Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

echowings

@khushal:

This works for SquidGaurd too with minor changes… Good Work..

I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).

thanks
KsN

Hi, my friends , I found that dansguardian is not working well when many person online using dansguardian as proxy. So i switch to squidguard. But i 'm not successfully to using ldap to auth  squidguard  against AD. Could help me to show how you configure it ? 
Thank you very much!

Fabusch

Hello Community,

Many thanks to wheelz for that strange ;D and cool workarround. Its working very very well, with some corrections ;-)
First of oll:
Im working as a Sysadmin in several schools (high- and professionalschool) in South Tirol.
Such a long time ago, I am interesting in Linux/Unix products to protect my networks or also only to test some cool stuff, thats not possible f.e. with windows :P. But now i am having trouble with things that exactly this post deals with and were im now stucking just some weeks. The general problem is, that the windows firewall product (known as ISA/TMG) will no longer suported in the future. Therefore i want to try to setup somthing similar with a  Linux/Unix System.
How i have allready said, this workarround is working pretty well, the only thing i need to correct is:

• 12. d) smb.conf –> insert there the command: winbind cache time = 60
    idmap uid = 10000 - 20000 (enable for testing)
    idmap gid = 10000 - 20000 (enable for testing)
• 17.) the Quote which must be inserted in the "Custom settings section" in the General tab of the Proxy is right and works, but only of you write it directly with the vi in the shell into the squid.conf (/usr/pbi/squid-i386/etc/squid/squid.conf) otherwise, some characters disappear ;-)
• 20. b.iii) the username must be in this format to work properly: username@domain.local

Now my problem: With the Microsoft ISA/TMG i can configure, that for example users(Students and Teachers, in my case), that are member of the Group "Internet" (created under Users.domain.local) can access the Internet. If they are not member of this group, they can never access the internet. Therefore i have allready written a tool (little .exe file), which with I or the teachers can put the students to this group (if they need the Inet during there lession) and after the lession the teachers put them away from the group Internet.
Now i am stucking to realize this with my pfsense box. I have googled now some weeks but I wasn't able to configure this (i just have had some nightmares about this problem and now I am at the point to go totaly insane). I tried to ad the squid_ldap_group feature (which is working with my Server 2008 R2, when i try it manualy in the shell) with the appropriate acl's (i dont now if they configured in the right way because the search results are quite confusing and are also conflicting themselves). I also tried IPFire but its always the same, im not able to configure it in this way, that when the users are member of this group, they can access to the Inet.
Maybe someone can give me a hint ore some good document were I can work further.

Kind regards and merry merry Christmas to everyone!!

lucapsg

Hi all,
first of all, thank you again for the wonderful work.

I configured everything without problems on pfsense 2.0.3 and it's fine.
It works with 2.1?
Someone is using it?

wheelz

I am on version 2.1 and am using it fine.  I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.

percyiii

Loaded the upgrade because of the openssl scare..
Dans now at 2.12.0.3_2 pkg v.0.1.8
Says no file /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
So i loaded one from another box..
now says
auth_plugin_load() returned NULL pointer with config file: /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
Any ideas?
THX

percyiii

Have 3 boxes running this configuration.. Works great except… after heavy usage from 75 users.. The box goes to a crawl..
We are using
ESXI 5.1
all boxes up to date.
packages
Dansgaurdian
Shellcmd
Squid3
sarg

2 of 3 have separate virtual drives for the cache,logs, and sarg... sym linked ..
the 3rd has a 40G drive..
All do the same thing.
during peak hours they get real slow...
Only way seems to work is pair two together on the domain dns..
ie two entries for proxy.here.pvt one x.x.x.x and one y.y.y.y

Am going to try 2 real boxes.. but having a hard time trouble shooting the slowness...
Restarting squid seems to help...

tried setting
squid cache file system to aufs seems no change
vfs.read_max=32 to vfs.read_max=128 in System -> Advanced -> Sytem Tunables no change??

any ideas..

marcelloc

Look for squid tweak on freebsd and set it on system tunable.

What max client value are you using on dansguardian?

percyiii

@marcelloc:

Look for squid tweak on freebsd and set it on system tunable.

What max client value are you using on dansguardian?

