Thursday, May 26, 2011

How To Set Up Centralized Security Policy Management Across Multiple Remote Proxy Servers With SafeSquid

Enterprises with multiple geographically distributed locations face challenges in enforcing a universal Internet Access Policy across the enterprise. Usually, each location deploys its own preferred content filtering solution, and hence cannot synchronize the Corporate Internet Access Policy (CIAP) globally. SafeSquid's Multi-Proxy or Master-Slave feature allows you to enforce your CIAP universally across the enterprise, irrespective of the geographical location of a remote office. The Master-Slave configuration ensures that policies are enforced globally, and that any changes made to the policies on the Master SafeSquid server are synchronized to all the Slave servers across the enterprise in real time, greatly reducing an administrator's management overhead. SafeSquid's Master-Slave feature is granular enough that you can define a unique user authentication mechanism for each location, unique access policies for a specific location, exclude or include the locations a policy should apply to, create granular access policies based on the group a user belongs to, and much more. Master-Slave can be implemented irrespective of whether the enterprise has a common Internet gateway or a distributed one.

Master-Slave in a central gateway scenario


Master-Slave in a distributed gateway scenario


A Master server is set up the same way as a stand-alone server; nothing extra is required during installation, except to ensure that the Slave servers can reach the SafeSquid interface, either over a private internal connection or via the Internet. To allow access to the SafeSquid interface via the Internet, the Master server must listen on a static (live) Internet IP. Next, make the Master server listen on an additional port, other than the port on which it serves users, on which only access to the SafeSquid interface is allowed. Then create entries in the Access Restrictions section to allow the Slave servers to access the interface. If the remote locations have static Internet IPs too, restrict access to the interface to the IPs of those locations, rather than allowing it from anywhere else.

Suppose the Master SafeSquid is listening on port 8080 (the default). You now need to make it listen on port 8081 too, and allow access only to the web interface on this port. To make SafeSquid listen on port 8081, go to Config > Network settings and create the following entry:

SafeSquid Interface - Network Settings

Next, click 'Save settings' in the top menu of the interface, save the settings, and restart the SafeSquid service. When SafeSquid starts this time, it will listen on both port 8080 and port 8081. Next, create an entry under Access Restrictions to allow access only to the SafeSquid interface on port 8081.

SafeSquid Interface - Access Restrictions

The above entry means that the proxy will accept requests on the specified interface (IP=152.23.163.10, which is taken to be the static IP, and PORT=8081) from the specified source 'IP Address' (from any source IP if left blank), and allow them access only to the web interface (Access=config). It additionally applies the profile 'SLAVES' to such requests.

Note: The entries in Access Restrictions are applied in top-to-bottom order. The first entry that matches is applied, and the rest are ignored. Hence, all IP-based entries should precede non-IP-based rules; otherwise the IP-based entry will never be applied.
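To make the ordering rule concrete, here is an added example (not SafeSquid's own code and not from the original post) that models a first-match access-restriction table with the fields named above: interface IP, port, source IP, Access and profile. The evaluation semantics, the branch office range 203.0.113.0/24 and the "no match means denied" outcome are assumptions for illustration; 152.23.163.10 and ports 8080/8081 are the values from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a first-match access-restriction table (assumption:
# this mirrors the fields described in the post, not SafeSquid's code).


@dataclass
class Rule:
    name: str
    iface_ip: Optional[str]     # interface the request arrived on, None = any
    port: Optional[int]         # listening port, None = any
    source: Optional[str]       # source IP or CIDR; None = blank = any source
    access: str                 # "config" (web interface only) or "proxy"
    profile: Optional[str] = None

    def matches(self, iface_ip: str, port: int, src_ip: str) -> bool:
        if self.iface_ip is not None and self.iface_ip != iface_ip:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.source is not None:
            net = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def evaluate(rules, iface_ip, port, src_ip):
    """Return the first matching rule, scanning top to bottom, or None."""
    for rule in rules:
        if rule.matches(iface_ip, port, src_ip):
            return rule
    return None


def decision(rules, iface_ip, port, src_ip):
    """(rule name, access, profile); no match is treated as denied (assumption)."""
    rule = evaluate(rules, iface_ip, port, src_ip)
    return (rule.name, rule.access, rule.profile) if rule else (None, "deny", None)


MASTER_IP = "152.23.163.10"          # static IP from the post
BRANCH_NET = "203.0.113.0/24"        # constructed: a remote office's static range

# IP-based entry for the Slaves: interface 152.23.163.10:8081, config only, profile SLAVES.
SLAVE_RULE = Rule("slaves-config", MASTER_IP, 8081, BRANCH_NET, "config", "SLAVES")
# Blank-source entry for ordinary users on the proxy port.
USERS_RULE = Rule("users-proxy", MASTER_IP, 8080, None, "proxy")

# Correct order: the IP-based entry precedes the blank-source entry.
GOOD_ORDER = [SLAVE_RULE, USERS_RULE]
# Wrong order: a blank-source entry on the same interface/port comes first,
# so the IP-based entry (and its SLAVES profile) is never reached.
BAD_ORDER = [Rule("any-config", MASTER_IP, 8081, None, "config"), SLAVE_RULE]


if __name__ == "__main__":
    print(decision(GOOD_ORDER, MASTER_IP, 8081, "203.0.113.7"))   # slave: config + SLAVES
    print(decision(GOOD_ORDER, MASTER_IP, 8081, "198.51.100.9"))  # stranger on 8081: denied
    print(decision(BAD_ORDER, MASTER_IP, 8081, "203.0.113.7"))    # profile SLAVES lost
    print(decision(BAD_ORDER, MASTER_IP, 8081, "198.51.100.9"))   # stranger gets the interface
```

With the blank-source entry placed first, a request from a Slave still reaches the interface but without the 'SLAVES' profile, and any other source on port 8081 is granted the interface as well; with the IP-based entry first, only the listed range gets in and everything else on that port is rejected.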

At each of the remote locations, while installing SafeSquid, you need to define the IP:PORT of the Master server from which the Slave fetches the configuration file for synchronization. Based on the above example, this would be 152.23.163.10:8081, the IP and port configured on the Master server to allow access to the Slave servers.

Master Proxy Configuration Section in SafeSquid for Windows Installation

Synchronization Time Setting in SafeSquid for Windows

Master Proxy Configuration Section in SafeSquid for Linux Installation

Synchronization Time Setting in SafeSquid for Linux

By default, these values are blank in both SafeSquid for Windows and Linux. You need to change this to 152.23.163.10:8081. The polling interval, in seconds, at which the Slave requests configuration updates from the Master server, is set to 60 seconds by default. You can change it to any acceptable value.

Another point to note during installation is to define a unique HOSTNAME for each SafeSquid Slave. You can either specify the HOSTNAME during the installation, or leave it blank and specify it later from the SafeSquid Interface > General section. A unique HOSTNAME will help you later when defining granular policies based on these hostnames.

Once done, when the SafeSquid Slave server starts, it fetches the configuration file from the Master server, and then updates itself again every 60 seconds. You can verify that the Slave is synchronizing properly with the Master from 'View log entries' in the Slave web interface. You should find entries similar to the screenshot below:

SafeSquid Interface - View log entries

You can use the unique HOSTNAME of a Slave server to create granular policies that apply only to specific Slave servers. For example, if you would like a Slave server with hostname PROXY3 to authenticate users against an LDAP / Active Directory server within its own network, all you need to do is specify the hostname of that Slave server in the entry you create in the LDAP Configuration section, together with its local authenticating server details. This way, you can configure a unique authenticating server for each Slave server.

SafeSquid Interface - LDAP Configuration

Similarly, you can create unique profiles that apply to specific Slave servers by defining their hostnames in the 'Proxy host' field. This field supports regular expressions, so you can create a profile that covers multiple Slave servers, e.g. (PROXY3|PROXY5|PROXY8).
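The following added example (constructed here, not part of the post or of SafeSquid) shows how a regular expression in the 'Proxy host' field selects profiles for a given Slave hostname, and why it matters whether the pattern is anchored. The post does not state whether SafeSquid anchors this field, so the model takes an unanchored search as its default (an assumption) and lets you compare it with a full match; the profile names and the hostnames PROXY1 and PROXY30 are constructed, while (PROXY3|PROXY5|PROXY8) is the pattern from the post.

```python
import re

# Constructed profile table: profile name -> 'Proxy host' regular expression.
# Only BRANCH_LDAP's pattern comes from the post; the rest are made up here.
PROFILES = {
    "BRANCH_LDAP": r"(PROXY3|PROXY5|PROXY8)",   # pattern from the post
    "HQ_ONLY": r"^PROXY1$",                       # constructed, explicitly anchored
    "ALL_SLAVES": r".*",                          # constructed catch-all
}


def profiles_for(hostname, profiles=PROFILES, anchored=False):
    """Sorted names of profiles whose 'Proxy host' regex matches the Slave hostname.

    anchored=False models an unanchored search (assumption about the field);
    anchored=True requires the whole hostname to match the pattern.
    """
    matched = []
    for name, pattern in profiles.items():
        hit = re.fullmatch(pattern, hostname) if anchored else re.search(pattern, hostname)
        if hit:
            matched.append(name)
    return sorted(matched)


if __name__ == "__main__":
    for host in ("PROXY3", "PROXY1", "PROXY30"):
        print(host, profiles_for(host), profiles_for(host, anchored=True))
```

A hostname such as PROXY30 contains PROXY3, so an unanchored (PROXY3|PROXY5|PROXY8) would also apply the branch profile to it; writing the pattern as ^(PROXY3|PROXY5|PROXY8)$ removes the ambiguity whichever way the field is evaluated, and checking the applied profiles on a Slave whose hostname overlaps another is the practical way to confirm the behaviour.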

SafeSquid Interface - Profiles Section

You can then use the profiles so created in any of the filtering sections, like URL Filtering, Mime Filter, Keyword Filter, etc., to define granular access policies.

Download: You can download SafeSquid free editions from here.

Also see: Other SafeSquid howtos 
