Authenticated transparent proxy

  • So I have read in these forums that "it isn't possible" to do transparent authenticated proxying. This is in fact wrong. There is a way, and I know it is possible because Sophos UTM does it, and I am going to give you what little I know of how it works so pfSense can look into it.

    1. Listen for the authentication using a "magic IP" of This address is commonly used for special services such as wireless controller management so is unusable by any actual internet routing.
    2. PCs must have fwhostname.mydomain.ext entered in IE as a local intranet zone or the computer fails to authenticate using NTLM.

    What you see when doing this is the browser redirect to the hostname above, use NTLM to authenticate with the firewall, and then the browser is sent to the originally requested page.

    Why am I telling pfSense this? I would LOVE to see better integration and easier management of proxying and content controls enabled in pfSense. As it stands, it's just way too difficult to get working, and when managing numerous clients it is way too difficult to support and provide the filtering solutions and troubleshoot filtering issues.


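The redirect flow described in the post above, modeled as an added example (not part of the original post, and not Sophos or pfSense code). It assumes the firewall remembers authenticated clients by source IP and signs the return URL so the portal only sends browsers back to pages it intercepted itself; the NTLM handshake is represented by its result, and the function names, key and session lifetime are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_HOST = "fwhostname.mydomain.ext"  # hostname from the post
SECRET = b"constructed-demo-key"         # constructed; a real device would generate its own
SESSION_TTL = 3600                       # assumed session lifetime, in seconds

sessions = {}  # client IP -> (user, expiry); IP-keyed tracking is an assumption


def _sign(url):
    """HMAC over the original URL so the portal can verify it issued the redirect."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def intercept(client_ip, url, now=None):
    """Decision for an intercepted plain-HTTP request from client_ip."""
    now = time.time() if now is None else now
    entry = sessions.get(client_ip)
    if entry and entry[1] > now:
        return ("FORWARD", entry[0])      # known user: proxy the request
    sessions.pop(client_ip, None)         # drop an expired session, if any
    query = urlencode({"url": url, "sig": _sign(url)})
    return ("REDIRECT", f"http://{PORTAL_HOST}/auth?{query}")


def portal(client_ip, portal_url, ntlm_user, now=None):
    """Portal endpoint on the firewall hostname.

    ntlm_user is the account name a completed NTLM handshake yielded, or
    None when the browser did not authenticate (for example because the
    hostname is not in its local intranet zone).
    """
    now = time.time() if now is None else now
    if ntlm_user is None:
        return ("DENY", "401 NTLM authentication required")
    params = parse_qs(urlsplit(portal_url).query)
    url = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    if not hmac.compare_digest(sig, _sign(url)):
        return ("DENY", "400 return URL not issued by this firewall")
    sessions[client_ip] = (ntlm_user, now + SESSION_TTL)
    return ("REDIRECT", url)              # back to the originally requested page
```

Because the session in this model is keyed by source IP, every user behind one address (NAT, a terminal server) would share the first user's identity in the proxy logs and filtering policy.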