[squid-users] Squid communications proxy dilemma

Garri Djavadyan garryd at comnet.uz
Sun Oct 30 04:13:34 UTC 2016


On 2016-10-29 20:40, paul.greene.va at verizon.net wrote:
> I've inherited a squid proxy at work; I'm new to squid, so this is
> still on the learning curve. Unfortunately no one else in the office
> is very good with squid either, so I'm attempting to be the resident
> guru.
> 
> Our network is all in private IP address space. A MS WSUS server and a
> Symantec Endpoint Protection Manager server need to get through the
> squid proxy to get out to MS and Symantec respectively for their
> updates. Some other servers are coming online in the near future that
> will also need to get out to their respective vendors to get updates,
> including a Redhat Satellite server.
> 
> For these WSUS and SEPM servers, they have to go through the proxy I'm
> working with, through a Cisco firewall, upstream to a McAfee web
> gateway, and through another gateway after that. After traffic gets
> past that Cisco firewall, a different networking group is responsible
> for any upstream configuration.
> 
> None of our other servers, except these specialty servers that need to
> get out to their respective vendors for updates, have direct access to
> the internet.
> 
> Our firewall guy says what he's seeing in his logs is that traffic
> destined for port 443, after it goes through the proxy, is trying to
> go straight to the vendor over the internet, rather than go through
> the upstream McAfee gateway as required, and thus, the traffic is
> getting dropped by the Cisco firewall. I did a packet capture test
> with the McAfee gateway guy, and he confirmed that no traffic coming
> from either the WSUS or the SEPM is reaching his gateway.
> 
> I thought this line in the squid.conf file should send traffic from
> our proxy to the upstream McAfee gateway, but maybe I'm
> misunderstanding the intent of the cache_peer parent parameter.
> 
> cache_peer <McAfee Gateway IP address>      parent    8080  3130
> proxy-only no-query no-netdb-exchange default login=username:password
> 
> (if placement of this cache_peer parameter matters, it's currently near
> the end of the squid.conf file)
> 
> As a test, I configured internet explorer on the WSUS server to use
> the proxy for internet access. Without configuring for the proxy, IE
> can't go anywhere except the local network. IE can hit http websites
> (i.e. www.cnn.com) when it's configured to use the proxy, but not
> https websites.
> 
> The Safe_ports and SSL_ports lists are the same as the squid.conf
> defaults.
> 
> This is squid 3.3 running on Redhat 7.
> 
> Any suggestions or pointers?
> 
> PG

Please use plain text (not HTML) for messages next time, as it hurts 
people reading messages on the web archive [1]. Also, IMO, it increases the 
chances a message will be answered. Thanks.

[1] 
http://lists.squid-cache.org/pipermail/squid-users/2016-October/013308.html

Garri
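The quoted question describes exactly the symptom Squid shows when a parent is defined but nothing forbids direct fetches: plain HTTP is relayed to the parent while CONNECT (HTTPS) requests are sent straight to the origin, where the firewall drops them. The fragment below is an added example, not configuration from either poster; it keeps the cache_peer line from the question and adds the never_direct rule that forces all requests through the parent. The address 192.0.2.10 is a documentation placeholder for the McAfee gateway, and the example assumes that gateway accepts CONNECT on port 8080, which the firewall team would need to confirm.

```conf
# Added example (not from either poster): squid.conf fragment that forces
# every request, including CONNECT for HTTPS, through the upstream parent.
# 192.0.2.10 is a placeholder for the McAfee gateway address.

# Parent proxy, as in the question. 3130 is the ICP port, but no-query
# disables ICP anyway; login= sends the upstream proxy credentials.
cache_peer 192.0.2.10 parent 8080 3130 proxy-only no-query no-netdb-exchange default login=username:password

# Without a never_direct rule Squid is free to fetch directly whenever it
# can, and CONNECT requests in particular go direct unless forbidden.
# Denying DIRECT for all requests leaves the parent as the only route,
# which is what the firewall policy in the question requires.
never_direct allow all

# Optional and redundant once never_direct allow all is in place, but it
# documents the intent for the next person who inherits the config.
prefer_direct off
```

After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` reloads the running instance. The quickest confirmation is access.log: a request relayed to the parent is logged with a hierarchy code such as `DEFAULT_PARENT/192.0.2.10`, whereas `HIER_DIRECT/<origin address>` on a CONNECT line means the request bypassed the gateway and the firewall will drop it. Since `login=` stores the upstream credentials in clear text, squid.conf should stay readable only by root and the Squid user.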

