
I am using Windows Server 2012 in which I have shared internet through NAT to a secondary LAN card using routing and remote service.
The problem is that when my clients are browsing through proxy 10.0.0.1:3128 everything goes right, but when they remove this proxy from Internet Options then they are able to browse the websites which are blocked by the proxy.

How can I redirect the client traffic to go through the proxy server only?

S.L. Barth
Neeraj Mehta
    Quick and easy: block all other connections with a firewall, only allow connections from client to proxy. Alternatively, use a transparent proxy. – Karl Hardr Feb 18 '15 at 14:57

3 Answers


If you set up a proxy as a filter, you should deny all requests that do not come from the proxy itself.

This will force users to go through the proxy or have no access at all.

Usually, users should not have access to the proxy configuration unless they are meant to change it.

M'vy
  • Could you please send me some link where I can read about it and implement it? – Neeraj Mehta Feb 20 '15 at 09:01
  • Unfortunately, I can't. It depends on your network architecture; you have to set up your switches, routers, firewall or whatever you use in your company. Find the manual and then search how to deny traffic forwarding for IPs that are not allowed. – M'vy Feb 20 '15 at 10:08

The simplest way would be to disallow IP forwarding between the internal and external interfaces. That way only HTTP/HTTPS traffic passing through the proxy will be allowed. But this simplistic solution cannot be used if non-HTTP(S) traffic must be allowed, for example SMTP, IMAP, POP or DNS. So to make it acceptable, you must set up filtering rules explicitly allowing some ports (or some machines) while forbidding HTTP(S). In medium to large organizations, you would set up mail and DNS systems that would be allowed to use those ports through the external firewall, while all client machines would only be allowed to use the HTTP(S) proxy.

The remaining is no more than my opinion. Windows 2012 Server is an excellent OS to build internal servers, because it offers rich services through AD. But to build secure firewalls exposed to the internet, I would prefer simpler systems like Linux or, even better, BSD, because they can more easily be stripped down to contain only the applications and services required for that usage: typically no X11 GUI interface, but a reliable IP filtering service (IPTABLE, IPF, IPFilter, etc.) and optionally(*) some proxies. The rationale behind that is just: the fewer services open on the bastion host, the fewer potential vulnerabilities. Of course, it highly depends on the size of your network and your knowledge: if you are an expert in securing Windows servers, and know little or nothing about basic Unix configuration, this will not be an option...

(*) As some proxies may be complex from a configuration or code size point of view, it can make sense not to install them on the bastion host itself but on another server.

Serge Ballesta
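The filtering this answer describes, as an added example that is not part of the original answers: an iptables FORWARD policy for a Linux bastion that forwards nothing from clients by default, lets a designated mail relay and internal resolver (constructed addresses) through on their ports, and logs then drops direct HTTP(S) attempts that bypass the proxy. Interface names, subnets and hosts are assumptions; with the default `IPT="echo iptables"` the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the original answers. Dry-run by default:
# run with IPT=iptables (as root) to actually install the rules.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"            # assumed internal (client) interface
WAN_IF="${WAN_IF:-eth0}"            # assumed external interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # client subnet; proxy is 10.0.0.1:3128 per the question
MAIL_HOST="${MAIL_HOST:-10.0.0.10}" # constructed: internal mail relay
DNS_HOST="${DNS_HOST:-10.0.0.11}"   # constructed: internal DNS resolver

build_forward_rules() {
  # Default policy: nothing is forwarded between LAN and WAN. The proxy runs on
  # the bastion itself, so its own traffic uses OUTPUT/INPUT and is unaffected.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  # Replies for connections that allowed hosts opened.
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only the mail relay may reach SMTP/submission/IMAP(S)/POP(S) outside.
  for port in 25 587 143 993 110 995; do
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_HOST" \
         -p tcp --dport "$port" -j ACCEPT
  done
  # Only the internal resolver may forward DNS queries.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DNS_HOST" -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DNS_HOST" -p tcp --dport 53 -j ACCEPT
  # Clients going to port 80/443 directly have bypassed the proxy: log, then drop.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
       -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "proxy-bypass: "
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j DROP
}

# Number of explicit ACCEPT rules the policy installs (1 reply rule + 6 mail + 2 DNS).
count_forward_accepts() {
  build_forward_rules | grep -c -- '-j ACCEPT'
}

build_forward_rules
```

The LOG rule gives a kernel log line per bypass attempt, which is the easiest way to find clients that have removed the proxy setting.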

Lazy man's option would be to change the gateway's IP address, and make sure it's not being set via DHCP. This way machines (without knowing the IP of the gateway) would have no access to the open internet.

P.S. Set up the proxy server itself with the appropriate IP address.

Damian Nikodem