On Thu, 30 Oct 2003 trainier@kalsec.com wrote:
> The first is authentication. That howto specifically says that you cannot
> use authentication via transparency.
Correct.
Interception abuses fundamental TCP/IP design properties, and can not
solve all problems. It is generally an evil hack.
> The sole purpose of us using the proxy is for authentication.
Then you need to investigate other means of getting the users to use the
proxy.
There is
* WPAD
* Proxy-PAC files
* Manual browser proxy settings
* Blocking access to port 80 and 443, giving an error message
instructing the user to reconfigure their browser to enable one of the
above. (same technique as interception, but sending the traffic to a web
server instead of the proxy).
* Automatic login script settings to have the above settings done
automatically at login time. This method is used in many corporate
environments to automate the above.
> The second is because of https. We have to allow https traffic, as well.
As above..
> Can anyone please verify these two pieces before I tell my boss no? :-)
The information you have found is correct. Not much to add.
But it is not the end of the world. In the long run you will be better of
if you don't go for interception anyway.
Regards
Henrik
Received on Thu Oct 30 2003 - 10:04:56 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:46 MST