Location of Proxy Server on Network

imported_GLO

I found this example on the web:
School Proxy server

And although I thought that proxy servers should always be at a central point on the network, the above network implies that it can be situated anywhere on the LAN as long as it is directly connected to the router.

So if this is correct I plan to implement the following:
My planned home network
which I would utilise a dedicated PC to handle the web proxy server, as well as a file server for music, pics, software and also run uTorrent or Shareaza plus weekly backups of a few PCs.

Further info: The wireless router Asus WL500g is running DD-WRT firmware and I plan to enable QoS and bandwidth monitoring/shaping. I am about to read about IP tables as I believe that this is required for the proposed set up.

The Server would be running XP Pro SP2 with something like Janaserver2 handling the proxy server. (I realise that there are a number of Linux solutions available but I want to exhaust this avenue first of all.)

Can anyone please confirm if this is completely viable in the proposed config?

Thanks in advance.
 

RebateMonger

A Web proxy server can be located anywhere in the network, as long as it can reach the Internet. If you want to be SURE that client PCs can't "override it" and talk directly to the Internet, then it's safest if you use a dual-NIC arrangement that forces all Web traffic to pass through the proxy server.
 

azev

Or, you can create rules to block all external access out from all IP addresses except the proxy IP.
 

nweaver

Indeed, the RM and azev have it right, you can force it several different ways, but if you want a "transparent" proxy (i.e. no settings in browser) I believe you have to have a dual NIC inline solution.

I would look at Smoothwall, as it's easy to set up, has a web UI, and Squid proxy integrated.
 

RebateMonger

Originally posted by: nweaver
Indeed, the RM and azev have it right, you can force it several different ways, but if you want a "transparent" proxy (i.e. no settings in browser) I believe you have to have a dual NIC inline solution.

Well, one of the questions is what you consider a "Web Proxy" to be. It can either be a "Web Browser Proxy", or it might be an "Internet Proxy", meaning that it not only handles web requests, but also handles ALL traffic to the Internet (FTP, IM, whatever).

If there are security concerns, then putting the Proxy Server inline FORCES the client computers to go through the Proxy Server. So the Proxy Server can decide what traffic it will allow. If you don't put the Proxy Server inline, there's always the possibility that the client computers will find ways to get directly to the Internet. A "smart" User might install a different Web Browser, that doesn't use the Web Proxy Server.

But it sounds like the OP doesn't have User issues, so, in that case, the Proxy Server can go anywhere in his/her network.
 

spidey07

Or the more common approach - put the proxy in some sort of DMZ.

-edit-
What I mean is there are two sets of firewalls. One from internal to DMZ. Another from DMZ to Internet. You can control your rules very well this way, plus protect the proxy server and mitigate any possibility of the proxy getting hit by a worm/virus. The only thing it needs to talk to are authentication servers and a few internet ports.
 

imported_GLO

Originally posted by: RebateMonger
A Web proxy server can be located anywhere in the network, as long as it can reach the Internet. If you want to be SURE that client PCs can't "override it" and talk directly to the Internet, then it's safest if you use a dual-NIC arrangement that forces all Web traffic to pass through the proxy server.

The users are unlikely to access the net directly.
My main purpose for this web proxy server is for the server to cache and serve all repeat http and ftp requests faster, whilst allowing for active content to be sourced from the internet.

This would be transparent to the end user, but could be disabled in their browser if need be.

Originally posted by: nweaver
Indeed, the RM and azev have it right, you can force it several different ways, but if you want a "transparent" proxy (i.e. no settings in browser) I believe you have to have a dual NIC inline solution.

I would look at Smoothwall, as it's easy to set up, has a web UI, and Squid proxy integrated.

I don't need to have a Dual NIC inline solution. If I did then wouldn't that mess up the file server and backup ability?

Originally posted by: RebateMonger
If there are security concerns, then putting the Proxy Server inline FORCES the client computers to go through the Proxy Server. So the Proxy Server can decide what traffic it will allow. If you don't put the Proxy Server inline, there's always the possibility that the client computers will find ways to get directly to the Internet. A "smart" User might install a different Web Browser, that doesn't use the Web Proxy Server.

But it sounds like the OP doesn't have User issues, so, in that case, the Proxy Server can go anywhere in his/her network.

I do want all traffic to check with the proxy server to see if any content is already stored, and can be served locally.

I manage all the PCs on the LAN so I can easily set up the proxy settings in their browsers.

Originally posted by: spidey07
Or the more common approach - put the proxy in some sort of DMZ.

-edit-
What I mean is there are two sets of firewalls. One from internal to DMZ. Another from DMZ to Internet. You can control your rules very well this way, plus protect the proxy server and mitigate any possibility of the proxy getting hit by a worm/virus. The only thing it needs to talk to are authentication servers and a few internet ports.

The Cable Modem and Wireless Router both are hardware firewalls. Proxy is simply to speed up http and ftp requests, and subsequently minimise bandwidth.

The wireless router will also handle QoS so any data being sourced from the internet will be prioritized accordingly, and LAN traffic (served by the proxy server) would not be limited at all.

If the Proxy server is just located on the LAN as per my proposed network diagram, there would be no need or benefit to use Dual NICs would there?


 

imported_GLO

Originally posted by: nweaver
Indeed, the RM and azev have it right, you can force it several different ways, but if you want a "transparent" proxy (i.e. no settings in browser) I believe you have to have a dual NIC inline solution.

I would look at Smoothwall, as it's easy to set up, has a web UI, and Squid proxy integrated.

Hi nweaver,

Further research on my part shows that the DD-WRT firmware on the Asus WL500g router has the ability to set up a Transparent Proxy Server.

In fact their solution recommends using Squid also.

Please have a look and let me know what you think, and if there is anything else I need to consider.

Thanks in advance
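
The two router-side options raised in this thread (azev's rule blocking everything except the proxy IP, and the transparent redirect on the DD-WRT router that GLO mentions), as an added example that is not from any poster or from the DD-WRT project. The interface name `br0`, the 192.168.1.x addresses and port 3128 are assumptions; the script only prints the rules so they can be reviewed before being piped to `sh` on the router.

```shell
#!/bin/sh
# Added example: prints (does not apply) router-side iptables rules for a
# proxy that sits on the LAN next to the clients.
# Assumed values, not from the thread: LAN bridge br0, LAN 192.168.1.0/24,
# router 192.168.1.1, proxy 192.168.1.10 listening on TCP 3128.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
PROXY_IP="${PROXY_IP:-192.168.1.10}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Mode 1: browsers are configured to use the proxy; the router refuses
# direct web/FTP connections from every other LAN host.
# -I inserts at the top of the chain, so each ACCEPT (emitted second)
# ends up above its REJECT and the proxy's own fetches still get out.
enforce_rules() {
    for port in 80 443 21; do
        echo "iptables -I FORWARD -i $LAN_IF -p tcp --dport $port -j REJECT"
        echo "iptables -I FORWARD -i $LAN_IF -s $PROXY_IP -p tcp --dport $port -j ACCEPT"
    done
}

# Mode 2: transparent proxy; no browser settings, the router rewrites
# outbound port-80 connections so they land on the proxy instead.
redirect_rules() {
    # The proxy's own requests must leave untouched, or they would loop.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $PROXY_IP -p tcp --dport 80 -j ACCEPT"
    # Web UIs on the LAN itself (including the router's) are not proxied.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $LAN_NET -p tcp --dport 80 -j ACCEPT"
    # Everything else bound for port 80 is sent to the proxy.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    # Source-NAT the redirected flow so the proxy answers via the router;
    # a direct reply would not match the address the client connected to.
    echo "iptables -t nat -I POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $ROUTER_IP"
    # Allow the redirected packets to be forwarded back out the LAN bridge.
    echo "iptables -I FORWARD -i $LAN_IF -o $LAN_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
}

# Usage: sh proxy-rules.sh enforce|redirect   (review, then pipe to sh)
case "${1:-}" in
    enforce)  enforce_rules ;;
    redirect) redirect_rules ;;
esac
```

The redirect covers port 80 only, and the proxy itself has to be configured to accept intercepted requests. Because of the SNAT rule, the proxy's logs show the router's address rather than each client's.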

 