
Re: [K12OSN] Censornet help



Dimitri Yioulos wrote:
On Wednesday April 26 2006 9:34 am, Edward Holcroft wrote:
Dimitri

I am using the latest Censornet in the way you describe in diagram one.

In the Censornet Web site, under Support, there's a section called
Network Diagrams.  I'm trying to set up the second of the schemes,
Standard Bridge Mode.  The write-up states:

"This is the most common form of Bridged CensorNet design. Note that we
never recommend the use of Bridge Mode unless you have your own firewall
to protect your perimeter. Although the CensorNet still has two network
cards, connected in a similar fashion to the Basic Router Mode option,
it only has one IP address, purely for administration purposes. The
firewall shown in the diagram will have an internal address on the same
subnet as the rest of the local LAN."

So, just as in the diagram, I've tried this:

                      internet

                       router

                       firewall--------DMZ

                     Censornet

                       Switch

                         LAN

This is good.

I'm able to get both user and workstation data from our AD server into
Censornet.  I'm able to reach the Censornet Web admin gui from my
workstation.  I'm able to ping both my workstation and an outside site
from the Censornet box.  I've set up the correct address and port in Web
browser proxy settings.  Depending on how I wire the Censornet box to
the firewall and/or LAN, at worst I'm continually prompted for a uname
and pw.

This is a feature, not a problem and is exactly what is supposed to
happen with Censornet. It sounds like you have everything working
just right.

At best, I'll get a Censornet "Authentication Failed" message.

If, for example, you don't have the correct proxy settings (or if a
user deliberately tries to bypass the proxy) you encounter this
message - once again exactly what should happen.

As to this last, there's obviously an authentication problem.
Remember, I can see both users and workstations in the Censornet Web
gui.  All the proper access permissions are set for both.  But, I have
no idea whether it's an iptables issue or a Censornet issue.  A perusal
of the logs on both systems

It sounds like you want the Windows user to automagically be logged
in as the Internet user, but that's not the way Censornet works. You
have to log in to the web independently, even if you have already
logged into Windows and authenticated against your domain (it sounds
like you're running windows on the desktop here right?). This is how
Censornet logs access. In other words Censornet is not a transparent
proxy that makes use of the user authentication login details - it is a
separate and self-contained logging and authentication system.  The
fact that it imports the user accounts from your AD is merely a
convenience so that you don't have to recreate them all manually. It
also means that one user can login to the Windows PC and another can
log into the Internet on the same PC at one time - it is the
username that logs onto the Internet that will be tracked and logged
in the Censornet Webalizer, not the Windows AD authenticated user.

Hope this helps
ed

Understood on the authentication mechanism. Now, this is the curious part - if, after entering my uname and pw (once, or a few times, doesn't matter), then cancelling the login, I get the Censornet "Authentication Failed" error message. So, I am communicating with Censornet, but not being authenticated.

As you know, Censornet isn't difficult to configure, nor are there a lot of configuration settings to make. But, just for fun, I reinstalled Censornet, to make sure I didn't futz anything up the first go-round. No luck, same issues.

And, our AD server is also our system's time server. I made sure that I configured Censornet to use it to sync the time. Both are at the same time. I think, though, that that's important mainly for user and workstation discovery.

Dimitri

You can test the authentication via the CLI; not sure how, but do a search for "PAM" on the censornet forums and you should find something.

Brian

---------------------------------------------------------------
The views expressed here are my own and not necessarily the views of Portsmouth College