
Artica

1.6.010302
Artica Proxy Appliance Documentation
- draft -
Summary
Main Proxy/Squid configuration
  Performances tuning
    Main core: the Squid version
    Memory, cache and DNS
      Increase the used memory
      Take care about the DNS
  Redirectors options
    MAX redirector processes
    Pre-spawn processes
    Available processes
    Concurrency Processes
  Proxy Groups
    Add a new group
    Add items inside the group
  Connections Time
    Add / edit a connection time rule
    Personalize the error message page
    Geek Mode
  Monitoring
    Display service Proxy events
Main web filter rules
  Using ufdbGuard
    Install ufdbGuard
    Enable UfdbGuard service
    UfdbGuard service parameters
    Control HTTPS Usage
    Use a remote server / centralize Web filtering with UfdbGuard
      Benefits in single proxy mode
      Benefits in multiple proxy mode / load balancing mode
      Enable UfdbGuard service on Artica statistics Appliance
      Enable UfdbGuard service on Proxy client
  The default rule
  Rules and groups
    LDAP Group
    Virtual Group
    Active Directory Group
  Add a web filtering group
  Need a "mixed" group
  Create a Web-filtering rule
  Whitelist or Blacklist users/websites
    Ban/Allow clients
      Add MAC addresses
      Add IP addresses
    Ban/allow destination Websites
  Microsoft Active Directory connection
    Create the GPO
      Prevent users from changing Internet Explorer settings
      Change proxy settings
    Geek mode
Network tips and configurations
  Example 1: Using 2 gateways / transfer requests to a second gateway
    Create the Virtual Interface
    Change proxy settings
  Internet Proxy Statistics Appliance
    Create the Web statistics appliance
    Use the Internet Proxy Statistics Appliance on the client Proxy
Main Proxy/Squid Configuration
Performances tuning
The default configuration is set for a minimal server: 1 processor and 512 MB of memory.
If you are using a smaller system than this, don't touch anything.
Main core: the Squid version
Squid 3.x is not multi-CPU capable. If your server has multiple CPUs, you should upgrade the main Squid version.
In the Proxy section, go to Services Status > Software update tab.
Check the current version to verify whether you are using Squid 3.2.x.
Otherwise, click on the « Install or Upgrade » button to order Artica to update your Squid version.
Memory, cache and DNS
Increase the used memory:
If your server has more than 1 GB of memory, you can safely increase the memory used by the proxy.
In this case, the proxy will use memory before using the disk cache.
Cache memory parameter
By default, the cache memory is set to 256 MB.
The cache memory parameter does NOT specify the maximum size of the process.
It only specifies how much memory to use for caching "hot" (very popular) replies.
As a rule of thumb, Squid uses approximately 10 MB of RAM per GB of the total of all caches you have defined on Artica.
When using the Appliance, by default Artica creates a 5 GB cache for each CPU detected on your system.
For a server with 4 CPUs, Artica creates 4 x 5 GB of disk cache, so the proxy will use a minimum of (20 * 10 MB) = 200 MB of memory,
plus the value set for the cache memory parameter, plus an additional 10-20 MB.
For a server with 4 CPUs and the default configuration, the proxy will be able to use 220 MB + 250 MB = 470 MB.
It is recommended to have at least twice this amount of physical RAM available on your server.
In our 4 CPU example, the minimum to run the proxy correctly is 940 MB of free memory.
But an Artica system runs several services and scripts that require memory (MySQL/LDAP/Artica will use about 512 MB).
In our 4 CPU example, a minimum of 512 + 940 = 1.4 GB of memory must be installed on the system.
Where and how to change this parameter
Basically, you must first take care of the sum of your cache sizes (10 MB per 1 GB).
If you set 100 GB of cache, you will need about 1 GB of free memory.
If you have memory left after the cache calculation, increase the parameter to about 50% of your free memory.
Final example: a server with 4 CPUs, 8 GB of memory and 100 GB of disk cache:
- MySQL + LDAP + Artica consumption: 1 GB
- Proxy cache consumption: 1 GB
- System consumption: 350 MB
- The parameter can be set to (8 GB - 1.3 GB) / 2 = 3.35 GB
Change the memory consumption parameter:
- Under the Proxy section, click on the Parameters top menu.
- Select the « Advanced options » tab.
- Choose the « Ideal amount of memory » icon.
- Modify the value.
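The sizing rule above (10 MB per GB of disk cache, plus cache memory, plus a small fixed overhead, then doubled for physical RAM and topped up by the other Artica services) is easy to get wrong by hand. The function below is an added example, not part of the Artica documentation or product; it reproduces the document's 4 CPU figures and lets you plug in other CPU counts or cache memory values. The parameter names are this example's own.

```python
# Added example (not Artica code): estimate the proxy's memory needs from the
# rule of thumb in the documentation. All sizes are in MB.

def squid_memory_estimate(cpus, cache_mem_mb=250, disk_cache_gb_per_cpu=5,
                          overhead_mb=20, base_services_mb=512):
    """Return the sizing figures for a server with `cpus` processors.

    - Artica creates one disk cache of `disk_cache_gb_per_cpu` GB per CPU.
    - Squid needs about 10 MB of RAM per GB of disk cache (cache index).
    - Add the cache memory parameter and 10-20 MB of fixed overhead.
    - Physical RAM should be at least twice that figure.
    - MySQL/LDAP/Artica need roughly another `base_services_mb`.
    """
    disk_cache_gb = cpus * disk_cache_gb_per_cpu
    index_mb = disk_cache_gb * 10
    proxy_mb = index_mb + cache_mem_mb + overhead_mb
    return {
        "disk_cache_gb": disk_cache_gb,
        "proxy_process_mb": proxy_mb,
        "recommended_free_mb": proxy_mb * 2,
        "minimum_system_mb": proxy_mb * 2 + base_services_mb,
    }

if __name__ == "__main__":
    # The document's own example: 4 CPUs with the default cache memory.
    for key, value in squid_memory_estimate(4).items():
        print(f"{key}: {value}")
```

Run it once with the number of CPUs Artica detected on your appliance; `minimum_system_mb` is the figure to compare with the physical RAM before touching « Ideal amount of memory ».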
Take care about the DNS
Many times the slow feel (waiting a long time for a page) is caused by bad answers from DNS servers.
This behaviour can be fixed by tuning specific parameters.
Change the DNS servers
By default, the proxy uses the default DNS servers of the system.
You can force the proxy to use your own DNS servers instead of the standard DNS of your system.
- On the Advanced options tab, click on the « DNS servers » icon.
- Select the DNS servers tab.
- Add the address of your DNS server in the « server » field and click on the « Add » button.
Caching the DNS responses
The IP addresses of most domains change quite rarely, so it is safe to cache the positive responses from DNS servers for a few hours.
This doesn't provide much of a saving in bandwidth, but caching DNS responses may reduce latency quite significantly, because a DNS query is done for every request.
For caching DNS responses, Squid provides two directives, known as Positive DNS TTL and Negative DNS TTL, to tune the caching of DNS responses.
The directive « Positive DNS TTL » determines the maximum time for which a positive DNS response will be cached, while « Negative DNS TTL » determines the time for which a negative DNS response will be cached. The directive « Negative DNS TTL » also serves as the minimum time for which positive DNS responses can be cached.
By default, Positive DNS TTL is set to 6 hours and we are free to set it to 48 hours; Negative DNS TTL is set to 5 minutes and we are free to set it to 30 seconds.
Setting the size of the DNS cache
Squid performs domain name to address lookups for all the MISS requests, and address to domain name lookups for requests involving ACLs such as destination domains.
These lookups are cached.
To control the size of these cached lookups, there are four directives: « Fully qualified domain names cache size » (number), « IP addresses cache low » (percent), « IP addresses cache high » (percent), and « IP addresses cache size » (number).
The directive « IP addresses cache size » determines the maximum number of entries that can be cached for domain name to address lookups.
As these entries take a really small amount of memory and the amount of available main memory is enormous these days, we can cache tens of thousands of these entries.
The default value for this directive is 1024, but we can easily push it to 15,000 on busy caches.
The directives « IP addresses cache low » (let's say 90) and « IP addresses cache high » (let's say 95) are the low and high water marks for the IP cache.
So, Squid will try to keep the number of entries in the cache between 90 percent and 95 percent.
Using « Fully qualified domain names cache size », we can simply set the maximum number of address to domain name lookups that can be in the cache at any time.
These entries also take a really small amount of memory, so we can cache a large number of these.
The default value is 1024, but we can easily push it to 10,000 on busy caches.
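The two TTL directives and the size/low/high water marks interact in ways the descriptions above only hint at: a positive answer is clamped between the negative and the positive TTL, and the water marks decide when old entries are thrown away. The following class is an added example, not Squid or Artica code; it models those settings on constructed lookups (times are plain seconds, addresses are documentation ranges) so the behaviour can be checked before changing the values in Artica.

```python
# Added example (not Squid or Artica code): a model of Squid's IP cache settings
# « Positive DNS TTL », « Negative DNS TTL », « IP addresses cache size/low/high ».

class DnsCache:
    def __init__(self, positive_ttl=6 * 3600, negative_ttl=5 * 60,
                 size=1024, low=90, high=95):
        self.positive_ttl = positive_ttl   # « Positive DNS TTL », seconds
        self.negative_ttl = negative_ttl   # « Negative DNS TTL », seconds
        self.size = size                   # « IP addresses cache size »
        self.low = low                     # « IP addresses cache low », percent
        self.high = high                   # « IP addresses cache high », percent
        self._entries = {}                 # name -> (addresses|None, expires_at, stored_at)

    def ttl_for(self, addresses, upstream_ttl):
        """Negative answers live for negative_ttl. Positive answers keep the
        resolver's TTL, clamped: never longer than positive_ttl and never
        shorter than negative_ttl (the "minimum" rule described above)."""
        if addresses is None:
            return self.negative_ttl
        return min(max(upstream_ttl, self.negative_ttl), self.positive_ttl)

    def store(self, name, addresses, upstream_ttl, now):
        ttl = self.ttl_for(addresses, upstream_ttl)
        self._entries[name] = (addresses, now + ttl, now)
        self._enforce_water_marks()

    def lookup(self, name, now):
        """Return ("hit", addresses), ("negative", None) or ("miss", None)."""
        entry = self._entries.get(name)
        if entry is None:
            return ("miss", None)
        addresses, expires_at, _ = entry
        if now >= expires_at:
            del self._entries[name]        # expired: behaves like a miss
            return ("miss", None)
        return ("negative", None) if addresses is None else ("hit", addresses)

    def _enforce_water_marks(self):
        """Once the cache passes the high water mark, drop the oldest entries
        until it is back down at the low water mark."""
        high_mark = self.size * self.high // 100
        low_mark = self.size * self.low // 100
        if len(self._entries) <= high_mark:
            return
        oldest_first = sorted(self._entries, key=lambda n: self._entries[n][2])
        for name in oldest_first[:len(self._entries) - low_mark]:
            del self._entries[name]

    def __len__(self):
        return len(self._entries)

if __name__ == "__main__":
    # Constructed lookups: a 60 s upstream TTL is stretched to the 300 s minimum,
    # a 24 h upstream TTL is cut to the 6 h maximum.
    cache = DnsCache(size=100)
    cache.store("www.example.com", ["203.0.113.10"], upstream_ttl=60, now=0)
    cache.store("long.example", ["203.0.113.20"], upstream_ttl=86400, now=0)
    print(cache.lookup("www.example.com", 299), cache.lookup("www.example.com", 300))
    print(cache.lookup("long.example", 21599), cache.lookup("long.example", 21600))
```

Note that with a 100-entry cache the 96th insert evicts six entries at once, which is exactly the 90/95 percent band the document describes; raising « IP addresses cache size » to 15,000 mostly matters because busy proxies would otherwise churn through that band constantly.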
Redirectors options
This feature can be used to tune the redirectors engine.
- It can be used only if you use "ufdbGuard" as the main web filter engine.
- In the Squid options, select the "Parameters" top menu and click on the "Advanced options" tab.
- Choose the « Redirectors options » icon.
MAX redirector processes:
The maximum number of redirector processes to spawn.
If you limit it to too few, Squid will have to wait for them to process a backlog of URLs, slowing it down.
If you allow too many, they will use noticeably more RAM and other system resources.
Pre-spawn processes:
Sets a minimum of how many processes are to be spawned when Squid starts or reconfigures.
When set to zero, the first request will cause the spawning of the first child process to handle it.
Starting too few will cause an initial slowdown in traffic as Squid attempts to simultaneously spawn enough processes to cope.
Available processes:
Sets a minimum of how many processes Squid is to try and keep available at all times.
When traffic begins to rise above what the existing processes can handle, this many more will be spawned, up to the maximum configured.
A minimum setting of 1 is required.
Concurrency Processes:
The number of requests each redirector helper can handle in parallel.
Defaults to 0, which indicates the redirector is an old-style single-threaded redirector.
When this directive is set to a value >= 1, the protocol used to communicate with the helper is modified to include a request ID in front of the request/response.
The request ID from the request must be echoed back with the response to that request.
Note: if you have a dedicated server for proxy + ufdbguard 1.27+, I suggest setting
Max redirector processes: 60, pre-spawn processes: 20, available processes: 5, concurrency processes: 0.
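The concurrency setting changes the wire protocol between Squid and the redirector, which is why it must match what the helper expects. The helper below is an added example written for this page, not ufdbGuard and not Artica code: it implements the old-style (concurrency 0) and the ID-prefixed (concurrency >= 1) request/response formats for a Squid 3.x URL rewriter, with a constructed block list and block page URL standing in for a real filter database.

```python
# Added example (not ufdbGuard/Artica code): a minimal Squid url_rewrite helper
# that understands both the single-request protocol (concurrency 0) and the
# concurrent protocol where a request ID precedes each request and reply.
import sys
from urllib.parse import urlsplit

# Constructed sample policy: these hosts are sent to a local block page,
# every other URL passes through unchanged.
BLOCKED_HOSTS = {"ads.example.net", "tracker.example.org"}
BLOCK_PAGE = "http://127.0.0.1:9020/blocked.html"   # assumed local error page

def decide(url):
    """Return the helper's answer for one URL: a '302:' redirect to the block
    page, or an empty string meaning 'leave the URL unchanged'."""
    host = urlsplit(url).hostname or ""
    if host in BLOCKED_HOSTS:
        return "302:" + BLOCK_PAGE
    return ""

def handle_line(line, concurrency):
    """Process one request line from Squid and return the reply line.

    Old-style helper (concurrency 0):  "URL client/fqdn ident method ..."
    Concurrent helper (concurrency>=1): same fields, prefixed by a request ID
    that must be echoed back as the first token of the reply.
    """
    fields = line.strip().split()
    if not fields:
        return ""
    if concurrency >= 1:
        request_id, fields = fields[0], fields[1:]
        if not fields:
            return request_id            # malformed request: answer "unchanged"
        return f"{request_id} {decide(fields[0])}".rstrip()
    return decide(fields[0])

def serve(concurrency, stdin=sys.stdin, stdout=sys.stdout):
    """Loop until Squid closes the pipe; one reply line per request line."""
    for line in stdin:
        stdout.write(handle_line(line, concurrency) + "\n")
        stdout.flush()                   # Squid waits for each reply; never buffer

if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

The failure mode worth remembering: if Artica is set to a concurrency of, say, 4 while the helper still speaks the old format, every reply lacks the ID and Squid logs helper protocol errors and passes the request through unfiltered, so the setting is a security-relevant one, not only a performance knob.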
Proxy Groups
Proxy Groups are used to create a container of source addresses or destination Web servers.
They can be used in several sections like Whitelist or blacklist or time rules.
The Groups feature is located in Proxy > Parameters > Basic Filters tab > Groups.
Add a new group
Click on the « New Group » icon.
Set the group name in the field and select the group type.
The group type is important because it drives the items that you will be able to insert inside this container.
Click on the « Add » icon.
The table will display the newly added group with 0 items.
Add items inside the group
Click on the link of this group.
Click on the « New Item » button.
You will be able to add a new item according to the type of group you have chosen.
When an item is added, you will be able to enable it or delete it.
Connections Time
This feature allows you to control access based on time.
This filter is part of the Proxy settings because it is a core part of the proxy.
You do not need to enable any filter to use connection time rules.
Connection time rules can be based on a member (if authentication is enabled), a MAC address (if DansGuardian is not the main filter), a network, an IP address or an IP range.
The feature is located in the Proxy main settings > Parameters > Basic filters tab > Connection time tab.
Add / edit a connection time rule
Click on the « New time rule » button located at the top of the main rules table.
- Define the name of your rule, select the day(s) of the week you want to match and the start/end time.
- Set whether the time rule bans access to the Internet or allows access to the Internet.
- Click on the « Add » button.
Your rule is added.
You can disable it, remove it or edit it by clicking on the link of the rule name.
In order to match time rules with sources, you need to use « groups » (see the « Proxy Groups » section in this document).
Open your added time rule.
The form changes and displays 2 tabs:
- Groups tab: the Proxy groups that will match the time Allow/Restriction rule. Use the « New Group » button in order to insert saved « Proxy Groups » into the time rule.
- Settings: allows you to modify your time rule.
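A time rule is therefore a tuple of days, a start/end window, an allow or ban action and the Proxy Groups it applies to. The code below is an added example, not Artica code; it models that evaluation on constructed rules and clients, including a window that crosses midnight. Two points are assumptions of the example, not statements of the document: rules are evaluated in order with the first matching rule deciding, and a client matched by no rule is allowed.

```python
# Added example (not Artica code): evaluation of connection time rules.
# Assumptions: first matching rule wins; no matching rule means "allow".
from datetime import datetime, time

class TimeRule:
    def __init__(self, name, weekdays, start, end, action, groups):
        self.name = name
        self.weekdays = set(weekdays)      # 0 = Monday ... 6 = Sunday
        self.start, self.end = start, end  # datetime.time values
        self.action = action               # "ban" or "allow"
        self.groups = groups               # Proxy Groups: sets of IP or MAC strings

    def in_window(self, when):
        """True when `when` falls on a selected day inside the start/end window."""
        if when.weekday() not in self.weekdays:
            return False
        t = when.time()
        if self.start <= self.end:                 # same-day window, e.g. 09:00-18:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end     # crosses midnight, e.g. 22:00-06:00

    def matches_client(self, client):
        return any(client in group for group in self.groups)

def evaluate(rules, client, when):
    """Return (action, rule name) for the first matching rule, else ("allow", None)."""
    for rule in rules:
        if rule.matches_client(client) and rule.in_window(when):
            return rule.action, rule.name
    return "allow", None

# Constructed sample data: one Proxy Group of two IP addresses and one MAC address.
OFFICE = {"10.0.0.5", "10.0.0.6", "00:11:22:33:44:55"}
SAMPLE_RULES = [
    TimeRule("no browsing in office hours", range(0, 5), time(9, 0), time(18, 0), "ban", [OFFICE]),
    TimeRule("night maintenance", {5, 6}, time(22, 0), time(6, 0), "ban", [OFFICE]),
]

if __name__ == "__main__":
    for when in (datetime(2013, 5, 15, 10, 0), datetime(2013, 5, 15, 20, 0),
                 datetime(2013, 5, 18, 23, 30)):
        print(when, evaluate(SAMPLE_RULES, "10.0.0.5", when))
```

The midnight case is the one to test on a real appliance: a rule entered as 22:00 to 06:00 on Saturday will, depending on how the engine interprets the day, either end at Sunday 06:00 or at Saturday 06:00 (i.e. never apply), so verify with a test client before relying on it.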
Personalize the error message page:
Each time rule can have its own error page.
This is the default error page generated when a user tries to access the Internet inside a banned time rule.
When editing a time rule, personalize the text that you need to display.
Geek Mode:
When creating a group or a time rule, the framework runs « exec.squid.php ».
To analyze the ACL engine, launch it from the command line in a terminal:
php5 /usr/share/artica-postfix/exec.squid.php --build --verbose | grep ACL
Monitoring
Display service Proxy events
You can display events under « Server status » and « Proxy service events ».
This form displays the list of the last « /var/log/squid/cache.log » events.
If you need to refresh the table, just press Enter in the « Search » field.
Main Web Filter Rules
Using ufdbGuard
ufdbGuard is a redirector that runs as a daemon; the proxy sends the requested URLs to this daemon.
If a URL does not match any block rule, the proxy continues its processing and serves the web page.
If a URL matches a deny rule, a banned page is displayed.
Install ufdbGuard
You can install ufdbGuard through the Setup Center or using the command line:
/usr/share/artica-postfix/bin/artica-make APP_UFDBGUARD
Enable UfdbGuard service
Go into the proxy main section.
Select the « Web filtering » main toolbar icon.
Choose the « status » tab.
Click on the « UfdbGuard Web Filter » link in order to enable it.
The service status will display 2 new services:
SquidGuard HTTP service is a web server that will serve the web error page when URLs match some rules.
UfdbGuard Web filter displays the status of the filter engine service that listens for requests from the proxy in order to judge whether a request is allowed or banned.
UfdbGuard service parameters
On the Web Filtering tab, select « Service Parameters ».
Click on the « Service Parameters » tab and select the « UfdbGuard Web Filter » option.
Control HTTPS Usage
Most websites that use HTTPS for legitimate business reasons use an SSL certificate that is signed by a well-known certificate authority and have a fully qualified domain name in the URL, for maximum security and a clear identification of the website, while most websites that use HTTPS for other reasons have self-signed SSL certificates and IP addresses instead of domain names. HTTPS is usually secure enough to protect the connection from eavesdropping, but has an old protocol option which is rarely used and insecure.
The old and insecure SSLv2 protocol can be blocked by means of a configuration option.
ufdbGuard is able to detect a small subset of the protocols used on port 443 on the Internet: HTTPS (HTTP+SSL), Skype, SSH and a few proxies. When ufdbguardd probes port 443, it is quite possible that it stumbles upon a port of a website that uses an unknown protocol.
There is a configuration option to allow or block unknown protocols. The default is to allow such protocols, since there are many sites which use port 443 to deliver video content or other application-specific content.
Access to HTTPS websites can be controlled with the following options:
- Enforce https with hostname
- Enforce https official certificate
- Prohibit insecure sslv2
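To make the effect of these three options (plus the allow/block unknown protocol option) concrete, here is an added example, not ufdbGuard or Artica code, that models the decision taken for one CONNECT target given constructed probe results. The option names are rendered as dictionary keys of this example, not ufdbGuard configuration keywords, and the model assumes that a detected non-HTTPS protocol (SSH, Skype) is blocked, which the document does not spell out.

```python
# Added example (not ufdbGuard/Artica code): a model of the HTTPS policy
# decision described above, applied to a CONNECT target and a probe result.
import ipaddress

# Keys mirror the three options above plus the unknown-protocol option;
# the values are the defaults this example assumes.
DEFAULT_POLICY = {
    "enforce_https_with_hostname": True,
    "enforce_https_official_certificate": True,
    "prohibit_insecure_sslv2": True,
    "allow_unknown_protocol": True,        # default described in the text
}

def is_ip_literal(host):
    """True when the CONNECT target is an address rather than a hostname.
    IPv6 literals arrive wrapped in square brackets."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def evaluate_https(target, probe, policy=DEFAULT_POLICY):
    """target: "host:port" from the CONNECT request.
    probe:  constructed probe result, e.g. {"protocol": "https",
            "self_signed": False, "sslv2": False}; protocol may also be
            "ssh", "skype" or "unknown".
    Returns (allowed, reason)."""
    host, _, _port = target.rpartition(":")
    protocol = probe.get("protocol", "unknown")
    if protocol != "https":
        if protocol == "unknown" and policy["allow_unknown_protocol"]:
            return True, "unknown protocol allowed by policy"
        return False, f"{protocol} on port 443 is not HTTPS"
    if policy["enforce_https_with_hostname"] and is_ip_literal(host):
        return False, "HTTPS to an IP address instead of a hostname"
    if policy["enforce_https_official_certificate"] and probe.get("self_signed"):
        return False, "certificate is not signed by a known CA"
    if policy["prohibit_insecure_sslv2"] and probe.get("sslv2"):
        return False, "server offers SSLv2"
    return True, "ok"

if __name__ == "__main__":
    ok = {"protocol": "https", "self_signed": False, "sslv2": False}
    for target in ("www.example.com:443", "198.51.100.7:443", "[2001:db8::1]:443"):
        print(target, evaluate_https(target, ok))
```

When enabling « Enforce https with hostname », check your own internal services first: appliances reached by IP address over HTTPS (management interfaces, update servers) are exactly what the rule blocks, so they belong in the destination whitelist described later in this document.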
Listen address and listen port allow you to define on which address and port the service will listen.
« Display web page error when reloading databases » displays a web error page until the blacklist databases are fully loaded in memory (by default, when reconfiguring or reloading, the service needs around 15 seconds to be ready).
« Display web page error when encounter service errors »: if the service failed to load or is down/unavailable, an error page is displayed until it is up.
Use a remote server / centralize Web filtering with UfdbGuard
This configuration allows you to run the UfdbGuard service on a remote computer.
There are benefits to using this configuration.
Benefits in single proxy mode:
Filtering processes and memory are located on the remote server, which preserves performance.
When saving rules and working with databases, the proxy service is not reloaded.
Benefits in multiple proxy mode / load balancing mode:
Rules are centralized on the Ufdbguard service server.
The « Artica statistics appliance » enables this configuration.
Enable UfdbGuard service on Artica statistics Appliance
Create your statistics appliance (see the « Internet Proxy Statistics Appliance » section).
On the statistics appliance, install the ufdbGuard service through the Setup Center or by command line using:
/usr/share/artica-postfix/bin/artica-make APP_UFDBGUARD
Click on the « UfdbGuard Web filter » icon under the « Service Parameters » section.
- Enable the « Enable TCP/IP sockets » checkbox.
- Define the listen address or set it to all.
- Define the listen port or keep the default one.
Enable UfdbGuard service on Proxy client
Select the same parameters but use the « Client parameters » tab.
This defines the parameters of the UfdbGuard redirector hooks.
The UfdbGuard client is the process that creates the link between the UfdbGuard service and the proxy.
Enable « Use a remote Ufdbguard server » and define the server address and port.
Streaming Cache
Streaming Cache is a feature that allows you to:
- Cache Youtube videos.
- Define relationships between MAC addresses and members when using UfdbGuard.
Streaming flows cannot be cached by the proxy.
If several users request the same video, this video will be downloaded for each user.
The objective of this module is to save videos on a defined storage for a defined period, in order to serve them directly from the internal network instead of re-downloading them.
Benefits:
Videos are saved locally; if several users try to download the same video, all requests are served directly from the internal web server.
It saves bandwidth because the video is downloaded only once.
Limitations:
This feature transforms the Youtube process in this way:
The user needs to wait until the video has been fully downloaded by the server before it is displayed.
If the user needs to see the video from a specific time, the server will download a specific file from the requested time.
Using Streaming Cache:
In the Web filtering section, click on the « Streaming Cache » option in order to enable it.
Click on « Service Parameters » and select the « Streaming Cache Parameters » icon.
- Enable the « Enable Youtube Caching » checkbox.
- Define the web server (a remote Artica Statistics Appliance or the local Proxy web server).
- Define the storage directory and the TTL of the cache for each stored video.
Using Streaming Cache for linking MAC addresses and users
This feature addresses this need:
« I want to create rules according to user accounts but I do not need to authenticate them.
Each user has one or several dedicated workstations to surf on the Internet.
I use DHCP so I cannot define rules according to IP addresses. »
So if in your case 1 user => x dedicated workstations, this feature is for you, without defining any authentication method.
This feature only supports UfdbGuard as the main Web filtering engine.
To use this feature, enable Streaming Cache (you can also disable Youtube caching if you do not need it).
Create the MAC Addresses/Members relation table
Click on the « Groups » tab and the « Mac addresses/Members Linker » tab.
Members are stored in the LDAP database, so you first need to create your members inside your organizations or use the « New Member » button.
Click on « New Computer » to create a relation between a computer and a member.
Set the member of the new computer (click on Browse in order to search for it).
Define the computer name and set the MAC address.
The MAC address is the most important data; you need to be sure that it is the correct one.
Webfilter: The default rule
The default rule is a "locked" rule. You cannot delete it or add a group inside it.
This rule is used when no other rule is matched.
It can be the main rule if you want to block/allow websites for all users without needing to specify groups.
Rules and groups
You can create several rules according to the groups that hold users.
You have 3 group types.
LDAP Group:
An LDAP Group holds users added into the Artica LDAP internal database.
When compiling rules with an LDAP group, Artica will search all users of the group and compile a dedicated rule.
Virtual Group:
A virtual Group is designed to store IP addresses, LDAP users or Active Directory users.
It is used to create a group from several member sources.
Active Directory Group
If you have connected your proxy to a Microsoft Active Directory (see the Microsoft Active Directory connection section), you will be able to add specific Active Directory groups.
Add a web filtering group
In the Web filtering section, select the "groups" tab.
Click on the green cross on the group table to add a new group.
Use the "Filter group mode" drop-down list in order to define the group type.
Depending on the group type, you will be able to define the group name and/or the group id.
Need a "mixed" group
If you need to add a group with mixed users (IP addresses, Active Directory users, LDAP users), use the "Virtual group".
Select the added « Virtual group » and click on the members tab.
Use the green cross to insert items in this group.
Use the drop-down list in order to select an IP address or a login account (either an Active Directory or an LDAP user).
Create a Web-filtering rule
After creating groups and defining users inside groups, add a web-filtering rule that will handle a single group or several groups.
- Use the "Rules" tab to create Web-filtering rules.
- The first time, only the "Default" rule is set.
- Click on the green cross in order to add a new rule.
Define the name of your new rule, select the "filtered" mode and enable it.
Click on the "Add" button.
The new rule is added to the main table.
- Click on it in order to add the groups you created.
- Select the "groups" tab.
- Click on the green cross in order to insert a defined group.
A new form displays the added groups in a table.
Click on the green cross on the right side in order to add a group into your rule.
Webfilter Time Rules:
Web filter rules allow you to create several rules that include blacklists and whitelists according to the time of the week or in global mode.
A rule can be enabled for a set of users.
These users should be allowed or banned from browsing websites according to general rules or time.
This graph can be displayed by this table in Artica.
WhiteIist or BIackIist usersjwebsites .
Whitelist/blacklist is a global configuration that ban or pass trough users according their lP address or MAC address.
lt is usefull for example to allow some MAC addresses to not be filtered in any situation (VlPs or servers or updaters).
On the main section that list your web filter rule, you have 4 icons.
First is to ban computers, second is to allow computers, next will ban or allow according destination web lnternet servers near each
icon the toolbox display the items number added into rules.
ßunn,Attow ct¡ents
Click on the icon according if you need to ban or to allow a
computer.
You can add :
1 A MAC Address (if the proxy allow this token).
1 An lP address or a subnet or a range.
Add MAC oddresses :
Click on the MAC Address icon and set the MAC Address used
by the compter you need to allow/ban
Note : lf the proxy does not allowe to understand MAC addresses, you
will receive a popup notification.
Add IP addresses :
Use the IP address button.
IP address: matching is done based on the client's IP address.
- 172.16.1.0/24 - refers to the whole network with address 172.16.1.0
- 172.16.1.25/32 - refers to a single source
- 172.16.1.25-172.16.1.35/32 - refers to the range of IP addresses from 172.16.1.25 to 172.16.1.35
You can temporarily enable/disable the item by clicking on the checkbox, or delete the item by clicking on the red cross.
Filtering by MAC address is not supported if you use DansGuardian as the main Web filter engine.
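The three client notations above are the same ones Squid accepts in a src ACL. The Python below is an added example, not Artica's own code: it parses the three forms, honours the enable/disable checkbox, and evaluates a client address against constructed ban/allow lists (checking the ban list before the allow list is an assumption of the example, not a documented Artica order).

```python
import ipaddress


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # strict=False lets "172.16.1.25/24" mean "the /24 containing 172.16.1.25"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_entry(entry: str) -> tuple:
    """Return the inclusive (first, last) integer address span of one client
    entry written in the three notations the page lists:
        172.16.1.0/24                whole network
        172.16.1.25/32               single source
        172.16.1.25-172.16.1.35/32   range; the mask applies to both ends
    A bare address with no mask is taken as a single host (/32)."""
    addrs, _, mask = entry.strip().partition("/")
    lo, _, hi = addrs.partition("-")
    mask = mask or "32"
    hi = hi or lo
    first = int(_net(lo, mask).network_address)
    last = int(_net(hi, mask).broadcast_address)
    if first > last:
        raise ValueError(f"range end precedes range start: {entry}")
    return first, last


class ClientFilter:
    """Constructed model of the page's ban/allow client lists. Each item is a
    (entry, enabled) pair; an unchecked item (enabled=False) stays in the list
    but is ignored, as the checkbox does. Checking the ban list before the
    allow list is an assumption of this example, not a documented Artica order."""

    def __init__(self, banned, allowed):
        self.banned = [parse_entry(e) for e, enabled in banned if enabled]
        self.allowed = [parse_entry(e) for e, enabled in allowed if enabled]

    @staticmethod
    def _hit(spans, ip: int) -> bool:
        return any(lo <= ip <= hi for lo, hi in spans)

    def decision(self, client_ip: str) -> str:
        ip = int(ipaddress.ip_address(client_ip))
        if self._hit(self.banned, ip):
            return "banned"    # denied for every request
        if self._hit(self.allowed, ip):
            return "bypass"    # VIP/server/updater: web-filter rules skipped
        return "filtered"      # ordinary client: the web-filter rules apply


if __name__ == "__main__":
    # constructed sample lists: one banned range, one allowed /24, one disabled item
    f = ClientFilter(banned=[("172.16.1.25-172.16.1.35/32", True)],
                     allowed=[("172.16.1.0/24", True), ("10.0.0.0/8", False)])
    for client in ("172.16.1.30", "172.16.1.40", "10.1.2.3"):
        print(client, "->", f.decision(client))
```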
Ban/allow destination websites
This feature allows a destination website to bypass all security rules:
- If user authentication is enabled, the proxy does not display the authentication popup for the website.
- The website will not be analyzed by the URL filtering engines.
On the opposite side, a banned website will be banned for all users and for any request.
Note : A whitelisted Internet domain will bypass the Streaming Cache feature too.
If you whitelist Youtube, videos will not be cached through the Streaming Cache feature.
Microsoft Active Directory connection
You can connect your proxy server to your Windows Active Directory server.
There are several benefits to using this architecture :
1. User accounts will be displayed in statistics.
2. You will be able to create web filtering rules according to Active Directory groups or users instead of using IP addresses.
The connection system is able to use the NTLM mode, so no username/password login popup will be displayed if users are
logged on to the Microsoft Windows Domain.
To perform this operation, Artica allows you to connect your proxy if your server stores the "msktutil" and "squid_kerb_auth" or
"negotiate_kerberos_auth" or Samba binaries.
If these binaries are installed on your server, this means the server is ready to be connected to an Active Directory server.
Note that you cannot use "transparent" mode if you are using the Active Directory authentication mode.
If you are using the Artica Appliance ("Artica For Squid Appliance" or "Artica For Kaspersky For Squid Appliance"), these tools are already
installed on the system.
The Active Directory connection settings are found in the Main Cache parameters, "Users:Interactions" tab.
Click on the icon "Squid Kerberos Authentication".
Squid Kerberos Authentication allows integrating Squid authentication with a Microsoft Active Directory server 2003/2008.
Your Windows user must be a member of the "SQUID_USERS" group in Active Directory.
Both Windows machines should be able to ping the Linux server by name (and vice versa), and you may need to run "ipconfig
/flushdns" at times.
A reboot may help too, if you want to be really sure there's no cruft hanging around.
For Windows 2008 server you need to install Hotfix 951191.
Artica displays a new popup that allows you to define the main settings in order to access the Windows Active Directory server.
Enable the option "Enable authentication via MS Windows".
Your Active Directory server must have a fully qualified hostname, e.g. "ad.domain.tld".
Set the second part (the domain of the hostname) in the "Windows server DNS suffix" and the first part in the "Windows server
netbiosname".
Set the NetBIOS domain (workgroup) in NT4 mode in the "Netbios AD Domain" field.
Define the Windows Active Directory version (Windows 2003 or Windows 2008 with AES).
Define the Active Directory username and the password that is allowed to connect to the domain.
After clicking on Apply, the proxy should be part of the Windows Active Directory.
Note:
1) Your proxy FQDN must have the same domain as your Active Directory: if your
Active Directory is named ad.domain.tld, your proxy hostname must have
domain.tld as suffix.
2) Your proxy hostname must be resolved by your Active Directory: if your proxy is
named proxy.domain.tld, both the "proxy.domain.tld" and "proxy" names must be
resolved.
3) The system clock between the Active Directory and the proxy must not differ.
4) The proxy computer name must be added in the Active Directory computers
organization.
If the connection to the Active Directory fails, an error is generated on the web administration pages :
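Points 1) to 3) of the Note can be verified before clicking Apply. The Python below is an added example, not Artica's own code; the 300-second clock-skew tolerance (Kerberos' usual default) and the table_resolver helper used for offline testing are assumptions of the example.

```python
import socket
import time

# Kerberos' customary clock-skew tolerance. This is an assumption of the example;
# the page only states that the two clocks "must not differ".
MAX_CLOCK_SKEW_SECONDS = 300


def dns_domain(fqdn: str) -> str:
    """'proxy.domain.tld' -> 'domain.tld' (lower-cased, trailing dot removed)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[1:])


def table_resolver(table: dict):
    """Build a resolver from a constructed name->address table so the check can
    run offline; unknown names raise OSError like socket.gethostbyname does."""
    def resolve(name: str) -> str:
        if name not in table:
            raise OSError(f"unknown host {name}")
        return table[name]
    return resolve


def check_ad_prerequisites(proxy_fqdn: str, ad_fqdn: str,
                           resolve=socket.gethostbyname,
                           ad_clock=None, now=time.time) -> list:
    """Return a list of problems for preconditions 1) to 3) of the Note above
    (an empty list means all three hold). `resolve` and `ad_clock` are injectable;
    by default the system resolver is used and the clock check is skipped when no
    Active Directory time is supplied."""
    problems = []
    # 1) the proxy FQDN must carry the Active Directory domain as its suffix
    if dns_domain(proxy_fqdn) != dns_domain(ad_fqdn):
        problems.append(f"proxy suffix '{dns_domain(proxy_fqdn)}' differs from "
                        f"AD domain '{dns_domain(ad_fqdn)}'")
    # 2) both the FQDN and the short host name must resolve
    short_name = proxy_fqdn.split(".")[0]
    for name in (proxy_fqdn, short_name):
        try:
            resolve(name)
        except OSError:
            problems.append(f"'{name}' does not resolve in DNS")
    # 3) the clocks must agree, otherwise Kerberos rejects the tickets
    if ad_clock is not None and abs(now() - ad_clock) > MAX_CLOCK_SKEW_SECONDS:
        problems.append(f"clock skew exceeds {MAX_CLOCK_SKEW_SECONDS}s")
    return problems
```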
Create the GPO :
Run "gpedit.msc"
Prevent users from changing Internet Explorer settings :
Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer
Double-click "Disable changing proxy settings" or "Disable changing connection settings" and set it to Enabled
Change proxy settings :
Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection
Set "Proxy Settings"
If you wish, you can also back up to URLs and configure a uniform default home page...
When you run gpupdate and gpresult /v or mmc/RSOP from the MS-DOS command line, the correct policies and settings must
appear.
Geek mode :
When enabling the Active Directory authentication, the framework uses « exec.kerbauth.php »:
php5 /usr/share/artica-postfix/exec.kerbauth.php --build --verbose
in order to see details.
Network Tips And Configurations
Example 1: Using 2 gateways / transferring requests to a second gateway
My architecture already includes a transparent proxy for access to the Internet.
But the transparent proxy does not reflect my needs.
The network on my server is defined to use the default gateway.
This default gateway is designed to transfer requests to the upstream transparent proxy.
I need to force the proxy to use the router directly for Internet access.
The procedure is to use 2 network interfaces.
The real interface, 192.168.1.197, uses the default gateway.
The next task is to create a « Virtual Interface » : 192.168.1.207.
This virtual interface will be forced to use the router « 192.168.1.1 » as its default gateway.
The final task is to force Squid to listen on the 192.168.1.197 interface and transfer requests to the virtual interface 192.168.1.207 in order to use the
192.168.1.1 router.
Create the Virtual Interface
- Go into the Network section through Artica.
- Select the « Main Interfaces » tab.
- Select the « Network Interface cards » tab.
- Choose the main interface and click on the green cross in order to create a virtual interface with the duplicated parameters.
A new popup is displayed with the same network parameters as the main Network Interface.
Change the « TCP Address » according to your needs.
Modify the « Gateway » address.
Check the « Force Gateway » check-box in order to force this virtual address not to use the same default gateway for the same network.
Click on the « Virtual Network Interfaces » tab and click on « Apply network configuration » in order to restart the network.
Wait a few moments...
Change proxy settings
Return to the proxy section.
Click on the « Main Parameters » tab.
Click on the « Listen address » icon.
Choose the main interface for the « Listen address ».
Choose the virtual interface for the « Forward address ».
Click on the « Apply » button and wait for the proxy to restart.
Internet Proxy Statistics Appliance
The Internet Proxy Statistics Appliance is a feature that allows your proxy to send events to a remote server for centralized settings and statistics calculation.
In this case, the statistics tasks will not be in charge of your proxy servers but of a task designed for the remote statistics server.
The statistics server will be in charge of :
- Centralizing and building Web filtering rules.
- Downloading/updating the categories databases.
- Calculating statistics.
Create the Web statistics appliance.
Install a new Artica server
You do not need to install other applications. Just Artica and the mandatory packages (through setup-*).
You can use any Artica system. The statistics appliance feature is installed on all Artica appliances.
Click on the Mysql service item on the left menu.
On the Mysql tab, scroll down to view the "Statistics Appliance" icon.
On the popup, turn the "Internet Proxy Statistics Appliance" to green.
If you enable this feature, this server will be able to receive events from another Artica proxy or a Squid 3.2/3.1x proxy.
This server will execute specific calculation tasks in order to serve Internet usage charts and graph statistics.
Use the Internet Proxy Statistics Appliance on the client proxy
Open the Proxy section and select the « Main parameters » tab.
Choose the « Use statistics Appliance » icon.
Enable the check box « Use a statistics remote server ».
Give the IP address/hostname of the Internet Proxy Statistics Appliance.
Enable « Send System events logs to this server ».
This feature (« Internet Proxy Statistics Appliance ») disables the Squid events parsing task and the remote Mysql logs injection on the proxy. These become the remote server's task.
Give the Web administration SSL port of the remote statistics Appliance in the listen port field.
Click on « Apply ».
On the Web statistics Appliance, you will find a new item « Proxy statistics ».
Click on it.
Select the « Parameters » item > « Production servers ».
You will find your proxy server in the list.
Repeat this procedure on all proxies installed on your farm.
Update configuration on all proxies