How to setup proxy server with multiple routes to inet

[MaJoR ChAoS]

I need to setup a proxy server that has 2 routes to the internet.

by default I want all users to be routed to a proxy server at main office. the main office proxy does all the web filtering etc. On the main office proxy they block facebook etc., but in 1 or 2 branch offices I need to route facebook and a few other banned sites to the office ADSL.

Can ISA or Forefront do this, or do I need a 3rd party program?

[fusi0n]

Have you looked into m0n0wall?

[sc302 Veteran]

pfsense multi wan

http://doc.pfsense.o...N_Version_1.2.x

or cisco rv082 or rv042

http://www.amazon.co...r/dp/B0000ZI1FG

http://www.amazon.co...28239419&sr=1-2

or barracuda link balancer

http://www.barracuda...link_models.php

Not sure if you are going to be able to route specific websites through one link or the other. The barracuda will do ip ranges and subnets, but not specific websites.

[MaJoR ChAoS]

^{thanks for reply's. I had a quick look at them and they seem to offer dual wan or load balancing. I'm more after having a proxy that sits in an office and has a white/allow list. When user A surfs the net the proxy will look at the URL, if it is facebook.com then it will be routed through the local office adsl, if anything else not on the allow list then it gets routed to the main office proxy which is filtered etc.}

[sc302 Veteran]

good luck with that.

[TurboTuna]

In theory - you could setup pfSense with squid, and then set the upstream proxy to your office proxy. Once you've got that setup, you can exclude specific IP Addresses from using squid and therefore, making it a direct connection.

I've never tried it and im just guessing...

[+BudMan MVC]

"I need to route facebook and a few other banned sites to the office ADSL."

Well that could be as simple as telling your browser not to use the proxy for that url/ip

Are you using a explicit browser setup, ie do your browsers point to the proxy at the head office or use a pac file to get pointed to it? Or is it a transparent setup where you default route for internet traffic it to the head office and use the proxy with no setup on your browser?

[MaJoR ChAoS]

"I need to route facebook and a few other banned sites to the office ADSL." Well that could be as simple as telling your browser not to use the proxy for that url/ip Are you using a explicit browser setup, ie do your browsers point to the proxy at the head office or use a pac file to get pointed to it? Or is it a transparent setup where you default route for internet traffic it to the head office and use the proxy with no setup on your browser?

It's transparent. We need for the manager at each location to be able to setup an exclude list (ie; in 1 office they may want people to go to facebook, youtube. In another office they may want filehippo or torrents to be excluded from the proxy). There are literally 200 + pc's or more combined at several locations.

My situation is I can't know in advance what web sites will or won't be included in the proxy exclude list. There are to many ip's for me to manually to enter into the list. I was hoping there was some easy application that by default passes everything through main proxy but I could enter the web sites I want to go directly to the net.

[+BudMan MVC]

Who controls the proxy? And what proxy is it? Something like websense is easy to manage like this, you create policies. And base on category vs each site. And just have to deal with exceptions to the categories vs each site url.

What proxy / web filtering solution are using?

[Sgutta]

try proxifier,

suggest use different browsers for diff sites (black list and white list) hence easy to configure in proxifier.

proxycap, ccproxy combination is also not bad to try.

[MaJoR ChAoS]

I'm not sure what the corp use for their proxy, would be too much effort to get them to configure it so for a few branches.

My only option is to find a way around the corp proxy.

I'll give proxifier etc a go.

[+BudMan MVC]

So what asking them how to help their users -- your all part of the same corp are you not?? Is too much bother.. But trying to circumvent a policy they have in place for the good of all the users is fine??

Creating a policy for managers vs users, or engineers vs hourly is pretty freaking straight forward and one of the main reasons the correct tools are used by corps. Do you think the VIPs of the corp are not going to want to check their fantasy teams?

So you go to a bad blocked site and what happens?? You get nothing telling you its blocked - just does not work? This block page should tell you what they are using. If NOT ASK THEM!!!

Here is some advice, its much more fun to play in the big corp sandbox then your little tiny sandbox!! You are going to be much better off working with corp vs trying to circumvent their policies.

