A customer is requiring a setup where the mobile users (iOS iPhone/iPad and Android) are automatically pointed by routing to a Web Gateway (Virtual Appliance) in transparent mode.
At this point he wants to authenticate his mobile users against Active Directory before applying the policy and let them navigate.
Customer is willing to displace an existing squid that (his words) does the job today (in transparent mode as well).
Any experience/suggestion on how to do it?
Running MWG in transparent mode is not a problem. Any mode should do it.
Add an authentication server which utilizes cookie authentication to the policy. Clients will be redirected to the authentication server and asked for authentication. Once authentication succeeds they obtain a cookie which is used to authenticate further requests.
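The redirect-and-cookie flow described in the answer above, as an added illustration that is not part of the original thread and not MWG's own implementation: an intercepted request without a valid session cookie is redirected to an authentication server, and a request carrying a cookie that verifies (HMAC tag intact, not expired) is allowed through. The authentication server host, cookie name, secret and lifetime are assumed values; the Active Directory check itself happens on the authentication server and is out of scope here.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

AUTH_HOST = "auth.example.internal"    # hypothetical authentication server
COOKIE = "mwg_session"                 # hypothetical cookie name
SECRET = b"constructed-demo-secret"    # constructed; deploy a random per-installation key
TTL = 3600                             # cookie lifetime in seconds (assumed)


def issue_cookie(user, now=None):
    """Cookie handed out after a successful login: user|expiry|HMAC tag."""
    exp = int(now if now is not None else time.time()) + TTL
    payload = f"{user}|{exp}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(value, now=None):
    """Return the user name if the tag verifies and the cookie is unexpired, else None."""
    try:
        user, exp, tag = value.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    if int(exp) < int(now if now is not None else time.time()):
        return None
    return user


def decide(host, path, cookies, now=None):
    """Policy decision for one intercepted HTTP request.

    cookies: dict of cookie name -> value sent by the client.
    Returns ('allow', user) when the session cookie verifies, otherwise
    ('redirect', location) pointing the client at the authentication server
    with the originally requested URL so it can be sent back after login.
    """
    user = verify_cookie(cookies.get(COOKIE, ""), now)
    if user:
        return ("allow", user)
    original = f"http://{host}{path}"
    return ("redirect", f"https://{AUTH_HOST}/login?" + urlencode({"url": original}))
```

The expiry bound limits how long a cookie captured from an unencrypted request stays usable, which is the main exposure of cookie authentication over plain HTTP.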
I never tested it before... I just wanted to be sure that the mobile devices (Apple/Android) can work correctly with cookie-based authentication in transparent mode.
Just another question concerning the proxy functionality in transparent mode:
Let's assume that we only manage ports 80 and 443 for policy: if I understand correctly, ALL the traffic passing toward the proxy in transparent mode will be NATted by the proxy IP itself. I mean all the traffic, screened by policy or not, will present itself to the external internet world with the proxy IP address and not with the client one (unless I configure the spoofing feature on the proxy).
Is my understanding correct?
Mobile devices should be able to deal with cookie authentication. It is basically up to the browser, but we use a similar technique for some iPhones over here (they authenticate with a client certificate they have installed to obtain their session cookie) and that works pretty fine. So I wouldn't expect any trouble, however people will have to enter their credentials when starting to browse (unless they use a client certificate).
In regards to IP spoofing my understanding is that the IP spoofing feature only applies to traffic we have intercepted (Port 80/443). All other traffic is just passing through the box without being touched at all, so the source IP address should remain.