Untangle as web Proxy
Hi all,
Is it possible to configure Untangle to act as a caching proxy server (with web filter capability)? I wouldn't want to miss out on the possibility to cache user contents and speed up internet connections.
Thanks in advance.
Bye,
Alf.
dmorris
10-03-2007, 10:20 AM
Untangle can do web filtering, but does not currently do any caching.
Thanks for the reply.
But then, can I configure Untangle as a proxy in the clients' browsers?
dmorris
10-03-2007, 11:12 AM
Untangle is a transparent proxy - meaning you don't have to change any settings on the browser. :)
Untangle will transparently catch any web traffic going through the server and process it (spyware, virus, web filter, IPS, etc.)
sunflower
10-03-2007, 11:37 AM
What do you mean by 'transparent proxy'? A transparent proxy is still a proxy server that acts as a middle man that the routing redirects to (any web port 80 -> redirect to transparent proxy [plus content filtering plugin db] -> outside network). There is still a proxy port if Untangle is acting as a 'transparent proxy'. What is the port number of the Untangle transparent proxy?
When I used an outside anonymous proxy setting that uses port 80, I could get away from the filter, so it doesn't seem like it's filtering web traffic.
There is no port number. It has no choice but to connect through the Untangle server, unless it is connected on a subnet where there is no Untangle server.
sunflower
10-03-2007, 12:50 PM
In order for traffic to get out of the network, it must go through the Untangle server (same subnet, bridge mode). Traffic gets to the Untangle internal interface; how does Untangle detect and filter its traffic? Where does the transparent proxy filter its URL requests by comparing them with the urlblacklist.com database?
How can I get away from the filter when I set my browser to use public proxy servers on port 80? It's a web traffic URL request; it gets to the Untangle internal interface (LAN), bypasses the filter, and I can view www.playboy.com or any blocked sites. How can Untangle let the web traffic bypass (both the proxy uses port 80 and URL requests go to regular HTTP websites on port 80)?
If I'm not wrong, Untangle filters at the application layer but not the network layer.
dmorris
10-03-2007, 02:08 PM
sunflower, it transparently catches all TCP sessions and processes them inline.
If you're using another external proxy, Untangle will not process the traffic as HTTP (because it's SOCKS or TOR or whatever you are using).
You can control these types of protocols using Protocol Control.
sunflower
10-03-2007, 04:27 PM
Thanks dmorris.
I just turned the Protocol Policy on for both SOCKS and TOR and used the proxy server 202.105.182.18 IP that is working today. I'm still able to browse the web. Checked with tcpdump, and the traffic is just a normal www traffic request.
15:20:16.773450 IP dhcp-172-17-4-56.mycompany.com.5781 > 202.105.182.18.www: P 924:1729(805) ack 439 win 6432 <nop,nop,timestamp 794037993 1975417744>
15:20:17.763340 IP dhcp-172-17-4-56.mycompany.com.5781 > 202.105.182.18.www: P 924:1729(805) ack 439 win 6432 <nop,nop,timestamp 794038983 1975417744>
15:20:18.208319 IP 202.105.182.18.www > dhcp-172-17-4-56.mycompany.com.5781: . ack 1729 win 9230 <nop,nop,timestamp 1975434592 794038983>
15:20:18.734870 IP dhcp-172-17-4-56.mycompany.com > 239.255.255.250: igmp v2 report 239.255.255.250
15:20:18.897205 IP 202.105.182.18.www > dhcp-172-17-4-56.mycompany.com.5781: . 439:1887(1448) ack 1729 win 9230 <nop,nop,timestamp 1975435239 794038983>
15:20:18.897279 IP dhcp-172-17-4-56.mycompany.com.5781 > 202.105.182.18.www: . ack 1887 win 8688 <nop,nop,timestamp 794040117 1975435239>
See my attachment images.
sunflower
10-03-2007, 04:44 PM
FYI, that proxy server is just a squid cache proxy server. I don't think squid-cache is a SOCKS proxy.
sunflower
10-04-2007, 12:21 PM
After turning on Protocol Control to block the SOCKS 5 proxy, now I cannot access Yahoo Mail b/c it's being redirected by Yahoo to their SOCKS server and Untangle blocked it.
This tells me that Untangle does block the SOCKS protocol properly. But using an external proxy server as I described in previous posts still allows me to bypass the Web Filter. That proxy server is not a SOCKS server. It's a web caching proxy server using squid-cache.
I was also able to use the proxy you mentioned earlier from behind two Untangle boxes. I think it will be a never-ending game on proxies... we block it, you make a new one... we block it... ad nauseam.
sunflower
10-04-2007, 01:17 PM
What's the purpose of having web filtering when users can get away with it? I first thought of having one in the production environment, but I'm losing interest in filtering the web since it's too easy to bypass it. Users (employees, kids, teens, etc...) can find a way to go around it just by digging Google.com.
Not to mention that if they have the 'Circumventor' proxy set up at home or they use the SSL proxy (https://www.stupidcensorship.com/) to browse the web from anywhere. Can't really control it.
I think that the primary purpose is that most people are not as determined as you have been to find a loophole. The proxy that you mentioned today was the first one that I had been able to use successfully...the rest had been blocked by the time that I tried them. This one will probably be blocked very soon as well, and another will take its place.
sunflower
10-04-2007, 02:57 PM
If employees/users want to bypass the filter while working in the office, they just set up their own proxy server at home. When they come to the office, they just change their setting to their own home proxy server. That proxy server will never get into the database, and never will, since it's a private proxy server. What can you do?
If it's packet filtering, why can't you filter traffic when it's detected that it's not a normal URL web request but a proxy request? There must be some way to block it.
sunflower
10-04-2007, 06:50 PM
I just went through a 14-page white paper 'Meeting the Challenges of Web Content Filtering' written by SmoothWall Ltd. All of the points that I have discovered are very well documented in this white paper. If you are interested, please take a look at this: http://dansguardian.org/downloads/content_filtering_challenges.pdf
URL-based content filtering is not good enough for content filtering. It can very easily be bypassed.
Want to access www.playboy.com --> This is a simple bypass of the web filter: http://216.163.137.3/ [no proxy needed - just direct browsing through the Untangle web filter with Pornography turned on].
I love the Untangle security gateway but there is a lot of work that needs to be done. It's a challenge.
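An added illustration, not code from the thread or from Untangle: a filter that inspects the first bytes of each port-80 session can tell the browser-to-proxy requests sunflower describes from direct ones, because a browser configured for an explicit proxy sends absolute-form request targets (or CONNECT) even when that proxy listens on port 80, and it can also flag the IP-literal Host trick from the post above. The sample request heads are constructed; 216.163.137.3 is the address the post itself cites.

```python
import re
from ipaddress import ip_address

# Constructed sample request heads (not captured data): what a transparent
# filter sees in the first bytes of each client TCP session to port 80.
SAMPLES = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET http://www.example.org/news HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 216.163.137.3\r\n\r\n",
    "CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify_request(raw):
    """Return (verdict, detail) for one HTTP request head.

    Explicit-proxy clients send absolute-form targets ("GET http://h/p")
    or CONNECT; clients talking straight to the origin send origin form
    ("GET /p").  An IP-literal Host header sidesteps hostname-based URL
    lists, so it is flagged separately.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ("malformed", lines[0])
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":
        return ("proxy-tunnel", target)
    if ABSOLUTE_URI.match(target):
        return ("proxy-absolute-uri", target)
    host = headers.get("host", "")
    if host.startswith("["):              # bracketed IPv6 literal
        host = host[1:host.find("]")]
    else:                                 # strip an optional :port
        host = host.split(":", 1)[0]
    try:
        ip_address(host)
        return ("direct-ip-literal", host)
    except ValueError:
        return ("direct", host)


def verdicts(samples=SAMPLES):
    """Verdict per sample, in order, for a quick triage report."""
    return [classify_request(s)[0] for s in samples]
```

The tcpdump lines earlier in the thread only show that such a session looks like ordinary port-80 traffic at the packet level; the request line inside the payload is where it differs.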
Silver Bullet
10-04-2007, 09:30 PM
I personally don't care for Dan's Guardian. It is a resource hog and I would prefer to use my resources for other things.
I think you should consider setting GPOs to disable users from configuring proxy servers. Restrict them from using other browsers by setting software restriction policies. If you're not in a domain environment then you can just use local policies to accomplish the same.
Or, alternatively, set up another server that has Dan's Guardian on it in front of the users you are concerned with and... voila! :)
sunflower
10-05-2007, 12:04 AM
Silver Bullet, sounds like you're a Windows shop user. Group Policy only works when you are using AD and it's limited to IE. You still need to modify each of the machines with Firefox, Netscape, Mozilla, SeaMonkey, Safari, etc... there are tons of other browsers out there for which you don't have the ability to disable the connection settings.
Also, it doesn't work since we are an open source (Linux, Solaris, Un*x, etc...) shop and you can't do that by disabling a setting.
Setting up another box with DansGuardian is the same since it's only a URL database just like the urlblacklist.com database. What's missing are IP URL-based filtering, keyword filtering, dynamic content filtering, etc... Untangle is good but it needs more features to fully block with web filtering. Again, it's a challenge.
sunflower
10-05-2007, 12:17 AM
Silver Bullet, you lead me to check out the new features of DansGuardian. It does have a lot of features... yeah... voila :)
Silver Bullet
10-05-2007, 07:23 AM
Well, no... group policy is not dependent on Active Directory. You can also implement local group policy. Go to Start > Run and type gpedit.msc.
Your screenshots reflect that you are using Windows XP, which is why I suggested group policy. But, if you are a full-blown open source shop, then a Dan's Guardian server should serve your purposes.
You could also only allow your DNS server to pass DNS traffic through Untangle. Then, create stub zones on your BIND server for only the domains you grant your users to use.
Good Luck
sunflower
10-05-2007, 09:31 AM
Silver Bullet, it's a good catch with the screenshots. We only use back-end servers (samba, sendmail, imap/pop, etc...); a Microsoft license is out of the question.
Group policy only makes sense when you are using it globally to apply to the whole domain. If you use it with local group policy, you must edit each individual machine (doesn't make sense if you want to edit 200 or more machines).
Using local DNS to limit accessible domains as a blanket policy will make more work for IT. How many domains could you allow and create on your own domain? This limitation does not work for business. For your children, you can do it.
Silver Bullet
10-05-2007, 12:00 PM
Wow Sunflower! I hope you don't get offended but I feel sorry for you. Honestly!
200 workstations operating in a workgroup environment. All with the ability to install whatever they want. You have your hands full.
sunflower
10-05-2007, 12:37 PM
Sounds scary but it's not. All machines are under the Samba domain controller and NIS. Samba works as an NT domain and it doesn't support Group Policy. Most are Engineers & QA so they need full access to the system to get the work done, and each has more than 2 machines.
Even if you restrict installation, there are programs/browsers that don't need to write into MS DLLs, such as 'Portable Firefox'. You can put it into your own folder/directory or just on a USB drive.
Silver Bullet
10-05-2007, 02:41 PM
I know you said that you didn't want to set policies on each machine individually, and I don't blame you, but you could create software restriction policies using hash rules and they wouldn't be able to run Portable Firefox or anything else that you didn't want them to run, regardless of its location.
sunflower
10-05-2007, 04:34 PM
Silver Bullet, you sound like an MS pro. Are you MCSE certified :)?
I'm not sure whether you mean to set a Software Restriction Policy with hash rules using Microsoft Group Policy or just a company restriction policy. If it's MS, you still need to edit each individual machine. But it's a great idea to prevent users executing outside of the restricted area. Great point.
However, this doesn't work in a Un*x environment. If it's a paper policy and you believe that users will follow it, then you don't need a security gateway in place.
hescominsoon
10-24-2007, 12:53 PM
Silver Bullet, it's a good catch with the screenshots. We only use back-end servers (samba, sendmail, imap/pop, etc...); a Microsoft license is out of the question.
Group policy only makes sense when you are using it globally to apply to the whole domain. If you use it with local group policy, you must edit each individual machine (doesn't make sense if you want to edit 200 or more machines).
Using local DNS to limit accessible domains as a blanket policy will make more work for IT. How many domains could you allow and create on your own domain? This limitation does not work for business. For your children, you can do it.
You can push out local policy for the workstations from gpedit on the domain controller.
meeza
04-08-2008, 03:50 AM
Hey hey hey..
Why has the topic changed from the proxy to MS policy?
Back to the topic guys..
How to use a proxy on Untangle? If Untangle can't do that, just say Untangle can't support that right now...
I am also looking for a proxy setting on Untangle; I wish I could use Untangle and replace my IPCop, but without a proxy it makes Untangle limited.
If so, I should change all the clients to not use a proxy on port 8080.. it seems difficult..
Silver Bullet
04-08-2008, 07:32 AM
Read back through the thread and you will see that it clearly doesn't act as a proxy.