
Re: [K12OSN] Censornet help



Dimitri

I am using the latest Censornet in the way you describe in diagram one.

In the Censornet Web site, under Support, there's a section called Network Diagrams. I'm trying to set up the second of the schemes, Standard Bridge Mode. The write-up states:

"This is the most common form of Bridged CensorNet design. Note that we never recommend the use of Bridge Mode unless you have your own firewall to protect your perimeter. Although the CensorNet still has two network cards, connected in a similar fashion to the Basic Router Mode option, it only has one IP address, purely for administration purposes. The firewall shown in the diagram will have an internal address on the same subnet as the rest of the local LAN."

So, just as in the diagram, I've tried this:

                     internet
                         |
                      router
                         |
                     firewall--------DMZ
                         |
                     Censornet
                         |
                      Switch
                         |
                        LAN


This is good.


I'm able to get both user and workstation data from our AD server into Censornet. I'm able to reach the Censornet Web admin gui from my workstation. I'm able to ping both my workstation and an outside site from the Censornet box. I've set up the correct address and port in Web browser proxy settings. Depending on how I wire the Censornet box to the firewall and/or LAN, at worst I'm continually prompted for a uname and pw.

This is a feature, not a problem and is exactly what is supposed to happen with Censornet. It sounds like you have everything working just right.

At best, I'll get a Censornet "Authentication Failed" message.

If, for example, you don't have the correct proxy settings (or if a user deliberately tries to bypass the proxy) you encounter this message - once again exactly what should happen.


As to this last, there's obviously an authentication problem. Remember, I can see both users and workstations in the Censornet Web gui. All the proper access permissions are set for both. But, I have no idea whether it's an iptables issue or a Censornet issue. A perusal of the logs on both systems

It sounds like you want the Windows user to automagically be logged in as the Internet user, but that's not the way Censornet works. You have to log in to the web independently, even if you have already logged into Windows and authenticated against your domain (it sounds like you're running Windows on the desktop here, right?). This is how Censornet logs access. In other words, Censornet is not a transparent proxy that makes use of the user authentication login details - it is a separate and self-contained logging and authentication system. The fact that it imports the user accounts from your AD is merely a convenience so that you don't have to recreate them all manually. It also means that one user can log in to the Windows PC and another can log into the Internet on the same PC at one time - it is the username that logs onto the Internet that will be tracked and logged in the Censornet Webalizer, not the Windows AD authenticated user.

Hope this helps
ed


