Appendix D. Proxy server configuration

Table of Contents

Configuring Microsoft ISA Server 2004/2006
Configuring Squid Proxy
Squid authentication with LDAP / Active Directory
Restricting Internet Access for users without credit

Configuring Microsoft ISA Server 2004/2006

This setup guide is not intended to be a full setup guide for ISA Server 2004/2006, but provides the minimum steps involved in getting ISA set up to work with PaperCut NG.

  1. Install ISA Server 2004/2006 from the installation media as per ISA Server installation documentation.

  2. When prompted for your internal address ranges, make sure you accurately specify all IP address ranges that your internat network uses.

  3. Open the ISA Server management console ( StartProgram FilesISA ServerISA Server Management Console).

  4. On the left menu select the Monitoring node of your ISA Server, and select the Logging tab.

    ISA Server 2004/2006 - Logging tab

    Figure D.1. ISA Server 2004/2006 - Logging tab

  5. On the right hand side of the logging pane, select the Configure Web Proxy Logging option.

    ISA Server 2004/2006 - Configure Proxy Logging option

    Figure D.2. ISA Server 2004/2006 - Configure Proxy Logging option

  6. Select the File logging option and ensure the W3C extended log file format is selected.

    ISA Server 2004/2006 - Using the W3C log file format

    Figure D.3. ISA Server 2004/2006 - Using the W3C log file format

  7. Click the Apply button to enable the W3C log format.

    ISA Server 2004/2006 - Applying changed log settings

    Figure D.4. ISA Server 2004/2006 - Applying changed log settings

  8. Check that the web proxy server is enabled for your internal network by selecting the Firewall Policy node on the left, opening the toolbox on the right, and opening the properties for the internal network under ToolboxNetwork ObjectsNetworks.

    ISA Server 2004/2006 - Properties for the internal network

    Figure D.5. ISA Server 2004/2006 - Properties for the internal network

  9. On the Web Proxy tab, ensure that the HTTP proxy is enabled.

    ISA Server 2004/2006 - Enabling the HTTP proxy

    Figure D.6. ISA Server 2004/2006 - Enabling the HTTP proxy

  10. Define a new User Set that will control the list of users to restrict access for. To do this select ToolboxUsersNew.

    ISA Server 2004/2006 - Creating a new user set

    Figure D.7. ISA Server 2004/2006 - Creating a new user set

  11. Define the User Set name as something meaningful like PaperCut NG Internet Users or just Internet Users.

  12. When prompted to select the users for this set, press Add and select Windows users and groups....

    ISA Server 2004/2006 - Adding Windows users to a user set

    Figure D.8. ISA Server 2004/2006 - Adding Windows users to a user set

  13. Select the Windows security group that you defined for PaperCut NG to use when allowing/disallowing internet access based on the user's credit.

  14. By default ISA server disallows all traffic, so a rule needs to be defined to allows users to access the internet if they belong to the Internet Users Windows security group defined for use with PaperCut NG.

  15. On the Firewall Policy screen, select the Create New Access Rule from the Tasks tab on the right.

    ISA Server 2004/2006 - Creating a new access rule

    Figure D.9. ISA Server 2004/2006 - Creating a new access rule

  16. Give the access rule an appropriate name. For example PaperCut NG Internet Access.

  17. Select Allow to indicate that matching this rule allows access.

    Important

    If you have configured PaperCut NG to populate the security group with denied users (see the section called “Using a deny group for Internet access control”), then a Deny rule should be created instead.

  18. When prompted for the protocols to allow, select Selected protocols from the list, and add the HTTP protocol to the list.

    ISA Server 2004/2006 - Allowing the HTTP protocol

    Figure D.10. ISA Server 2004/2006 - Allowing the HTTP protocol

  19. Then when prompted about which sources this rule applies to, select your internal network.

    ISA Server 2004/2006 - Setting the internal network as the rule source

    Figure D.11. ISA Server 2004/2006 - Setting the internal network as the rule source

  20. Select the External network for the Access Rule Destination.

  21. When prompted for the User Sets, select the previously defined User Set that contained the PaperCut NG Internet Access Windows group.

  22. Press Finish to complete the definition of the Access Rule.

  23. Click the Apply button to enable the changes to the User Sets and Access Rules.

    ISA Server 2004/2006 - Applying changed access rule settings

    Figure D.12. ISA Server 2004/2006 - Applying changed access rule settings

    Important

    This configuration assumes that the default ISA access rule for users is a Deny rule. This means that if the user does not belong to the PaperCut NG Internet Access Windows group then they will be denied Internet access. If your ISA server is configured with a default Allow rule, then this rule should be modified to a Deny rule and other rules adjusted appropriately.

  24. Ensure that PaperCut NG is correctly set up to find the ISA Server 2004/2006 log files. For more information see the section called “Internet Control service setup”.