Re: [squid-users] hopeless Windows Update problem(?)

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Tue, 11 May 2004 14:37:05 -0700 (PDT)

Just a dumb observation. You are moving them to a non-routable network
which requires them to obtain a new DHCP assigned IP address. Why can't
you define option 252 and pass them the URL for a proxy.pac file?

This would allow you to pass all HTTP traffic to Squid regardless of the
port being used.

Merton Campbell Crockett

On Tue, 11 May 2004, Michael Hocke wrote:

>
> Hi everybody,
>
> I believe I already know the answer to this but maybe somebody can throw
> me a bone and point out alternatives. This is not a pure Squid problem but
> it involves http proxying. This is the situation:
>
> Our security team is implementing a scanning system that checks Windows PCs
> for vulnerabilities and virus infections. Once a computer is identified to
> be quarantined we use DHCP to put that machine into a restricted network
> that is not routable. Our idea was that we use DNS on that network to
> force any kind of web traffic to be directed to an info page that informs
> the user that his/her computer is not up to standards and that they should
> do a Windows Update and update the virus scanner definitions. The DHCP,
> DNS, and the info page part work great. The problem now is that we have
> to provide a way for that machine to get to Microsoft's servers in order
> for Windows Update to work. We thought that Squid would do wonders here.
> Configure it as transparent proxy and make sure it considers the Host:
> header. Tighten the access controls so that only that restricted network
> can get out and only to *.windowsupdate.com,
> *.windowsupdate.microsoft.com, and wustat.windows.com. Well, in theory
> this is fine and dandy and would work if only it wouldn't be using SSL
> down the road. That is pretty much a show stopper and we can forget about
> the transparent proxy idea.
>
> I know that we are not the only ones that are trying or tried to solve
> this problem. Our network is all over the place and grew almost
> uncontrolled over two decades, consisting of many, many subnets behind T1s
> so that direct access to the internet for that purpose is pretty much out
> of the question (using NAT for example). So is WCCP or other things we could
> do on router level. SUS or SMS is not going to work either because a) it
> doesn't really have the entire repertoire of update packages and b) it
> requires support from the client and c) we deal with personal computers
> here that belong to the students and not to the organization. That would
> work in a corporate world but not on our campus.
>
> Anything else we could look into? Would contacting Microsoft do any good?
> The only solution I have right now is keep the proxy but have the infected
> end-user configure a proxy auto config script into his browser.
>
> Thanks for any pointers, ideas, comments.
>
> - Michael
>

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc@CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
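As an added illustration (not configuration from either poster), the Squid access-control fragment that matches the restriction Michael describes: only the quarantine subnet may leave, and only to the three Windows Update domains. The subnet, the listening port and the explicit-proxy deployment (clients pointed at Squid via Merton's DHCP option 252 / proxy.pac route rather than interception) are assumptions.

```conf
# Squid as an explicit proxy; clients learn its address from the proxy.pac
# handed out via DHCP option 252, so browsers send CONNECT for HTTPS.
http_port 3128

# Constructed value: substitute the real restricted (non-routable) range.
acl quarantine src 10.99.0.0/16

# Destinations named in the thread. A leading dot matches the domain and
# every subdomain, so .windowsupdate.com covers *.windowsupdate.com.
acl wu_sites dstdomain .windowsupdate.com .windowsupdate.microsoft.com wustat.windows.com

acl SSL_ports port 443
acl CONNECT method CONNECT

# With an explicit proxy, HTTPS arrives as "CONNECT host:443", so the
# destination name is visible and dstdomain can be checked before the
# tunnel is opened. Intercepted port-443 traffic carries no such name to
# Squid, which is why the transparent approach stalls on SSL.
http_access deny CONNECT !SSL_ports
http_access allow quarantine wu_sites

# Everything else from everyone else, including the quarantine network's
# attempts to reach any other site, is refused.
http_access deny all
```

The `http_access` lines are evaluated top to bottom and the first match wins, so the explicit `deny all` must stay last.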
Received on Tue May 11 2004 - 15:39:17 MDT
