Go to the table of contents Go to the previous page You are at the end of the document View or print as PDF
Squid Proxy
Configuring proxy chaining | Forcepoint Web Security Cloud
Forcepoint Web Security Cloud supports the configuration of a chained Squid open source downstream proxy, in the following cases:
*
*
The Squid proxy must be version 3.1.5 or later.
Basic chaining
In this case, Squid forwards requests to the cloud proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.
Configure Squid to forward requests to the cloud proxy as follows:
1.
You should also configure direct access to the cloud portal to allow the following:
*
*
The roaming user home page (http://home.webdefence.global.blackspider.com/), if used, should also be configured as an ACL.
The following sites must be included in the ACLs:
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
2.
never_direct allow all
3.
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest
NTLM chaining
The Squid proxy performs local NTLM identification, then forwards the appropriate Proxy-Authorization headers as an NTLM Type 3 message to the cloud proxy for further transparent user authentication. Squid can maintain multiple connections to the cloud proxy, allowing the sharing of connections across users but ensuring that each request is associated with the correct user. When Squid reassigns a connection to another user, only then is a new Proxy-Authorization header sent for that user.
To use this setup, configure Squid to do the following:
1.
2.
3.
Configuring Squid for NTLM authentication
To configure Squid to perform NTLM authentication of users, refer to the Squid documentation:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
Forwarding requests to the cloud proxy
To configure Squid to forward requests to the cloud proxy:
1.
The following sites must be included in the ACLs:
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
2.
never_direct allow all
3.
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest
Forwarding user information to the cloud proxy
To configure squid to forward user information, add option login=PASS to the cache-peer line:
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest login=PASS
 
 
 
 
 
 
 
©2020 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of their respective owners.
Document last updated: September 14, 2020
 

Go to the table of contents Go to the previous page You are at the end of the document View or print as PDF
Copyright 2018 Forcepoint. All rights reserved.