Proxy-server

Proxy-server configuration

A local network of computers can be connected to the global network (Internet) via a single data transmission channel (gate). One advantage of this networking solution is the ability to use a caching proxy-server to cache incoming files. Popular pages are cached on the first visit, saved, and reused to answer later requests. This speeds up request processing and reduces the amount of incoming traffic.

The proxy-server listens for incoming requests from the local network and, if necessary, forwards them to the outer network. The server waits for incoming connections on the configured port, which is 3128 by default. If that port is unsuitable for some reason, any other value can be used.

The source address of each request is checked for membership in the internal networks. For requests originating from the local network to be forwarded, the corresponding network (subnet address and address mask) must be added to the list of internal networks in the Networks section.

Another restriction on forwarding is the destination port range. If the destination port number of the request does not fall within one of the registered port ranges, access to the outer network is denied. The list of registered port numbers (services) is managed in the Ports section.

The proxy-server can operate in two modes: standard and transparent. Standard mode implies (manual) reconfiguration of the programs in the local network. For that reason the other mode -- transparent -- became very popular. In transparent proxying mode all requests that originate from the local network and are sent to the registered services (ports) on the global network are automatically intercepted at the gate. Local network programs continue to work without any reconfiguration, as if there were no proxy at all. The main drawback of the transparent mode is the lack of any user identification mechanism -- all of the requests are anonymous.

The main advantage of the standard proxying mode, which can be used after reconfiguring the programs in the local network, is the availability of a number of user authentication mechanisms. To enable authentication, select one of the authentication methods other than "no authentication".

The outer network access policy consists of an authentication policy (method) and a number of domain access policies based on user groups. Use the Groups section to view and edit these policies. For each group of users a number of restricted (or allowed) domains can be defined. User group membership can be managed with the system-wide module "Users/Groups". Access policies for the special groups "All users" and "Authenticated users" are processed differently from the individual policies for user groups.

Individual policies for user groups are point-like: allowing access to some domains doesn't mean that access is denied for other domains. The same holds for a denying policy. Because they have the highest priority, these policies are useful for defining exceptions.

The allowing policy for "All users" is a white-list of domains with a priority level higher than the analogous policy for "Authenticated users". Access to the listed domains is granted to all users if the individual policies don't deny it. This policy is useful when you do not want to deny access to some public sites, such as search engines, by default. However, when the domain list is empty, access is by default granted to absolutely all sites.

The allowing policy for "Authenticated users" is a white-list of domains with a priority level lower than the previous one. Access to the listed domains is granted to all authenticated users if the individual policies don't deny it. It is useful when you want to grant logged-in users some more privileges compared to anonymous ones. However, when the domain list is empty, access is by default granted to absolutely all sites for such users. That is useful when you want to restrict Internet access mostly for anonymous users.

The denying policy for "Authenticated users" is a black-list of domains with a priority higher than the analogous policy for "All users". Access to the listed domains is denied for a logged-in user if neither an individual policy nor the "All users" policy grants it. Furthermore, access is granted to all non-listed sites. The policy is useful when there are only a few restrictions for logged-in users and more restrictions for anonymous ones.

The denying policy for "All users" is a black-list of domains with the lowest priority: access to the listed domains is denied for a user if no other policy grants it, and all non-listed sites are permitted. The policy is useful when there are only a few restrictions on Internet access overall.
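
The precedence described above, written out as an added example (it is not the product's own code). It assumes that each group holds either an allow list or a deny list, that a list entry also covers its subdomains, and that an individual deny is checked before an individual allow; the group and domain names are constructed.

```python
# Added illustration of the policy precedence described in the text; not the product's code.
ALLOW, DENY = "allow", "deny"
ALL, AUTH = "All users", "Authenticated users"
# Special-group tiers from highest to lowest priority, as the text orders them.
SPECIAL_ORDER = [(ALLOW, ALL), (ALLOW, AUTH), (DENY, AUTH), (DENY, ALL)]

def matches(domain, listed):
    """Assumed matching rule: an entry covers the domain itself and its subdomains."""
    domain = domain.lower().rstrip(".")
    return any(domain == d.lower() or domain.endswith("." + d.lower()) for d in listed)

def decide(domain, user_groups, authenticated, policy):
    """Return (decision, group) for the first policy listing the domain, else (None, None)."""
    # Individual group policies rank highest; deny before allow is an assumption.
    for want in (DENY, ALLOW):
        for group in user_groups:
            mode, listed = policy.get(group, (None, ()))
            if mode == want and matches(domain, listed):
                return mode, group
    for want, name in SPECIAL_ORDER:
        if name == AUTH and not authenticated:
            continue  # anonymous requests never reach the "Authenticated users" tiers
        mode, listed = policy.get(name, (None, ()))
        if mode == want and matches(domain, listed):
            return mode, name
    return None, None  # no list names the domain; the defaults in the text apply

def open_allow_lists(policy):
    """Special groups in allow mode with an empty list: per the text, every site is granted."""
    return [n for n in (ALL, AUTH) if policy.get(n, (None, ()))[0] == ALLOW and not policy[n][1]]

# Constructed sample policy: group name -> (mode, domain list).
POLICY = {
    ALL: (ALLOW, ["search.example"]),
    AUTH: (DENY, ["search.example", "video.example"]),
    "interns": (DENY, ["search.example"]),
}

if __name__ == "__main__":
    for who, groups, authed in [("anonymous", [], False), ("alice", [], True), ("bob", ["interns"], True)]:
        for site in ("www.search.example", "video.example", "news.example"):
            print(who, site, decide(site, groups, authed, POLICY))
    print("fail-open allow lists:", open_allow_lists({ALL: (ALLOW, [])}))
```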

View proxy-server statistics reports

Information on every request forwarded to the outer network is recorded in the proxy-server log. This statistical data is processed on a regular basis to produce traffic reports. The reports include information on the size of received responses and the time consumed. The reports are accessible in the Statistics/Proxy-server module. If statistics collection is not switched on (Enable statistic data collection), new network usage data is not written to the statistical database.

The main purpose of the module is to display network usage statistics. If one of the authentication methods is used to control network access, the reports are generated on a per-user basis. Otherwise the local network address is used as the request identifier.

The displayed report is not updated automatically. To update it, use the "Update" button. Each update uses the selection settings, which can be modified. Report records are ordered by descending amount of received data.