Squid Proxy and NAT

Devilpapaya

Member
Apr 11, 2010
So I work for a university (or rather, a division of one) and we are looking to take a large number of machines off of our public IP set and put them behind a proxy.

This should be simple enough, but bureaucracy fails again. We do not have direct control over our network, so we can't just put a NAT device between our building and the larger University network. Also the networking guys don't exactly like us, so we really don't want to deal with them.

So my question is then, is it possible to use a proxy server that is not directly in between the client and the larger network to provide a NAT-type function by directing the local network traffic to the proxy whenever it needs to access the external network/internet?

So far I've been able to get http proxy access to the internet through this type of system but have been unable to get https (needed for email) to work.

So first, I guess, is it possible to configure Squid to do this? We can talk more technical configurations if someone has seen something like this work.

Thanks
 

Nothinman

Elite Member
Sep 14, 2001
Squid should "just work" no matter where it is on the network. If you don't have control over the firewall at the border it'll be a lot harder to enforce, but it should still work.
 

Devilpapaya

Member
Apr 11, 2010
For anyone who cares I got it working. The key is that it can't be in transparent (interception) mode.

This means I have to configure client machines to connect to the proxy, rather than redirecting them to the proxy without the client being aware.

Apparently redirecting through a transparent (interception) proxy is technically "illegal" or "violates TCP/IP standards" or some BS like that. I guess this makes it impossible to support SSL or any other secure connection protocol over the proxy, as the secure connections are set up to prevent MitM attacks.

Also even if you could get it working that far you'd need to have the network configured in such a way to open security holes to IP Address spoofing attacks... So bad ideas all around.
 

Nothinman

Elite Member
Sep 14, 2001
That doesn't seem right, IIRC Barracuda's recommended operating mode is transparent.
 

Devilpapaya

Member
Apr 11, 2010
That doesn't seem right, IIRC Barracuda's recommended operating mode is transparent.

I don't know much (or anything) about Barracuda. However, maybe my last post was a bit vague. Transparent mode would work if I could put it in-line on the network (aka, have it, in a physical sense, be between the clients and the internet and have the proxy as the DHCP default gateway for the clients). Unfortunately, as I mentioned, we have no control over the network's physical layout (even at the subnet/VLAN level), so the proxy has to sit on the same level as the client machines.

This means that to default-route the traffic through the proxy (without clients being aware) I have to redirect traffic via a switch/router. This breaks the TCP/IP protocol rule of routing packets directly to their intended destination (telling a client to go through a proxy doesn't violate this). Since the client has no way of being aware of the redirect, it doesn't send the correct header information and secure connection protocols cannot establish a connection. Non-secure protocols seem to do okay though.
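The working setup the thread arrives at (an explicit, non-intercepting Squid that clients are configured to use, with HTTPS carried via CONNECT tunnels) can be expressed as a minimal squid.conf. This is an added example, not the poster's configuration; the listen port 3128, the 10.0.0.0/8 client range and the intercept port 3129 are assumed placeholders.

```conf
# --- Explicit forward proxy: the mode that carried HTTPS in this thread ---
# Clients are pointed at proxy:3128 (browser/OS proxy setting or WPAD), so a
# browser opening https://mail.example opens "CONNECT mail.example:443" to
# Squid and the TLS session is tunneled end-to-end, untouched by the proxy.
http_port 3128

# Assumed client network; replace with the real subnet.
acl localnet src 10.0.0.0/8

# Ports we are willing to tunnel with CONNECT (only TLS).
acl SSL_ports port 443

# Ports we are willing to proxy at all.
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports

acl CONNECT method CONNECT

# Refuse anything outside Safe_ports, and refuse CONNECT to non-TLS ports
# so the tunnel cannot be used to reach arbitrary services.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Let the local clients through, deny everyone else.
http_access allow localnet
http_access deny all

# --- Interception mode: what the thread found does NOT work for HTTPS when ---
# --- the proxy is not in-line and traffic is redirected by a switch/router. ---
# In this mode Squid never receives a CONNECT; it sees raw TCP the client
# addressed to the origin server. For port 80 that is recoverable from the
# Host header, but a redirected TLS handshake has no CONNECT request for
# Squid to act on, so the secure connection fails. Left commented out.
# http_port 3129 intercept
```

To verify the explicit path from a client, `curl -x http://proxy:3128 https://example.com/` should succeed and the corresponding access.log line should show the method as CONNECT.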