Hi
I have a problem with my setup.
I have a Clearbox running ClearOS 6.3 and I have two different LANs defined.
1 LAN and 1 HotLAN
The reason for this is that the clients on the HOTLAN should not be able to see or communicate with the clients on the LAN.
The problem now is that the clients on the HOTLAN do not have to enter a username/password to be able to access web-content on the Internet.
User authentication is enabled
Transparent mode is disabled
The users on the normal LAN have to use a username/password via the proxy server to access web content on the Internet.
My question now is: how do I force users on the HOTLAN to enter a username/password for web content?
I have traced the traffic from the clients on the HOTLAN and the traffic is going through the proxy.
Accepted Answer
This is by design. The proxy is NOT enabled on the HOTLAN because if it was then users on the HOTLAN could surf the LAN. Basically, the ClearOS server is trusted to the LAN and can communicate with it freely. If you use the server as a proxy then surfing is a trusted activity for the server itself and users on the HOTLAN would be able to surf the LAN. As you stated...
"The reason for this is that the clients on the HOTLAN should not be able to see or communicate with the clients on the LAN."
Giving HOTLAN users access to the proxy means that they would be able to see and communicate with the clients on the LAN since they would be using the server as their intermediary.
You can override this behavior, however, with custom firewall rules that override the firewall redirect of ports and with overrides on the proxy server to accept proxy connections from this extra LAN but it is not part of the design nor is it a supported method because it, quite frankly, ruins the whole security paradigm of the HOTLAN.
Having a second ClearOS server just to filter your HOTLAN is a common solution. You can even virtualize it if your hardware supports that sort of thing. A service like DNSthingy would filter both networks but currently it is an either/or between this service and the content filter.
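The trust problem described in the answer above, as an added example that is not part of the original thread and is not ClearOS or Squid code: a simplified model of why a HOTLAN client blocked by the firewall can still reach a LAN host once the proxy accepts it, and of the destination check an override would need. The subnets, rule lists and function names are constructed assumptions, and the model covers only the proxied HTTP path.

```python
import ipaddress

# Constructed addressing for illustration; the thread gives no subnets.
LAN = ipaddress.ip_network("192.168.1.0/24")
HOTLAN = ipaddress.ip_network("192.168.2.0/24")

# Ordered proxy access rules (action, source net, destination net); None = any.
# First match wins, mirroring how Squid evaluates http_access lines.
OVERRIDE_ONLY = [
    ("allow", LAN, None),
    ("allow", HOTLAN, None),      # the override: accept HOTLAN clients
    ("deny", None, None),
]
OVERRIDE_WITH_DST_DENY = [
    ("deny", HOTLAN, LAN),        # refuse LAN destinations before any allow
    ("allow", LAN, None),
    ("allow", HOTLAN, None),
    ("deny", None, None),
]

def routed_allowed(src, dst):
    """Firewall view of routed traffic: HOTLAN may not reach LAN hosts."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (s in HOTLAN and d in LAN)

def proxied_allowed(rules, src, dst):
    """Proxy view: the server opens the upstream connection itself, so the
    HOTLAN-to-LAN forwarding block above is never consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if (src_net is None or s in src_net) and (dst_net is None or d in dst_net):
            return action == "allow"
    return False  # nothing matched: default deny

if __name__ == "__main__":
    guest, lan_host, internet = "192.168.2.50", "192.168.1.10", "203.0.113.80"
    print("routed   guest -> LAN host:", routed_allowed(guest, lan_host))
    print("proxied  guest -> LAN host (override only):",
          proxied_allowed(OVERRIDE_ONLY, guest, lan_host))
    print("proxied  guest -> LAN host (dst deny first):",
          proxied_allowed(OVERRIDE_WITH_DST_DENY, guest, lan_host))
    print("proxied  guest -> Internet (dst deny first):",
          proxied_allowed(OVERRIDE_WITH_DST_DENY, guest, internet))
```

In a real proxy the destination rule also has to cover the server's own LAN-side addresses and any hostname that resolves into the LAN range.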