Hi everybody,
I believe I already know the answer to this but maybe somebody can throw
me a bone and point out alternatives. This is not a pure Squid problem but
it involves http proxying. This is the situation:
Our security team is implementing a scanning system that checks Windows PC
for vulnerabilities and virus infections. Once a computer is identified to
be quarantined we use DHCP to put that machine into a restricted network
that is not routable. Our idea was that we use DNS on that network to
force any kind of web traffic to be directed to an info page that informs
the user that his/her computer is not up to standards and that they should
do a Windows Update and update the virus scanner definitions. The DHCP,
DNS, and the info page part work great. The problem now is, that we have
to provide a way for that machine to get to Microsoft's servers in order
for Windows Update to work. We thought that Squid would do wonders here.
Configure it as transparent proxy and make sure it considers the Host:
header. Tighten the access controls so that only that restricted network
can get out and only to *.windowsupdate.com,
*.windowsupdate.microsoft.com, and wustat.windows.com. Well, in theory
this is fine and dandy and would work if only it wouldn't be using SSL
down the road. That is pretty much a show stopper and we can forget about
the transparent proxy idea.
I know that we are not the only ones that are trying or tried to solve
this problem. Our network is all over the place and grew almost
uncontrolled over two decades, consisting of many, many subnets behind T1s
so that direct access to the internet for that purpose is pretty much out
of question (using NAT for example). So is WCCP or other things we could
do on router level. SUS or SMS is not going to work either because a) it
doesn't really have the entire repertoire of update packages and b) it
requires support from the client and c) we deal with personal computers
here that belong to the students and not to the organization. That would
work in a corporate world but not on our campus.
Anything else we could look into? Would contacting Microsoft do any good?
The only solution I have right now is keep the proxy but have the infected
end-user configure a proxy auto config script into his browser.
Thanks for any pointers, ideas, comments.
- Michael
Received on Tue May 11 2004 - 11:55:19 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Jun 01 2004 - 12:00:01 MDT