Comment: Migrated to Confluence 5.3

Some of our systems have extra "security needs" and are not allowed to initiate outgoing connections by default. IP ACLs restrict them so that they can only reach the services they need (SMTP gateway, DNS resolvers, NTP etc).

Because those hosts do need access to a few web sites (mostly for software updates), we run a proxy server that allows them to reach only those domains.

...

It supports both IPv4 and IPv6. Pick one of the following Listen directives:

Code Block
# This will accept connections on IPv6, but also on IPv4 (IPv4-mapped IPv6 addresses are used,
# so an IPv4 client shows up in the log like this):
#   CONNECT   Jan 04 15:29:13 [23566]: Connect (file descriptor 6): host.terena.org [::ffff:192.87.30.2]
Listen ::

# This will listen on IPv4 only
Listen 0.0.0.0

# This will listen only on the specified IPv6 address. Not nice, but workable.
Listen 2001:610:148:dead::666

Note that "Listen ::" only accepts IPv4 clients when the kernel runs the socket dual-stack (on Linux: net.ipv6.bindv6only = 0, which is the default); with bindv6only = 1 it becomes IPv6-only. Whichever you choose, the IP ACLs on the protected hosts must allow the proxy's address (and port) as one of the permitted services.

Whitelist

I configured tinyproxy to block everything except a list of domains, using this configuration:

...

  • s-microsoft.com as well, as this is used a lot in updates.
  • msftncsi.com is a web site used by the Network Connectivity Status Indicator, Windows' network awareness tool (see http://blog.superuser.com/2011/05/16/windows-7-network-awareness/).
  • Don't forget that systems might access CRLs or OCSP responders, which are hosted on thawte.com and public-trust.com (and, for the certificates we use, on verisign.com, usertrust.com, ocsp.comodoca.com, crl.globalsign.net and the TERENA TCS responders).
Thus my whitelist looks like this:
Code Block
^(.*\.|)microsoftupdate\.com$
^(.*\.|)(s-)?microsoft\.com$
^(.*\.|)msftncsi\.com$
^(.*\.|)windowsupdate\.com$
^(ocsp|crt)\.tcs\.terena\.org$
^(.*\.|)public-trust\.com$
^(.*\.|)thawte\.com$
^(.*\.|)verisign\.com$
^(.*\.|)usertrust\.com$
^ocsp\.comodoca\.com$
^crl\.globalsign\.net$
^(.*\.|)secunia\.com$
^(.*\.|)vmware\.com$
^(api|dellincca|downloads|ftp|www)\.dell\.com$
^www\.adobe\.com$
^update\.exactsoftware\.com$

This is only the initial list. By monitoring the log files (tinyproxy logs every domain it refuses) you can adjust the list. It is an iterative process, and it takes a while to establish a list that is 'right'. Keep every entry anchored with ^ and $ as above: the optional "(.*\.|)" prefix admits subdomains, but an unanchored "microsoft\.com" would also admit microsoft.com.attacker.example or notmicrosoft.com.
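As an added example (not part of the original page or of tinyproxy), the following Python script does the two things the iterative process needs: it checks that the whitelist above admits the hosts it should and none of the lookalike names, and it mines tinyproxy's log for the refused domains that are the candidates for the next round. It assumes tinyproxy's Filter semantics with FilterDefaultDeny Yes, FilterURLs Off and FilterCaseSensitive Off (so the patterns are matched case-insensitively against the host name only), and it assumes the tinyproxy 1.8 log message "Proxying refused on filtered domain "<host>"". The log lines other than the CONNECT line quoted on this page are constructed.

```python
"""Check the tinyproxy whitelist and mine the log for the next iteration (added example)."""
import re
from collections import Counter

# The Filter entries from the page, one anchored regex per host name. Assumption:
# FilterDefaultDeny Yes, FilterURLs Off, FilterCaseSensitive Off in tinyproxy.conf.
WHITELIST = [
    r"^(.*\.|)microsoftupdate\.com$",
    r"^(.*\.|)(s-)?microsoft\.com$",
    r"^(.*\.|)msftncsi\.com$",
    r"^(.*\.|)windowsupdate\.com$",
    r"^(ocsp|crt)\.tcs\.terena\.org$",
    r"^(.*\.|)public-trust\.com$",
    r"^(.*\.|)thawte\.com$",
    r"^(.*\.|)verisign\.com$",
    r"^(.*\.|)usertrust\.com$",
    r"^ocsp\.comodoca\.com$",
    r"^crl\.globalsign\.net$",
    r"^(.*\.|)secunia\.com$",
    r"^(.*\.|)vmware\.com$",
    r"^(api|dellincca|downloads|ftp|www)\.dell\.com$",
    r"^www\.adobe\.com$",
    r"^update\.exactsoftware\.com$",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in WHITELIST]


def is_allowed(host):
    """Does any whitelist entry match this host? The same test tinyproxy applies."""
    host = host.strip().rstrip(".")
    return any(p.match(host) for p in _COMPILED)


# Lookalike names a sloppy (unanchored or prefix-less) pattern would let through.
# Constructed for the check; none of them should be admitted.
LOOKALIKES = [
    "microsoft.com.attacker.example",
    "notmicrosoft.com",
    "windowsupdate.com.attacker.example",
    "xvmware.com",
    "evil.dell.com",
]


def lookalikes_admitted(names=LOOKALIKES):
    """Return the lookalike names the list wrongly admits; an empty list is the goal."""
    return [n for n in names if is_allowed(n)]


# Assumed tinyproxy 1.8 message for a request that hit the default deny.
_REFUSED = re.compile(r'Proxying refused on filtered (?:domain|url) "([^"]+)"')


def refused_hosts(log_lines):
    """Hosts the proxy refused, most frequent first: candidates to review for the list."""
    counts = Counter()
    for line in log_lines:
        m = _REFUSED.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts.most_common()


def exact_entry(host):
    """A Filter line admitting exactly this host, not every name that contains it."""
    return "^" + re.escape(host.lower()) + "$"


def entry_admits(entry, host):
    """Would a single Filter line (as written by exact_entry) admit this host?"""
    return re.match(entry, host, re.IGNORECASE) is not None


# Constructed sample log; only the first line is the one quoted on the page.
SAMPLE_LOG = """\
CONNECT   Jan 04 15:29:13 [23566]: Connect (file descriptor 6): host.terena.org [::ffff:192.87.30.2]
CONNECT   Jan 04 15:29:13 [23566]: Request (file descriptor 6): CONNECT download.windowsupdate.com:443 HTTP/1.1
NOTICE    Jan 04 15:30:02 [23567]: Proxying refused on filtered domain "download.example-vendor.net"
NOTICE    Jan 04 15:31:40 [23568]: Proxying refused on filtered domain "telemetry.example-vendor.net"
NOTICE    Jan 04 15:32:11 [23569]: Proxying refused on filtered domain "download.example-vendor.net"
""".splitlines()

if __name__ == "__main__":
    for h in ["download.windowsupdate.com", "www.msftncsi.com", "adobe.com"]:
        print(f"{h}: {'allowed' if is_allowed(h) else 'refused'}")
    print("lookalikes admitted:", lookalikes_admitted())
    for host, n in refused_hosts(SAMPLE_LOG):
        print(f"{n:3d}x {host}  ->  candidate entry: {exact_entry(host)}")
```

Run it against the real log (for example `refused_hosts(open("/var/log/tinyproxy/tinyproxy.log"))`) after each round, add only the refused hosts you can explain, and prefer the exact entry over a new "(.*\.|)" wildcard unless you know the vendor spreads updates over many subdomains.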

...

Code Block
C:\Users\Administrator>netsh winhttp set proxy proxy6.terena.org:8888 "<local>"
Current WinHTTP proxy settings:
    Proxy Server(s) :  proxy6.terena.org:8888
    Bypass List     :  (none)

...