Wireless Access

MVP

Best way to force guests to use a proxy?

At several customers their guests are required to use a proxy server to browse the web.
Having guests with a multitude of browsers needing to set their proxies is a support nightmare though.

For IE users, setting DHCP option 252 with the correct wpad.dat (proxy.pac) file helps, but the user still needs to have checked the "automatically detect settings" button in IE's proxy config screen.
Firefox users are even 'worse' since Firefox doesn't listen to the DHCP option but wants DNS instead. Now I can't get the controller to serve http://wpad/wpad.dat and adding an extra webserver just to serve

So onto my question.. is there no other solution where I can redirect any and all HTTP traffic to a proxy without any user intervention? If this isn't possible, how do I get Firefox and other browser users to the proxy with as little configuration as possible and no extra servers (like IE's 1 checkbox)?
Is this solvable at all?
Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Proxy

Koenv,

Looks like you did your homework.

If you have a transparent proxy, the easiest way to get users to it is to write a firewall policy that destination NATs any port 80 traffic to the IP address and port of the proxy and apply it to that user role. In this example, the proxy is at 10.1.1.50 on port 8080.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Best way to force guests to use a proxy?

Well, we are in the process of redirecting users to T Proxy and would probably use the below rule too.

What is ESI Group? I thought of using that instead of NAT.
In the CLI, it has a lot of options to be configured, and we are planning to do it this way:

esi server Tproxy
trusted-ip-addr 166.87.255.15
mode nat
dport 80

Then
MVP

Re: Best way to force guests to use a proxy?


Koenv,

Looks like you did your homework.

If you have a transparent proxy, the easiest way to get users to it is to write a firewall policy that destination NATs any port 80 traffic to the IP address and port of the proxy and apply it to that user role. In this example, the proxy is at 10.1.1.50 on port 8080.




I'm confused. As soon as I have my controller dst-nat anything.. how will the proxy that comes after that know what website I was trying to reach?
Say my guest tries to reach http://google.com. If we have the controller dest-nat that traffic to the proxy, that traffic arrives at the proxy like it was destined for the proxy and not Google, right? It won't know where to forward this traffic.

Or am I misunderstanding what a transparent proxy is exactly?

And sorry Ghubari, never heard of ESI group before.
Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Transparent Proxy

Wikipedia explains it better than I ever could: http://en.wikipedia.org/wiki/Transparent_proxy#Transparent_and_non-transparent_proxy_server

To make it short, the proxy maintains a list of requests and makes requests on behalf of the clients that have made requests. When the request returns from the web to the proxy, it delivers it to the client.


Colin Joseph
Aruba Customer Engineering
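
How a transparent proxy can recover the destination after the controller's dst-nat has rewritten the IP, shown as an added example that is not part of the original posts: a plain HTTP request still names the site in its Host header. The names `upstream_target`, `BadRequest`, `ALLOWED_PORTS` and the sample request are assumptions made for this illustration; because the Host header is client-controlled, the sketch also refuses other ports and literal internal addresses.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_PORTS = {80}  # assumption: the dst-nat rule only intercepts plain HTTP


class BadRequest(Exception):
    """The request does not name a destination this proxy will fetch."""


def upstream_target(raw: bytes) -> tuple[str, int, str]:
    """Recover (host, port, path) from a request that was dst-NATed to the proxy."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *headers = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    target = parts[1]
    hosts = [h.split(":", 1)[1].strip() for h in headers if h.lower().startswith("host:")]
    if target.lower().startswith("http://"):
        # absolute-form: sent by a client that knows it is talking to a proxy
        url = urlsplit(target)
        authority = url.netloc
        path = (url.path or "/") + ("?" + url.query if url.query else "")
    else:
        # origin-form: the client believes it reached the web server, so the
        # Host header is the only record of where it wanted to go
        if len(hosts) != 1:
            raise BadRequest("need exactly one Host header")
        authority, path = hosts[0], target
    if not authority or "@" in authority:
        raise BadRequest("bad authority")
    try:
        parsed = urlsplit("//" + authority)
        host, port = parsed.hostname, 80 if parsed.port is None else parsed.port
    except ValueError:
        raise BadRequest("bad authority") from None
    if not host or port not in ALLOWED_PORTS:
        raise BadRequest("destination not allowed")
    try:
        # Host is client-controlled: refuse literal internal addresses
        if not ipaddress.ip_address(host).is_global:
            raise BadRequest("internal address")
    except ValueError:
        pass  # a hostname, not an IP literal; re-check the address after DNS resolution
    return host, port, path


# Constructed sample: what a guest's browser sends for http://google.com/search?q=aruba
GUEST_REQUEST = b"GET /search?q=aruba HTTP/1.1\r\nHost: google.com\r\nUser-Agent: constructed-sample\r\n\r\n"
```

An HTTP/1.0 request with no Host header carries no destination at all once the IP has been NATed, which is why the function rejects it rather than guessing.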


Occasional Contributor II

Re: Best way to force guests to use a proxy?

Hi guys, I've configured a rule below the standard mswitch rule inside the captiveportal policy to NAT the traffic to the proxy server; however, a packet capture shows the wifi client sending the traffic direct to the resolved IP of the website, not the proxy server.

Can anyone help diagnose why this NAT rule is not working?

Thanks

user mswitch svc-https dst-nat 8081

user any svc-http dst-nat ip 163.8.85.68 8080 <-- this is our proxy and its IP

user any svc-https dst-nat 8081
Guru Elite

Acl Hits

Type "show acl hits" on the command line to see what rule you are REALLY hitting for HTTP(S).


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Best way to force guests to use a proxy?

One single lonely hit. That doesn't seem right though, as I was sending wireless traffic destined for the internet which should have hit that rule...
Guru Elite

Role

What Role is the user in (show user)? When you find out that role, type "show rights " to see what firewall policies are assigned to that role.

From the firewall policies, it seems that you are adding the redirect to the "logon" role for that user. You might want to add those policies to the resultant "guest" role that the user gets AFTER logging in.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Best way to force guests to use a proxy?

OK, great, I'll check that - just waiting for the wireless device to come into the office :) I'll let you know. Thanks