Clueless about install
-
Which particular part are you having trouble with?
-
Passing on the requests out the WAN interface on to the corporate proxy is the main issue at this point I believe.
Here's my config:
interface setup (via shell):
LAN vmx0 xx.xx.192.228/22
WAN vmx1 xx.xx.196.240/22, WAN uplink gateway xx.xx.196.1

Advanced setup:
networking: allow ipv6 - yes
misc: proxy url - proxy.corporatesiteproxy.xxxx.com
proxy port - 8080
username/password: blank.. no authentication needed.

General setup:
hostname - labsvmsense
domain - blah.xxxx.com
dns1 - xx.64.64.54 GW_LAN - lan - xx.xx.196.1
dns2 - xx.64.64.53 GW_LAN - wan - xx.xx.196.1

Squid: enabled. keep settings, LAN, Allow users on interface, resolve dns ipv4 first
proxy interface(s): LAN
proxy port: 3128
local cache: heap lfuda
acl: allowed subnets - xx.xxx.184.0/22 (test client on this subnet with proxy set to labsvmsense.xxxx.com:3128)

SquidGuard: disabled
everything else is default to the best of my recollection.
It's now resolving and working for intranet traffic but is taking almost 10 seconds before a site appears.
It will not show anything internet. Due to corporate policy, I cannot ping, tracert, nslookup, etc. anything internet (i.e., ping google.com fails from a regular PC through the corporate proxy).
In order for the pkg manager to get pfSense updates, I did a setenv in root's .cshrc file which points to the same proxy as specified in the first few lines of this msg.
On the old forefront server, there's a section in the Networking called Web Chaining which says basically to forward all traffic on to the corporate proxy address. That's the part that I think I'm missing with pfsense.
-
Is there a reason you couldn't just set the client proxy to be the corporate one and cut out the squid middle man?
-
There are certainly departments that are denied internet access except for the whitelisted URLs.
-
Fair enough.
It troubles me that pfSense can't even get through your corporate proxy to get its packages. What are you using for DNS with pfSense? Can you resolve proxy.corporatesiteproxy.xxxx.com via Diagnostics - DNS Lookup?
-
Corporate DNS. Yes, the corporate proxy resolves. It appears everything is working on the intranet side.. it's like pfSense is missing a part of the config that tells it to pass on to the corporate proxy. Originally, the workstations/clients point to the corporate proxy (or the old Forefront TMG server) via the Internet Explorer/system-wide proxy setting, but I wish to point those systems to pfSense, have it filter for the whitelist, then pass on the acceptable requests to the corp proxy.
-
Hmmm, kinda confused here. Messing with the pfSense's proxy settings here will do nothing for the clients. It will only proxy the HTTP/FTP traffic from the firewall itself. You should configure an upstream proxy in Squid (the Remote Cache tab).
-
OK, does the corporate proxy need to be told to allow your current pfSense WAN IP to access it?
-
It shouldn't since it's in the same normal allowable range. If I had assigned that WAN IP to a standard system and set the proxy to the corporate one then it'd go through just fine… and it'd go through without user authentication as well.
I didn't have the remote cache set up so that is now done (general options = allow miss (also tried adding no tproxy); hierarchy = parent, default method). That was the catch. ;D Standard HTTP traffic is now working. HTTPS is not, so I'll enable and set up the Squid General section 'SSL Man In the Middle Filtering' and let you know..
Update: imported my corporate trusted root cert, set the port to be the same as standard traffic (3128) and that was a no-go. Accepted the default 3129 and that still didn't work.
Clients have always been set up to use the same proxy/port for HTTP/HTTPS and I currently have the test workstation set to point to the single port.
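For readers following along, here is an added example (not posted in this thread and not the pfSense package's generated file) of the squid.conf directives that correspond to the settings above: the Remote Cache tab becomes a `cache_peer` parent entry, and the whitelist/allowed-subnet ACLs gate who may use the proxy and where they may go. The whitelist file path, the LAN listen address and the intranet domain are assumptions; the masked addresses are the thread's own placeholders.

```conf
# Added example, not the thread's or the pfSense package's own config.
# Hostnames, subnets and the whitelist path are placeholders/assumptions.

# Listen on the LAN interface only (LAN IP is a placeholder).
http_port xx.xx.192.228:3128

# Clients permitted to use this proxy (the allowed subnet from the thread).
acl allowed_subnets src xx.xxx.184.0/22

# Whitelisted destinations, one domain per line; the path is an assumption.
acl whitelist dstdomain "/usr/local/etc/squid/whitelist.txt"

# Internal domain that should be reached directly, not via the corporate proxy.
acl intranet dstdomain .blah.xxxx.com

# Only allowed clients, and only to whitelisted or intranet destinations.
# The final deny keeps the box from acting as an open proxy.
http_access allow allowed_subnets whitelist
http_access allow allowed_subnets intranet
http_access deny all

# Upstream corporate proxy (Remote Cache tab): parent hierarchy, no ICP
# (icp port 0 + no-query), default peer, allow-miss and no-tproxy as in the
# posted settings, no login= option since no authentication is required.
cache_peer proxy.corporatesiteproxy.xxxx.com parent 8080 0 no-query default allow-miss no-tproxy

# Intranet goes direct; everything else must be forwarded to the parent.
always_direct allow intranet
never_direct allow all
```

Without `never_direct allow all`, Squid may still try to fetch internet sites directly and time out before (or instead of) falling back to the parent, which is the symptom of a missing upstream entry.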
-
No, you cannot have the same port for HTTP and HTTPS.