Overclockers Australia Forums
Old 24th April 2012, 2:11 PM   #16
bsbozzy
Quote (Originally Posted by elvis):
Can you guess what Bluecoat is built on?
I know what it is built on....

Old 24th April 2012, 2:13 PM   #17
azron
Quote (Originally Posted by elvis):
Can you guess what Bluecoat is built on?
Hope and dreams?

Seriously, most of the commercial proxies are built on top of a *nix-based OS.

Not many wish to reinvent the wheel or pay MS a royalty!
Old 24th April 2012, 2:27 PM   #18
elvis
Quote (Originally Posted by azron):
Seriously, most of the commercial proxies are built on top of a *nix-based OS.
That's the OS. Now guess the Proxy application software.
Old 24th April 2012, 2:32 PM   #19
colmaz
Quote (Originally Posted by Bloods09):
Hi Guys,
at work we use group policy to specify proxy settings. At times, we need to disable the proxy (i.e. when users travel and use the Qantas lounge). Anyway, after unticking the "Use proxy server" box under Internet settings, Group Policy will not reapply this setting. If I manually run a gpupdate /force, however, it works.
On WinXP and newer, Group Policy will only refresh a GPO if the GPO has been updated, i.e. there is a newer version of the GPO. Hence why the gpupdate /force needs to be done. Reference: Background Processing.

I think the Note about halfway down this page gives a way around this.
Quote (Originally Posted by Slidey):
There is a default timeframe that group policy gets refreshed. I think it's 4 hours.
90 mins + up to 30 minutes is the default Periodic Refresh interval. This, however, is not a full refresh of policy, only a partial refresh, and only if the GPOs have an incremented version since their last refresh, I believe. Some settings are not included as well, such as Folder Redirection (which can take up to 3 log-ons to apply if a local profile already exists).
Quote (Originally Posted by Slidey):
usually a reboot will also give it a refresh
See above

Quote (Originally Posted by gdunkley84):
Make sure the GP that has the proxy settings in is set to enforce. Then a gpupdate /force should re-apply
NEVER set to Enforce. Enforcing GPOs is lazy and shows a lack of understanding of designing a GPO solution.
The issue here is the fact the client is not doing a full refresh of the policy.
Quote (Originally Posted by Grunner):
Without first understanding the OU structure, GP priority list and settings within the GP for the proxy settings, I would not recommend this action unless the GP explicitly defines proxy settings only.
Correct, in that Enforcing a GPO should not be recommended without an understanding of the OU and GPO design for the network.
Old 24th April 2012, 2:33 PM   #20
azron
Quote (Originally Posted by elvis):
That's the OS. Now guess the Proxy application software.
Squid seems popular; it comes up typically when 'assessing' the open ports these devices have. Apache is used for Webmin-type duties. Even seen HAProxy once.

Most choose this path as W3C-type logging can be easily ported off box to almost any log/event aggregation utility without much data manipulation.
Old 24th April 2012, 2:41 PM   #21
elvis
Quote (Originally Posted by azron):
Squid seems popular.
You've got it.

Linux+Squid happily supports regular and transparent proxies with AD (or anything else) authentication. If you want to be really crazy, you can even use Apache with mod_proxy and mod_cache, although Squid is a million times more efficient.

I've set that up dozens of times over the last few years for businesses big and small. Sometimes where nothing was in place previously, and other times to replace MS Proxy Server and ISA boxes that were end of life.

Typically I also throw in a bunch of regex based blacklisting to kill known advertising and SPAM portals, much to the delight of both users (whether it be for no ugly ads on their browsers, or because 80%+ of web browsing bandwidth these days is in non-cacheable advertising).

As mentioned, logging is standard, and trivial to parse either with a few basic shell scripts, or any one of a million reporting tools ranging from free to insanely expensive.
Old 24th April 2012, 2:48 PM   #22
azron
Quote (Originally Posted by elvis):
...or because 80%+ of web browsing bandwidth these days is in non-cacheable advertising).
Most of the web is non-cacheable these days.

The number of times I see a MISS in squid logs far outweighs the HITs. Well, that's with the log options for cache hit success I use. Most HITs are a result of large file-type downloads, PDFs typically, that are kept once they pass AV scans.
Old 24th April 2012, 2:57 PM   #23
s4mmy
Code:
//Automatic proxy script.
function FindProxyForURL(url, host)
{
	//Connect directly if the destination host is an internal address (10.128.*.*) or if the url matches the CAG addresses.
	//Note: the 255.255.255.0 mask covers only 172.16.0.x; the whole private range 172.16.0.0/12 would need 255.240.0.0.
	//Note: shExpMatch has no wildcard here, so only that exact URL (with no path) matches.
	if (isInNet(host, "10.128.0.0", "255.255.0.0") ||
			isInNet(host, "172.16.0.0", "255.255.255.0") ||
			isInNet(host, "192.168.0.0", "255.255.0.0") ||
			isInNet(host, "127.0.0.0", "255.0.0.0") ||
			shExpMatch(url, "https://url.yourinternaldomain.com.au"))
		return "DIRECT";
	else
		//Connect through a proxy for all other connections.
		return "PROXY proxy.your.domain.com:8080";
}
Just an example.
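An added example (not s4mmy's code or anything else from this thread): a small offline harness that re-implements the PAC built-ins so a PAC file like the one above can be checked before Group Policy pushes it to clients. The internal ranges, the .yourinternaldomain.com.au suffix and proxy.your.domain.com are placeholder assumptions.

```javascript
// Added example, not code from the thread: an offline harness for checking what a
// PAC file decides before it is pushed out via Group Policy. The PAC built-ins are
// re-implemented in plain JavaScript; address ranges and hostnames are placeholders.

// Parse a dotted-quad IPv4 address into a 32-bit number (null if malformed).
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.some((o) => o > 255) ? null : octets.reduce((acc, o) => acc * 256 + o, 0);
}

// isInNet(host, pattern, mask). A browser resolves a hostname via DNS first; this
// shim accepts only literal IPv4 hosts so the check never touches the network.
function isInNet(host, pattern, mask) {
  const h = ipv4ToInt(host), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return (h & m) === (p & m);
}

// shExpMatch(str, shexp): shell glob where only * and ? are wildcards, so a
// pattern without a wildcard must equal the whole URL, path included.
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// dnsDomainIs(host, domain): true when the host name ends with the given domain.
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// The PAC function under test. dnsDomainIs on the host keeps every path under the
// internal site direct, where shExpMatch on the bare URL would match only that URL.
// The trailing "; DIRECT" lets a roaming client keep working when the proxy is
// unreachable, at the cost of bypassing its logging and filtering while it is down.
function FindProxyForURL(url, host) {
  if (isInNet(host, "10.128.0.0", "255.255.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      dnsDomainIs(host, ".yourinternaldomain.com.au"))
    return "DIRECT";
  return "PROXY proxy.your.domain.com:8080; DIRECT";
}

// Evaluate [url, host, expected] cases and return those whose decision differs.
function checkPac(cases) {
  return cases.filter(([url, host, want]) => FindProxyForURL(url, host) !== want);
}
```

Run checkPac against a table of [url, host, expected] cases; an empty result means every decision matched. Drop the trailing "; DIRECT" where a proxy outage must fail closed rather than let clients bypass filtering.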
Old 24th April 2012, 3:01 PM   #24
elvis
Quote (Originally Posted by azron):
Most of the web is non-cacheable these days.

The number of times I see a MISS in squid logs far outweighs the HITs. Well, that's with the log options for cache hit success I use. Most HITs are a result of large file-type downloads, PDFs typically, that are kept once they pass AV scans.
Squid has a number of cache replacement policies that can be tweaked. Many of the commercial options don't allow direct modification of these. Some do, and some let you hack the squid.conf directly, but most go with the "lru" default which is pretty crap.

"heap GDSF" is best for high hit rate, at the expense of bytes. "heap LFUDA" is best for high byte rate, at the expense of hits.

Generally speaking, I set disk to "heap LFUDA" and memory to "heap GDSF" to get a nice mix of both (as generally you want a high hit rate out of memory objects in order to minimise latency, and a high byte rate out of your disk to minimise bandwidth utilisation on larger binary objects).

From the default config file:

Quote:
# The heap GDSF policy optimizes object hit rate by keeping smaller
# popular objects in cache so it has a better chance of getting a
# hit. It achieves a lower byte hit rate than LFUDA though since
# it evicts larger (possibly popular) objects.

# The heap LFUDA policy keeps popular objects in cache regardless of
# their size and thus optimizes byte hit rate at the expense of
# hit rate since one large, popular object will prevent many
# smaller, slightly less popular objects from being cached.

# Both policies utilize a dynamic aging mechanism that prevents
# cache pollution that can otherwise occur with frequency-based
# replacement policies.
For any of the "heap" methods, remember to up your max_size variables, as the defaults in squid are extremely conservative.
Last edited by elvis; 24th April 2012 at 3:04 PM.
Old 25th April 2012, 5:28 AM   #25
Ding.Chavez
Quote (Originally Posted by elvis):
You've got it.

Linux+Squid happily supports regular and transparent proxies with AD (or anything else) authentication. If you want to be really crazy, you can even use Apache with mod_proxy and mod_cache, although Squid is a million times more efficient.

How does this work for remote/roaming users? Or do you force them back into your network (VPN etc.)? That would suck for a user in W.A. on a 3G card...
Old 25th April 2012, 9:57 AM   #26
tensop
What's the go for transparent proxies in a WAN?

E.g. let's say we have WAN site #1, hosting various web-based resources. The exclusions go into Squid for local stuff, plus anything hosted inside the WAN.

But what about things that aren't web services, such as an Exchange server, or RDP/direct FTP connections/torrents etc. hosted at site #2/site #5/site #83?

Is this where iptables comes into play to forward anything not on port 21/80/443 direct out? So effectively the Squid box with iptables becomes a router in the LAN?
All times are GMT +10. The time now is 1:13 AM.