Force Outbound HTTP to come from Proxy Server IP
11-28-2006 07:58 AM - edited 03-05-2019 01:04 PM
Here is my current setup:
I have several faculty machines that use the router as their gateway to the Internet. The IP is given to these machines via DHCP.
All of my student machines use this gateway also, but web browsing is forced to go through my proxy server via AD Group Policy. This works fine.
What I need to do now is force all rogue laptop users (those not part of my domain) to use the proxy server also. Right now when they plug in they get the gateway address and out they go.
What I'm hoping to do is the following:
- Assign a second IP address to my router (on a subinterface?).
- Rogue machines get this IP as the default gateway (done via DHCP scopes).
- Tell the router that outbound 80, 21, 443 traffic on this subinterface must come from the IP address of the proxy server.
- Public users will be told that they must configure their browser's proxy settings to point to the proxy server.
In my mind, this scenario would work well, but I'm not sure how to configure the router. I understand that I can give g0/0 a secondary IP address, but I seem to only be able to apply ACLs to the interface itself, thus leading me to believe I need to create a subinterface and assign it another IP.
I actually tried this:
router# config t
router(config)# int g0/0
router(config-if)# int g0/0.1
router(config-subif)# ip address 192.168.254.154 255.255.0.0
% Configuring IP routing on a LAN subinterface is only allowed if that
subinterface is already configured as part of an IEEE 802.10, IEEE
802.1Q, or ISL vLAN.
Clearly I'm barking up the wrong tree here, or perhaps I'm just missing some steps. Will my idea even work? Will I be able to apply outbound ACLs to just this one subinterface?
My router is doing pretty much nothing else but routing between my core switch stack and my ISP's router via g0/1.
Thanks for any advice.
Labels: Other Switching
11-28-2006 08:53 AM
Mark,
You can accomplish this with route-maps.
Let's say your network is 192.168.1.0/24 and your proxy server is 192.168.1.254.
In the router you would set up something like this:
interface g0/0
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map proxy
!
! Exempt the proxy's own outbound traffic first, so its upstream
! fetches are not policy-routed straight back to itself.
access-list 100 deny tcp host 192.168.1.254 any
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 21
access-list 100 permit tcp any any eq 443
!
route-map proxy permit 10
 match ip address 100
 set ip next-hop 192.168.1.254
With this approach, you don't even need AD policy for the rest of the network. Everyone will be forced to go via the proxy in order to connect to ports 80, 21 and 443.
HTH,
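As an added model (not the poster's configuration or anything from this thread), the Python below evaluates ACL 100 with IOS first-match semantics and applies the route-map's next-hop, then follows a flow hop by hop. It shows that with the ACL exactly as posted, the proxy's own upstream fetches on port 80 are policy-routed back to the proxy, and that a deny entry for the proxy ahead of the permits breaks that loop. The proxy address is the reply's sample value; the workstation address and the "ISP" label are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values from the reply: a /24 LAN with the proxy on .254.
PROXY = "192.168.1.254"
ISP = "ISP"  # stands in for normal destination-based routing out g0/1


@dataclass
class Ace:
    """One access-list entry: action, source ('any' or 'host A.B.C.D'), dest port (None = any)."""
    action: str
    src: str
    dport: Optional[int]


def acl_lookup(acl: List[Ace], src: str, dport: int) -> str:
    """IOS extended ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        src_ok = ace.src == "any" or ace.src == f"host {src}"
        port_ok = ace.dport is None or ace.dport == dport
        if src_ok and port_ok:
            return ace.action
    return "deny"


def policy_next_hop(acl: List[Ace], src: str, dport: int) -> str:
    """route-map proxy permit 10 / match ip address 100 / set ip next-hop PROXY:
    a packet the ACL permits is policy-routed to the proxy; anything the ACL
    denies (explicitly or implicitly) falls through to normal routing."""
    return PROXY if acl_lookup(acl, src, dport) == "permit" else ISP


# ACL 100 exactly as posted in the reply above.
ACL_POSTED = [Ace("permit", "any", 80), Ace("permit", "any", 21), Ace("permit", "any", 443)]
# Same ACL with the proxy's own traffic exempted ahead of the permits.
ACL_FIXED = [Ace("deny", f"host {PROXY}", None)] + ACL_POSTED


def trace(acl: List[Ace], src: str, dport: int, max_hops: int = 5) -> Tuple[List[str], bool]:
    """Follow one flow until it reaches the ISP. When the router hands the flow to
    the proxy, the proxy opens its own upstream connection, so the next packet the
    router sees is sourced from the proxy. Returns (next-hops seen, looped?)."""
    hops, hop = [], src
    for _ in range(max_hops):
        nxt = policy_next_hop(acl, hop, dport)
        hops.append(nxt)
        if nxt == ISP:
            return hops, False
        hop = nxt
    return hops, True  # never escaped: the proxy keeps being handed its own traffic
```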
11-30-2006 07:55 AM
Ok, I think maybe I was not clear:
My proxy is a sideways proxy - plugged into the same switch as the router.
Internet
|
|
Router (192.168.254.254)
|
|
Switch -- Proxy Server (192.168.1.230)
|
|
Workstations (192.168.0.0/255.255.0.0)
All machines are DHCP clients. The default gateway on all machines is set to 192.168.254.254.
Internet Explorer on student machines is forced, via AD group policy, to send HTTP requests to the proxy server. My faculty machines have no proxy setting.
I believe the solution put forth by HTH (thanks!) would force every packet that arrives at the router to be routed to the proxy server (which in turn would send it back to the router).
Just to reiterate, my setup works fine except when public laptop users plug into my network (which we allow). I want these users to pick up a different default gateway (subinterface?) via a DHCP scope (which we have figured out), then apply an ACL to a subinterface.
Thanks again for your help!
11-30-2006 08:35 AM
The problem is you cannot have two DHCP servers running on the same LAN segment. The user will accept whichever responds first. Even with a single DHCP server, how would it tell the difference between users? All it gets is a MAC address.
The subinterface stuff you had posted is basically one of the solutions to your problem, since it creates multiple VLANs. You now have the problem of how you dynamically assign users to a VLAN.
One of the more common methods to do this is 802.1x. Your switches must support this option to use this. Depending on how you implement this, you may also need to turn the option on in the client machines. In effect you place unauthorised or unknown machines into a guest VLAN. You could then restrict the guest VLAN.
You could always use the brute force approach and give static IPs to the people who are allowed to bypass the proxy. You would then put in an access list that allows these IPs and the proxy out on certain ports. Your guest people would be blocked until they configure a proxy server.
11-30-2006 10:40 AM
We accomplish this using one DHCP server. We referred to the following docs:
http://support.microsoft.com/kb/240247/EN-US/
http://support.microsoft.com/default.aspx?scid=kb;en-us;235272
In a nutshell, we give the machines with no "class" set a different IP address as the gateway. We want the ACL on the router to be applied to traffic to THAT IP.
Again, our issue is not the DHCP setup - it's how to accomplish the subinterface ACL on the router.
Thanks for your reply.
