@doktornotor:

I have already told you 3 times that it's a leftover from Squid3 before 0.3.6. Remove it and move on.

I always did. Thanks.

thanks for this tweak.

it's ok when a make a search directly from www.bing.com.

but i have a problem when i make a search with the integrate search bar in star menu in windows 8 or 10.
it 's redirect to www.google.fr but with bing.com and some URL parameters.

so i have and ssl certificat error that say me URL is not the same as URL in certificat.
and finaly i have "404. That’s an error."  message from google that's say me page not found with this parameters :-(

Hi!

You can use Shellcmd package to do it.

Not really sure what "burn out" are you talking about. These days, the SSDs will handle hundreds of TiB of writes. If you want the thing managed by the package, simply mount things under /var/squid. You can still change it to whatever, just don't expect those dirs it to be maintained by the package (you'll get self-explanatory log warnings about that.) One accident with recursively changing permissions on / has been just enough.

I actually managed to get it going by deleting all of the advanced feature .conf

Stop&Start antivirus service and everything's fine. I must admit I didn't further investigate the issue but it's worth a try.
By the way, great job doktornotor, seriously.
Bye

Well… was about to suggest that. LOL. :)

IT IS DONE  ;D

The old TMG is now replaced with a PFsense box.

Two things i miss from TMG though

The External computer set. Makes creating firewall rules so much easier. Just do an allow anything to external and you got unrestricted internet access but no access to other networks on the "inside" like opt The grouping functionality. In tmg you can create a group and then collect rules in the group. For example i can place all rules for my webservers in one group and have the mail servers in another. Makes troubleshooting much faster since i know i only have to look in the mail group when troubleshooting mail

Some questions:
-Do you want all 4 site's to be reachable using https? (if its only required for 1 site there is no need for SNI or any other extra stuff..(
-Are you testing access to website2 from 'outside' a client or 3/4g phone on the internet? As when testing from the LAN you might actually be accessing the pfSense webgui.?. Though that would still not explain the redirect to website1..
-Is it possible to visit website2 over https on the current IIS configuration? (ignoring the certificate error.?.)

1- VMs seem like a rather big solution to a small problem (+licences)..
2- Haproxy would allow you to configure 4 different certificates one for each domain / ip.
You could even host all 4 sites on 1 external ip, in which case SNI is required to send the right server-certificate back to the client.
3- upgrade IIS of course technically possible, but might require a new windows version (+licence).
4- With the 'old' IIS version i think it might just be easiest to configure the webserver with 4 lan-ip's and change the portforwards to direct traffic to each of those ip's. Then also configure the 4 websites in IIS to bind to those lan-ip's. (you could also try with assigning different ports instead of 443 to the other https sites 1443 2443 3443, and forward traffic there, that would evade the multiple lan-ip requirement, but might lead the site to generate wrong url's containing the port.. something you would need to test.)

I would probably prefer option 4 with multiple lan-ip's or ports, if that isn't possible option 2 or even the combination of both :).

ok, found this:https://forum.pfsense.org/index.php?topic=88309.msg487607#msg487607

I've got it working. I have numerous subnet interfaces and because of that didn't see that the loopback interface wasn't enabled in dns forwarder. Don't know how it had been disabled as I doubt I unchecked it. Once it was added things started working fine. Umm, and yes if you want to utilize dnsmasq settings with explicit proxy then you need loopback enabled in either dns forwarder or resolver..

@Abhishek:

i find after disabled Snort on lan interface…

I'll be very glad if you could explain purpose of Snort listening on internal interface. There is something I don't understand here  ???

look at this…
but remember to move away from transparent proxy first  ;)  otherwise this will obviously not work  :P

Beyond the conclusion reached on the other thread (your settings are messed up), nothing else I could advise here. Read the FAQ, flush broken settings, flush the Squid dirs if the "Keep Settings/Data" feature doesn't work for you, reconfigure from scratch.

You also need Maximum Object Size set accordingly. No further assistance from me, this is dead end as noted above.

Sure it does  ;)

As you have now explicit proxy with (soon) authentication and profiling, wouldn't captive portal do the trick ?
Users will have to authenticate first at captive portal level and this will grant them for access through local FW.

@n3by:

@PikkonMG

Did you test it to see if it is real working or just pretend ?

Because on my config all services are working ( and av updated ) but download test fail - no alert triggered.

https://secure.eicar.org/eicar.com.txt

https://rtcamp.com/tutorials/mail/server/testing/antivirus/

@dok
A test button on interface will be more than welcome.

Yes it all works. If I go to eicar and try to grab any of the test files it stops it.

As you operating system supporting proxy.pac file is Windows, you will have to create such symbolic links using mklink command and create as many logical links as needed.

e.g.

mklink wpad.dat proxy.pac

will create a new (logical) file wpad.dat linked to proxy.pac
If you modify proxy.pac content, it will modify wpad.dat too.