07-24-2013 03:00 AM
Hi,
I am trying to forward my wifi mobile users' HTTP requests to the Squid proxy.
I have configured the Squid proxy in transparent mode (port 80).
On the firewall I have 3 zones: LAN (port 1), DMZ (port 3) and INTERNET (port 2).
The wifi mobile users are in zone "LAN" and my Squid proxy is in zone "DMZ".
When the wifi mobile users want to access the internet, the request must be forwarded to the Squid proxy, which must send the captive portal to the client for authentication.
How can I do this? I've read most posts but I do not manage to do what I want.
Is the solution to create a PBF? A NAT?
Thanks for your help.
Best Regards
Nicolas
07-24-2013 06:30 AM
Good Morning,
Is it that the wifi users will authenticate against the Squid proxy for the first time only, and once they are authenticated, will they talk HTTP/HTTPS with the other websites and bypass the Squid proxy? Or is the Squid proxy server acting as a proxy server for any HTTP/HTTPS requests that the mobile users attempt to open connections for?
If it's the latter, then all you need is a policy from LAN to DMZ for the HTTP traffic to reach the proxy, and then a rule from the DMZ to the INTERNET for the proxy to open the connection on behalf of the mobile user. If the proxy server has a private IP address and is on the same subnet as the firewall's DMZ interface, then we need not NAT traffic from LAN to DMZ. But we definitely require a source NAT (dynamic IP and port translation) from DMZ to INTERNET for the outbound HTTP requests from the proxy server to the outside servers.
BR,
Karthik RP
07-24-2013 02:53 PM
Like the last respondent, I would need to know what the intent is here to provide a truly educated response. I would say this, though: if you just need a captive portal, why not use the one built into the Palo Alto? If you are trying to use something like Cisco ISE for the captive portal, then the real solution involves WCCP on an intermediate switch, which will intercept the HTTP request and forward it to the proxy server; then, after authentication, the switch will redirect the user to the firewall for outbound internet. Please let us know what technologies you are trying to leverage, and what the end goal is, and we can make better recommendations. Good luck.
-chadd.
07-25-2013 12:15 AM
Hi kprakash and cchristiansen,
First of all, thanks for your answers.
The Squid proxy server is used as a proxy server for any HTTP/HTTPS request that the mobile users attempt to open connections for.
The captive portal product is OLFEO (a French solution) and the network contains switches of brand Avaya (5530 and 2526T).
I created the following rules:
PBF:
Source zone: LAN
Source address: WIFI
Destination zone: any
Service: http
Action: forward
Forwarding egress: 1/3
Forwarding next hop: IP Proxy Squid
NAT:
Source zone: DMZ
Destination zone: Internet
Destination interface: any
Source address: any
Destination address: any
Service: http
Source translation: dynamic ip and port
Destination translation: none
And I created a security rule from DMZ to INTERNET.
I try to access the web. I see the request on the OLFEO appliance (tcpdump) but not in Squid. The user does not receive the authentication page.
Thanks for your help.
Best Regards
Nicolas
07-25-2013 06:56 AM
Good Morning Nicolas,
Is Olfeo located on the DMZ too, or is it located in another zone? From what I understand, the wifi users rely on the proxy to access the web. That being the case, do the guest users' browsers have the proxy setting to forward the web traffic "GET" requests to the proxy server?
We do not need a PBF rule, and we can just have a security policy from LAN to DMZ (and have interface source NAT, if the Squid proxy is not directly on the firewall's DMZ interface subnet), so that the GET requests are routed from the wifi users to the Squid proxy on the DMZ.
As mentioned earlier, we also require the security policy from DMZ to Internet and a NAT from DMZ to Internet.
Please let me know if that worked.
BR,
Karthik
09-19-2013 12:54 AM
Hi,
Apologies for my long silence, but I had to leave the project for a short while.
Having some time at the moment, I resumed this captive portal project.
It now works in HTTP.
On the Squid proxy, I executed the following command: /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 80
Now I would like to do the same for HTTPS.
Regards,
Nicolas
09-19-2013 05:43 AM
For HTTPS control, you will need SSL decryption on the Squid proxy; you can find information on bumping direct SSL connections here: Features/HTTPS - Squid Web Proxy Wiki. Then you will need to modify the PBF rule on the PA to redirect port 443 traffic to the Squid proxy, similar to what you have for HTTP (port 80).
Are you using the Squid proxy just for the captive portal authentication? The PA also supports captive portal authentication, and you can implement authentication on the PA.
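The Squid-host side of the HTTP and HTTPS redirect described in this thread, as an added example that is not part of the thread and not Olfeo's, Squid's or Palo Alto's own code. It assumes wifi traffic arrives on eth0 (as in Nicolas' command), that Squid listens on intercept ports 3128 and 3129 rather than on port 80 itself, and Squid 3.5+ ssl-bump syntax; the CA certificate path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: nat-table REDIRECT rules on the Squid host for
# HTTP and HTTPS, plus the matching Squid listener lines. Assumptions: wifi traffic
# arrives on eth0 (as in Nicolas' command); Squid listens on 3128 (intercept) and
# 3129 (intercept ssl-bump) rather than on port 80 itself; Squid 3.5+ syntax.
IFACE="${IFACE:-eth0}"
HTTP_INTERCEPT_PORT="${HTTP_INTERCEPT_PORT:-3128}"
HTTPS_INTERCEPT_PORT="${HTTPS_INTERCEPT_PORT:-3129}"

# Build one PREROUTING REDIRECT rule as text so it can be reviewed before it is applied.
redirect_rule() { # $1 = port to intercept, $2 = local Squid intercept port
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$IFACE" "$1" "$2"
}

# Redirect only 80 and 443: anything broader would push unrelated traffic into Squid.
# With DRY_RUN set the rules are printed; otherwise they are applied (needs root).
apply_redirects() {
    for pair in "80:$HTTP_INTERCEPT_PORT" "443:$HTTPS_INTERCEPT_PORT"; do
        rule="$(redirect_rule "${pair%%:*}" "${pair##*:}")"
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$rule"
        else
            eval "$rule" || return 1   # inputs are our own variables, so eval is safe here
        fi
    done
}

# Squid listener lines that match the redirects. The CA certificate path is a
# placeholder: the admin must create that CA and install it in the wifi clients'
# trust store, or every bumped HTTPS site shows a certificate warning.
squid_intercept_ports() {
    cat <<EOF
http_port $HTTP_INTERCEPT_PORT intercept
https_port $HTTPS_INTERCEPT_PORT intercept ssl-bump cert=/etc/squid/ssl_cert/CHANGE_ME_ca.pem generate-host-certificates=on
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# Default run only prints what would be done; pass "apply" to really add the rules.
case "${1:-}" in
    apply) apply_redirects ;;
    *) DRY_RUN=1 apply_redirects; squid_intercept_ports ;;
esac
```

The PBF rule on the firewall still has to send port 443 to the Squid host, exactly as the port 80 rule already does; this block only covers what happens once the packets reach Squid.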