AD Server, Web Proxy Server and Group Policies


(R.S.Sundar) #1

Hello All,

I have configured Nethserver 6.6 and configured it as Proxy Server, and when I configure this server as PDC,
I am able to use it as proxy server.
Problem 1: When I configure the system as PDC, I am not able to join the Domain.
Problem 2: Proxy server and filters are working. How can I control the client machines (Windows 10 Pro and Windows 8, 8.1) which have Internet Explorer, Chrome and Firefox so that users cannot change the Proxy Setting?

Just for comparison, in Zentyal, when I configure the Server as AD server, we can configure it as AD Server and use group policies to control the setting so that users cannot change the proxy setting in IE.

Can somebody help with whether I can use Nethserver as AD Server with group policies to control Proxy settings?

Thanks in Advance.

Best Regards,
R.S.Sundar


(Filippo Carletti) #2

AFAIK, group policies are not available.
I’d block web surfing to the LAN except for who’s using the proxy (there’s a checkbox in the proxy page).


(Gabriel GHEORGHIU) #3

Hello Sundar

You must configure Web proxy like this:

On the right side of the page you have Help button. Press and you will find more explanations.
Gabriel


(R.S.Sundar) #4

Thanks Filippo Carletti, I have a requirement where NO Windows server is available. I need to log and allow web users at a specific time, which I created using Web filters. All works fine at the Web Proxy end. Users are connected to LAN 192.168.1.0/24. This server IP is 192.168.1.50 and it is in Workgroup mode. When we configure this server 192.168.1.50:3128 on the users' machines, all works fine. But we want to control the client machines in such a way that no users should be able to change their proxy setting.


(Filippo Carletti) #5

I think that you need a registry patch on Windows:
https://<your_nethserver>:980/winregistry-patches/


(R.S.Sundar) #6

Thanks Gabriel GHEORGHIU, Proxy server works fine and the requirement is that every time users log in they need to type the username/password, for logging. Client machines have one user ID called user1 which is not administrator. These user machines will be used by multiple users (separate user IDs have been created in Nethserver and work fine). Every user, when they log in, types a password and it gets logged which user ID is being used and which site it is going to. This part is OK and the problem now is how to control the proxy setting on the user machine.


(R.S.Sundar) #7

I used the registry setting and am still not able to join the domain.


(Gabriel GHEORGHIU) #8

For Firefox: Options -> Advanced -> Network -> Connection Settings -> usually, “Auto-detect proxy settings for this network”.

For IE and Chrome: from IE, Internet Options -> Connections -> LAN settings -> usually, “Automatically detect settings”.

Should work.
Gabriel

PS

Also, read this: http://docs.nethserver.org/en/latest/web_proxy.html


(Gabriel GHEORGHIU) #9

Please read this: http://docs.nethserver.org/en/latest/samba.html


(Giacomo Sanchietti) #10

Since someone already asked for Active Directory groups support inside the proxy, here is the explanation why we can’t do that: http://dev.nethserver.org/issues/3345


(Gabriel GHEORGHIU) #11

@giacomo
I think it is possible with Samba4, using group policy with a PAC file.


(Stefano) #12

that’s odd… if NS is a member of an AD forest, it uses users from AD…

that said, all daemons must search/use ldap against AD

see, for squidguard example: https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/


(Giacomo Sanchietti) #13

This is a limitation of the current implementation since the group is expanded into a list of users:
https://github.com/NethServer/nethserver-squidguard/blob/master/root/etc/e-smith/templates/etc/squid/squidGuard.conf/40src#L19

This could be a good solution, but all other software does not use this approach (except for SOGo): we are using PAM directly to integrate users inside the system.

What do you think about a centralized page for all AD credentials?
A page like this should contain:

  • server address
  • bind dn
  • bind password

Then, all templates which need such information can access it from a centralized db key.
What do you think of this silly idea @davidep? :smile:

In the meantime, @zamboni would you like to create a new template which uses AD directly and stores bind data in a couple of props inside the squidguard key? :wink:

Edit: I updated the bug with the proposed solution


(Davide Principi) #14

I’m not sure it has to be a DB key, but yes, we need to find a good place where this information is stored and define an API to consume it inside templates, for those services (like s**o) that don’t want to integrate themselves with the system PAM, SSS, NSS…