. It's a wonderful script but in its current downloadable form, it doesn't support SSL or Javascript, both of which we need.

My ideal solution is a product like CGIProxy since it would allow pretty much transparent access to the designated sites via links from our Intranet. I have done some more research but have run out of ideas and time and was hoping the Slashdot community could throw some ideas my way.

NT or Freenix solutions are acceptable. I have some coding ability but I am pretty far away from considering myself a programmer so solutions that require a decent amount of recoding probably won't work for me.

Thanks in advance for your help."

  • Without knowing more about your firewall config (can you at least tell us what the product is?), I would have to ask if it supports RADIUS. If so, this would allow you to have a central repository for those remote user accounts, and a good RADIUS (I use Shiva Access Manager www.shiva.com) will let you proxy to other authenticators like NDS, NT, SecurID. So in the future, if you replace the firewall, it will be less stress on the users. Fb
  • How about using Apache's proxy support.
    http://www.apache.org/
    Runs under NT, and many *nix's.

    It's not just for webserving anymore.
  • I presume you are using Bordermanager as your proxy? You could add an OU to your NDS tree and create users and then just use the Bordermanager Java login applet to authenticate them without them having to log in to NDS in any way.
  • You can use NT Proxy server 2.0 in a non-authenticated mode. Works okay, and the proxy server can be behind the hardware firewall. It can also proxy on the same subnet, but I advise 2 different IPs. I used to have a Border manager setup, and would use the NT proxy server for setups/tests/public access terminals where they didn't login. I also ran cyber-patrol on the NT with no problem. It's not as robust as others, but you can set it up on a little P200 and it's fine for the users that can't authenticate on NDS. You can also do the 'nix solution, just depends on what ya know. -Bryan
  • My gateway is a linux machine running an ipchains-based firewall/NAT and the Squid proxy.

    All internal traffic on port 80 is redirected through Squid (on port 3128) via ipchains, and Squid can then use its redirector to filter and/or redirect URLs. In my case the redirector is a simple perl script that simply uses regular expressions to match and replace URLs.

    You also get caching with squid, of course.

    So you could use it to filter anything that didn't match the appropriate pattern and redirect that request to a 'sorry you can't access that site' page on your intranet.

    It also lets users behind the NAT gateway use the same URLs to access web servers as they would outside the firewall.

    Squid also has authentication features I believe, but I'm not familiar with them.

    Client setup is completely transparent, the browser doesn't even know it's talking to a proxy server.

    I couldn't be happier, since it means that MS Proxy Server 2 is going on its long-awaited trip out the window.
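
The Squid redirector approach from the last comment, sketched as an allowlist helper. This is an added example, not the commenter's perl script; it assumes the classic one-line-per-request redirector input (`URL client_ip/fqdn ident method`), and the hostnames and block page URL are hypothetical. It parses the hostname instead of pattern-matching the raw URL, so lookalike hosts and `user@host` tricks do not slip past the allowlist.

```python
import sys
from urllib.parse import urlsplit

# Hypothetical values: the sites every user may reach, plus the intranet
# host that serves the "sorry, you can't access that site" page.
ALLOWED_HOSTS = {
    "benefits.example.com",
    "401k.example.net",
    "intranet.example.local",
}
BLOCK_PAGE = "http://intranet.example.local/blocked.html"


def rewrite(request_line):
    """Return the helper's reply for one request line from Squid.

    Assumed classic redirector format: 'URL client_ip/fqdn ident method'.
    An empty reply leaves the URL unchanged; anything else replaces it.
    """
    fields = request_line.split()
    if not fields:
        return BLOCK_PAGE
    try:
        parts = urlsplit(fields[0])
        # .hostname drops userinfo and port and lowercases the name.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed URL: fail closed
        return BLOCK_PAGE
    if parts.scheme not in ("http", "https"):
        return BLOCK_PAGE
    # Exact match only: a substring or prefix regex would also accept
    # 'benefits.example.com.evil.test'.
    return "" if host in ALLOWED_HOSTS else BLOCK_PAGE


def main():
    # Squid keeps the helper running and expects one reply per line,
    # so flush after every answer.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Newer Squid releases use a different helper reply syntax, so check the helper protocol of the installed version before deploying something like this.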
