Can you please tell me how to allow external HTTP traffic through a host on the local network, authorizing users through AD?
Good afternoon everyone.
There is the following problem.
There are some rather sophisticated services that authorize us by external IP.
We need to give access to external users with an account in our Active Directory to these services by passing traffic through our server. In addition, it would be nice to have statistics on the use of these services.
Please tell me how to organize it beautifully.
I myself see the following options:
1) An anonymizer script (for example, CGIProxy) installed on an internal web server. But there is a question with authorization of external users through AD.
2) VPN tunnel. I like this solution, but the end user has a problem with statistics and connection settings, although this process can be partially automated.
3) Publishing an application (for example, Mozilla) through an application server, or RDP through a terminal server.
The problem is with the statistics and the number of simultaneous connections... plus a bunch of other nuances.
4) A perverted version of publishing sites using MS TMG. Unfortunately it works crookedly and obliquely.
Statistics are a bummer. But there are no problems with authorization.
My sixth sense hints that there is some very simple option, but it stays silent like a partisan. :)
I ask you for advice and a kick in the right direction, otherwise my "eye gets blurry".
This can be done through Squid; everything you described is supported. Statistics are also easy to bolt on.
I see three more or less tolerably working options:
1. TMG itself keeps statistics quite well. But you can try some other proxy. Offhand, Apache + mod_proxy should work, but I haven't tested it.
2. A regular proxy with AD support + (optionally) WPAD, so that traffic to the internal network goes through the proxy. But client IPs will then only be in the proxy logs.
3. The most "transparent" solution:
Make two identical sites on IIS pointing to the same folder on different IPs. On one, enable authorization; on the other, allow normal access. Publish the site with authorization through NAT.
I am continuing my research on this issue.
An attempt was made to make a reverse proxy on IIS. It failed with a bang.
For 2 reasons:
- some sites serve compressed content, and it is impossible to change the backlinks in it.
- one of the sites has a lot of 3rd-level subdomains (more than 50); I was tormented writing rewrite rules to resolve them.
I also tried to use the CGIProxy anonymizer script; unfortunately it does not display sites correctly.
In the end, I did the following:
Brought up Squid on the internal network and configured Basic authorization on it via AD.
Published the WPAD file and usage instructions on an external site.
As a result, interested users must enter the path to the WPAD file in their browser settings, and then traffic to the target resources goes through the internal proxy, which authorizes users through AD.
I really don't like the part where users have to enter the WPAD path themselves, but at the moment this is the only solution I see.
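As an added example (not from the original thread), here is what the published WPAD/PAC file for the final setup can look like: only the IP-authorized target services are routed through the internal Squid proxy, and suffix matching covers all those 3rd-level subdomains without rewrite rules. The proxy address and target domains are constructed placeholders.

```javascript
// WPAD/PAC file: the browser calls FindProxyForURL(url, host) for every request.
// Constructed placeholders: replace with the real proxy and the real target services.
var PROXY = "PROXY squid.corp.example:3128"; // Squid with Basic auth against AD
var TARGET_DOMAINS = [
  "service-one.example",   // matches the host itself and every subdomain level
  "service-two.example"
];

// PAC engines provide dnsDomainIs()/shExpMatch(), but Windows' JScript engine
// lacks modern String methods, so the suffix check is spelled out in plain ES3.
// It also lets the file run under Node for testing.
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  var suffix = "." + domain;
  // "evil-service-one.example" must NOT match: require the dot boundary.
  return host === domain || host.slice(-suffix.length) === suffix;
}

function isTargetHost(host) {
  for (var i = 0; i < TARGET_DOMAINS.length; i++) {
    if (hostMatchesDomain(host, TARGET_DOMAINS[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Plain (intranet) host names and loopback never go through the proxy.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  if (isTargetHost(host)) {
    // Deliberately no "; DIRECT" fallback: if the proxy is down the request
    // should fail rather than silently leave the authenticated, logged path.
    return PROXY;
  }
  // Everything else bypasses the proxy, so Squid logs only the traffic
  // that matters for the usage statistics.
  return "DIRECT";
}
```

Basic auth carries the AD password base64-encoded, so external users should reach the proxy only over TLS (Squid's `https_port`) or a VPN.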