Ok this may be it.. But where is the max client value set? In the GUI.. Is this the Min/Max children?

percyiii

@percyiii:

@marcelloc:

Look for squid tweak on freebsd and set it on system tunable.

What max client value are you using on dansguardian?

Ok this may be it.. But where is the max client value set? In the GUI.. Is this the Min/Max children?

Ok I had the client IP's default which should be 0 So I set it to 0 I also set min maxchildren 32/180 the spare to 8/64 and age set to 10000 will see if that helps…
THX for heading me in a better direction..

marcelloc

set clients close to 1024. In some cases I use 8k users to get a better performance(it depends on compiling package to support it, so keep client max values under 1024).

IIRC, you can check if processes are near configured limit by using ps ax | grep dansguardian | wc -l

iMongui

General Tab -> Config settings section –> Auth Plugins = Proxy-Ntlm

When I activate this feature, my service goes down :/ I only can work with Auth Plugins = None.

Anyone can help me? I only need to activate this feature, I dont need more because i did all steps and now is working but I dont have AD support :/

evanderv

@percyiii:

Loaded the upgrade because of the openssl scare..
Dans now at 2.12.0.3_2 pkg v.0.1.8
Says no file /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
So i loaded one from another box..
now says
auth_plugin_load() returned NULL pointer with config file: /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
Any ideas?
THX

I am having this same problem also.  proxy-ntlm.conf was never put into the authplugins on the latest dansguardian from pfsense.

percyiii

Ok…..
1. Install the broken package with the package manager.

2. from the command line "pkg_info" you will see dansguardian 2.12.0.3_2 is installed.

3. from the command line "fetch http://files.pfsense.org/packages/amd64/8/All/dansguardian-2.12.0.3-amd64.pbi"

4. from the command line "pbi_add --no-checksig -f dansguardian-2.12.0.3-amd64.pbi"

5. from the command line "pkg_info" you will now see dansguardian-2.12.0.3_1 is installed.

Then go to /tmp and deleted the two dansguardian files..
Go and save the settings pages in Dans..
BUTTT...... Now the web upload is broke... I fix the web upload.
If I fix it like below... It dies again.. because one writes over the other...
https://forum.pfsense.org/index.php?topic=58442.msg409913#msg409913.

Any ideas?

endyrx

Hi guys. I successfuly install eveerything. In first moment i decide everything is ok. FW are binded to my wind 2003 domain wbinfo -t/-u/-g show me everything - users, groups etc. etc. But tail -f /var/log/dansguardian/access.log show me only ip not users id. Also my users wont populate on Services > Dansguardian > Users. I see only checkmark there which is unchecked right now. Also i think Dansguard does not watch LDAP group i chose for internet access. I test with a normal user - no metter if the user are in or out of the groupe he have internet.
Any ideas ?

echowings

Okay, and please try this command:

 tail -f /var/squid/log/access.log 

endyrx

Somehow i am able to get authenticated on squid also on dansguard
this is my squid log
1401128431.777      0 192.168.250.70 TCP_DENIED/407 4861 GET http://www.dir.bg/my/comments/count.php? - NONE/- text/html
1401128431.780    20 192.168.250.70 TCP_MISS/200 612 GET http://r5.dir.bg/passimg.php? bilyanastefanova DIRECT/194.145.63.27 image/gif
1401128431.790    14 192.168.250.70 TCP_MISS/200 522 GET http://www.dir.bg/new/dirfp_weather_new.html? bilyanastefanova DIRECT/194.145.63.12 text/html
1401128431.791    15 192.168.250.70 TCP_MISS/200 445 GET http://www.dir.bg/new/dirfp_weather_block.json? bilyanastefanova DIRECT/194.145.63.12 application/json
1401128431.793    16 192.168.250.70 TCP_MISS/200 243 GET http://www.dir.bg/new/usd.txt bilyanastefanova DIRECT/194.145.63.12 text/plain
1401128431.804    27 192.168.250.70 TCP_MISS/200 695 GET http://www.dir.bg/JSAJAX/get_user_info.php? bilyanastefanova DIRECT/194.145.63.12 text/plain
1401128431.836      5 192.168.250.70 TCP_CLIENT_REFRESH_MISS/304 298 GET http://i.dir.bg/dir5/dir-new/html/img/vremeto-small/pda_20.png bilyanastefanova DIRECT/194.145.63.18 -
1401128431.838    126 192.168.250.70 TCP_CLIENT_REFRESH_MISS/200 3656 GET http://ni.dir-i.net/esspresso/images/calendar/cells.png bilyanastefanova DIRECT/194.145.63.18 image/png
1401128431.842    62 192.168.250.70 TCP_MISS/200 676 GET http://www.dir.bg/my/comments/count.php? bilyanastefanova DIRECT/194.145.63.12 text/html
1401128431.966    155 192.168.250.70 TCP_MISS/200 309 GET http://smart.dir.bg/mobile_check.php? bilyanastefanova DIRECT/194.145.63.11 text/html