[MaJoR ChAoS]

I have approval from the higher up to do it, without going into who I work for I'll just say that I work for a giant corp with literally 10,s of thousands of pc's (gov). There is not a snow flakes chance of me getting them to fiddle with their corp proxy which handles a massive gov department just so I can get a few (small) government branches their own ADSL access to circumvent corp proxy. (the place I work in only has 50-100 pc's)

Like I said, I have permission. I just can't involve corp office as they would be pretty busy I imagine.

There are 2 branches I deal with. Each branch has 50-100 pc's. The Government has given me permission to do it lol but they want by default all traffic to go through their corp proxy (makes sense as they after all need to control who is going where and doing what on the net), however, the Government has put in place managers at each branch who have the authority to put on ADSL but I need to control the handful of sites that are put on the allow list.

Like I said, I have permission, it's perfectly legit. However it isn't a fundamental requirement that ADSL be in place, just that these 2 managers have decided and got approval to have their own ADSL as long as the managers supervise usage.

I can't involve corp as I'm sure they have better things to do with managing a massive system and don't have the time to ass about with me and 2 managers so we can add sites like facebook, youtube , and a dozen other such sites to exlude lists. Also, the exclude list is likely to grow at the managers whims and I'm certain corp won't appreciate me emailing them every week with an updated list for them to add to the proxy that only affects my 2 branches.

So you see my predicimate and why I am here.

[TurboTuna]

I have approval from the higher up to do it, without going into who I work for I'll just say that I work for a giant corp with literally 10,s of thousands of pc's (gov). There is not a snow flakes chance of me getting them to fiddle with their corp proxy which handles a massive gov department just so I can get a few (small) government branches their own ADSL access to circumvent corp proxy. (the place I work in only has 50-100 pc's)

Like I said, I have permission. I just can't involve corp office as they would be pretty busy I imagine.

There are 2 branches I deal with. Each branch has 50-100 pc's. The Government has given me permission to do it lol but they want by default all traffic to go through their corp proxy (makes sense as they after all need to control who is going where and doing what on the net), however, the Government has put in place managers at each branch who have the authority to put on ADSL but I need to control the handful of sites that are put on the allow list.

Like I said, I have permission, it's perfectly legit. However it isn't a fundamental requirement that ADSL be in place, just that these 2 managers have decided and got approval to have their own ADSL as long as the managers supervise usage.

I can't involve corp as I'm sure they have better things to do with managing a massive system and don't have the time to ass about with me and 2 managers so we can add sites like facebook, youtube , and a dozen other such sites to exlude lists. Also, the exclude list is likely to grow at the managers whims and I'm certain corp won't appreciate me emailing them every week with an updated list for them to add to the proxy that only affects my 2 branches.

So you see my predicimate and why I am here.

It would take corporate all of 3 minutes to setup an exclusion for the users. or even the entire subnet range.

In retrospect, its going to take you hours to find a solution, even longer to implement it - and then what happens when you have to support and troubleshoot it? You clearly don't know enough of how routes work to as you've posted here asking how to do it - what happens when it goes down and takes our all internet access? You're in the ****, thats what.

If you're going to do it, do it correctly.

[dann23]

I need to setup a proxy server that has 2 routes to the internet.

by default I want all users to be routed to a proxy server at main office. the main office proxy does all the web filtering etc. On the main office proxy they block facebook etc., but in 1 or 2 branch offices I need to route facebook and a few other banned sites to the office ADSL.

Can ISA or Forefront do this, or do I need a 3rd party program?

You can do it with forefront tmg or isa server. I can help if you want.

[MaJoR ChAoS]

It's an assignment. you would think someone would have come up with a program to easily do it. it's not like it's a complex idea.

too hard basket, not going to bother.

[TurboTuna]

It's an assignment. you would think someone would have come up with a program to easily do it. it's not like it's a complex idea.

too hard basket, not going to bother.

Do your homework on your own...

But somebody has come up with a program to do this...It would already be inplace at your 'location' and the change is trivial.