Astaro User Bulletin Board
Go Back   Astaro User Bulletin Board > Astaro Gateway Products > Web Security: HTTP/HTTPS/FTP, IM/P2P, Web Filtering and Antivirus
Reload this Page HTTP/S - Allowed Target Services question
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Welcome to the Astaro User Bulletin Board.
If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 02-08-2010, 02:27 PM
Member
  
Join Date: Oct 2008
Posts: 62
Default HTTP/S - Allowed Target Services question
Before I file for a feature request I just wanted to make sure I understand this correctly.

There is no way to limit by Allowed Target Services by IP/Subnet/Username/Group,etc.

Its sort of an all or nothing list.

I ask because I have students using the proxy who I'd like to only allow 80 and 443 and nothing else, but then our staff can access whatever is necessary. Sometimes we get an odd request for some library database using a reverse proxy on the other end so its setup to use some crazy port such as:

https://sslvpn.pitt.edu:11018/

Thanks for any input!
__________________
ASG v7.502 Software -- HP360G5, Quad Xeon E5410, 4GB RAM -- 500 User
Reply With Quote
  #2 (permalink)  
Old 02-08-2010, 04:01 PM
BAlfson's Avatar
Moderator
  
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,395
Default
Well, not a great answer, but maybe a work-around.

The 'Allowed target services' apply only when the proxy is addressed directly - when the browser is pointed at the Astaro on port 8080.

If you create a Proxy Profile for the student network in transparent mode (with or without authentication), the other 'Allowed target services' will be unavailable to them. If the students are tricky enough to try to point their browsers at the to use it in 'Standard' mode, I think you can block those attempts by using a "blackhole" NAT rule: 'Student (Network) -> HTTP Proxy -> Student (Address) : DNAT to {non-existant}' - but I haven't tried that myself.

For the staff network, set their profile in Standard or AD-SSO mode, and they will have access to all of the 'Allowed target services'.

Does that accomplish what you want?

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT. The time now is 01:55 AM.

 
Contact Us - Astaro User Bulletin Board - Archive - Top

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.


These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases. issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.