and this is dansguardian log
1401128431.388    19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.388    19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini_2&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.390    23 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_corner bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.718    33 192.168.250.70 TCP_MISS/200 101 GET http://r5.dir.bg/utb.php?rnd=1287221401128435608&ref=http%3A//www.dir.bg/&reff= bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/javascript
1401128431.769      4 192.168.250.70 TCP_DENIED/403 0 GET http://www.google-analytics.com/__utm.gif?utmwv=1.4&utmn=98558728&utmcs=utf-8&utmsr=1920x1080&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=13.0%20r0&utmdt=Dir.bg%20-%20%D0%91%D1%8A%D0%BB%D0%B3%D0%B0%D1%80%D1%81%D0%BA%D0%B8%D1%8F%D1%82%20%D0%98%D0%BD%D1%82%D0%B5%D1%80%D0%BD%D0%B5%D1%82%20%D0%BF%D0%BE%D1%80%D1%82%D0%B0%D0%BB!&utmhn=www.dir.bg&utmhid=1711608986&utmr=-&utmp=/&utmac=UA-436010-11&utmcc=__utma%3D95319433.1662311826.1401125196.1401125196.1401128436.2%3B%2B__utmz%3D95319433.1401125196.1.1.utmccn%3D(direct)%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)%3B%2B bilyanastefanova DEFAULT_PARENT/127.0.0.1 -
1401128431.792    19 192.168.250.70 TCP_MISS/200 501 GET http://www.dir.bg/new/dirfp_weather_new.html?ts=0.17504705565709982 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.794    20 192.168.250.70 TCP_MISS/200 13 GET http://www.dir.bg/new/usd.txt bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
1401128431.806    30 192.168.250.70 TCP_MISS/200 7 GET http://www.dir.bg/JSAJAX/get_user_info.php?enc=utf-8&now=0.004187991262348867&=1401128435698 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
1401128431.843    66 192.168.250.70 TCP_MISS/200 4 GET http://www.dir.bg/my/comments/count.php?jnl_id=3&ctype_id=1&topic_id=12251378&list=all&ran=0.153130255537684&=1350479627602 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.967    157 192.168.250.70 TCP_MISS/200 79 GET http://smart.dir.bg/mobile_check.php?callback=jQuery17105069666413485266_1401128435330&url=http%3A%2F%2Fwww.dir.bg%2F&method=post&_=1401128435737 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html

But i still can't denie connections for users who is out of my internet groupe. Everyone have an internet right now.

fedetehue

@wheelz:

I am on version 2.1 and am using it fine.  I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.

How did you create the firewall and nat rules of steps 6 and 10? I'm on 2.1.3 and I'm stuck at that. Thanks in advance.

fedetehue

10.  Services –> Firewall
  a.  Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
  b.  NAT –> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)

Ok, sorry for bumping this thread again, but I need help with this part. Could someone post screencaps of how would the NAT and Rules gui screen would look when you set up things on step 10? I tried to do it and I locked myself out of the webgui. I need DG to filter HTTP and HTTPS traffic.
Thanks again to anyone that helps me with that.

sowen

First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

or google "Squidtrust"

you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.

read the docs for more detail.

dig1234

This is certainly easier to setup and I am impressed with your solution. However this model does not appear to have any protection from easily being spoofed by a rouge user? ie a user could claim to be someone they are not.

@sowen:

First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

or google "Squidtrust"

you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.

read the docs for more detail.