Markus Blog What's going on Internet?

20 Jan 2009

Squid Transparent Proxy Server on Windows Server 2003


In this article I’ll describe how to set up a transparent proxy on Windows Server 2003 using Squid NT, a port of the Linux-based Squid proxy server. I have successfully installed and configured a Squid transparent proxy on Windows Server, and here is how I did it.

Installing Squid NT is very easy: first download Squid NT here, then follow my earlier tutorial: http://markus.revti.com/2007/06/installing-squid-cache-for-windows/

Although installing Squid NT is easy, configuring a transparent proxy on the Windows version of Squid is a bit tricky, because Squid NT has a limitation. The Squid NT website states: “Transparent Proxy: missing Windows non commercial interception driver”.

My first thought was that there is no way to do port forwarding or port redirection on Windows Server the way it is done on a Linux server. On a Linux-based server you can use iptables to redirect a port with a command like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I’ve been looking for a way to redirect or forward a port on Windows Server 2003 for several days and was starting to get desperate, as there is not much information on this topic. At first I looked for port forwarding or port redirection in RRAS (Routing and Remote Access Service) but couldn’t find it. RRAS does have port forwarding, but it is not what is needed to build a transparent proxy.

Then I started looking for software that can do port forwarding and found that Softperfect Bandwidth Manager can do it. You can download Softperfect Bandwidth Manager here.

Step by step to configure transparent proxy using Softperfect Bandwidth Manager:

Let’s start by installing Squid NT; use my old tutorial here http://markus.revti.com/2007/06/installing-squid-cache-for-windows/ to guide you.

Then modify squid.conf to add the "transparent" keyword after the http_port option, so that it looks like this:

http_port 3128 transparent

Install Softperfect Bandwidth Manager

Create a port map; here you define Squid’s port on your server. Go to “Tools > Port Mapping”.

Softperfect Bandwidth Manager's Add Port Map

Click the New button to create a new mapping and fill it in as in the example below.

Softperfect Bandwidth Manager Adding New Port Map

After creating the port map, you need to create a new rule that redirects all HTTP requests destined for remote port 80 to port 3128. Click “Rules > Add Rule”. On the General tab fill in the fields with these values:

Direction: Both
Transfer Rate Limit: Unlimited
Protocol: TCP and UDP
Apply Rule on Interface: LAN

Softperfect Bandwidth Manager Rule General Tab

Important! You must select the interface (network card) that is connected to your local network (the one connecting the server to the client computers, NOT the one connected to the modem, etc.).

On Source tab set the values to these:

Source Address: Whole IP Address, and insert the IP range of your client PCs
Source Port: Any

Softperfect Bandwidth Manager Source Tab

On Destination tab set the values to these:

Destination Address: Any IP Address
Destination Port: Port List and then Add these ports: 80 (HTTP) and 443 (HTTPS)

Softperfect Bandwidth Manager Destination Tab

On the Advanced tab look for “Additional Processing”, tick “Process through the following mapping”, select the port mapping you created earlier and click OK.

Softperfect Bandwidth Manager Advanced Tab

Done; now all requests to ports 80 and 443 will be redirected to Squid NT. To check whether the transparent proxy works, visit http://whatismyipaddress.com/ and it should say “Proxy Server Detected!”
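The two halves of the setup above (the redirect rule, which is what the iptables REDIRECT line does on Linux, and the "transparent" keyword that lets Squid rebuild a URL from an intercepted request) modelled in Python. This is an added illustration, not code from Squid or Softperfect Bandwidth Manager; the client range 192.168.2.0/24 and the interface name "LAN" are assumed sample values.

```python
"""Model of the transparent-proxy path described in the post.

redirect_port()   models the Bandwidth Manager rule: on the LAN card only, for
                  clients in the configured range, destination 80/443 -> 3128.
intercepted_url() models what 'http_port 3128 transparent' enables: an
                  intercepted request arrives as 'GET /path HTTP/1.1' plus a
                  Host header (not the absolute URL an explicit proxy gets),
                  and the proxy must rebuild the URL from those two parts.
"""
import ipaddress
from typing import Optional

# Constructed sample values for this example (not from the post).
CLIENT_RANGE = ipaddress.ip_network("192.168.2.0/24")
REDIRECT_PORTS = {80, 443}      # the post's Destination Port list
SQUID_PORT = 3128


def redirect_port(iface: str, src_ip: str, dst_port: int) -> Optional[int]:
    """Return the port the connection is diverted to, or None if left alone."""
    if iface != "LAN":                         # never the modem-side NIC
        return None
    if ipaddress.ip_address(src_ip) not in CLIENT_RANGE:
        return None
    if dst_port not in REDIRECT_PORTS:         # e.g. FTP on 21 passes straight through
        return None
    return SQUID_PORT


def intercepted_url(raw_request: bytes) -> Optional[str]:
    """Rebuild the URL of an intercepted request; None models a 400 Invalid Request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                            # malformed request line
    _method, target, _version = parts
    if target.startswith("http://"):           # absolute form: explicit proxy client
        return target
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if not target.startswith("/") or not host:
        return None                            # origin form needs Host to be routable
    return f"http://{host}{target}"
```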

Download Squid NT and Softperfect Bandwidth Manager here
Comments (115) Trackbacks (7)
  1. correction:

    LAN NIC in the server
    ************************
    IP 172.16.0.250
    ***********************
    Mask 255.255.255.0
    Gw 172.16.0.1
    201.221.151.31 dns1
    201.221.151.32 dns2

  2. i think your setup is wrong:

    NIC MODEM: ip 192.168.1.3
    Mask 255.255.255.0
    Gw 192.168.1.1
    201.221.151.31 dns1
    201.221.151.32 dns2

    it seems that the server is behind a gateway; is your server connected directly to the modem and not behind the router?

    also:

    LAN NIC in the server
    ************************
    IP 172.16.0.250
    ***********************
    Mask 255.255.255.0
    Gw 172.16.0.1
    201.221.151.31 dns1
    201.221.151.32 dns2

    who owns this ip address: 172.16.0.1 ?

  3. btw, before you install squid, make sure your networking correct, means your clients can access the internet via the gateway.

    after that you can configure squid proxy to do caching and web filtering

  4. ok if my clients have access to the internet that’s fine but what I know is to follow your manual as a transparent proxy; I want to access an external ftp and I can not?

  5. so i don’t really get your question.

    the purpose of using web proxy is to have features such as web caching, meaning the static images / flash object are stored locally on your gateway server, hence the next time you open a web page it will load faster as the images / flash objects are downloaded from your local server (LAN access) instead of downloading it from the internet.

    second feature is to filter the websites your network user can access or not.

    the transparent setting is to make things easier, as you don’t need to setup one-by-one all the pc/laptop that is connected in your network.

    so.. to make this work, first you have to have correct networking, which apparently you don’t have. so first you have to fix the networking.

    anyway, why would you like to use a proxy server to access ftp? you can do this directly, and having a proxy server doesn’t give you a benefit if you want to use ftp, as the proxy server only does proxying for HTTP/S requests

  6. i think it should be like this:

    LAN NIC in the server
    ************************
    IP 172.16.0.1
    ***********************
    Mask 255.255.255.0
    Gw 172.16.0.1
    201.221.151.31 dns1
    201.221.151.32 dns2

  7. ok, look markus I think we confused, so my question better: I can go this way an external FTP server? because the question, I have my server windows nt 2003 with squid and it works very well, but now I must permit the release of a client to an external FTP server, a lock if they told me that leaving the squid in transparent mode I could do that , right?

  8. yes, you can access FTP sites using your browser; the default ACL configuration of squid allows FTP connections, see your squid.conf

    you’ll see: acl Safe_ports port 21 # ftp
    on line 613

    anyway, if you use an ftp client, then there should be no problem connecting to the ftp server as this type of connection doesn’t go through the proxy server. the transparent settings above only forward port 80 (HTTP) and port 443 (HTTPS)

  9. ok, thanks but not working, the line that says 613, but it does not work, I use mozilla ftp client, and all I can do for now is to connect that user out of the proxy, ie direct modemadsl

  10. have you tried FileZilla? http://filezilla-project.org/

    some ftp server require the username to be inserted to the URL such as:

    ftp://@ftp.hostname.tld

  11. Yes, I have already tried that, but my users can logon from filezilla, but connected directly to adslmodem

  12. squid doesn’t have anything to do with FTP connections from filezilla, so i guess there is something wrong with either your firewall or SBM settings.

    try to turn off/deactivate the settings on SBM while the squid is active and see if your clients can connect to FTP.

  13. I believe that could be nt2003, install squidnt a winsp3 and disable the firewall, I have no dhcp server, so I put the settings manually for each user and it works very well much access to internet, but my filezilla does not work, I’ve read Other post in English and Spanish and I think squidnt can not make ftp work to do as you say in your linux + iptables, you can do the test and go to an external ftp I say

  14. well, i had a windows server 2003 with squid proxy + SBM; all port 80 and port 443 traffic is forwarded to 3128 (squid port), there is no port 21 setting here so FTP should work, and it does work on my network.

    check your SBM settings, you should only forward port 80 and 443.

    a quote from my article above:
    Destination Port: Port List and then Add these ports: 80 (HTTP) and 443 (HTTPS)

  15. ok I will check everything again tomorrow and we here are the 05:30 pm and I quit my job thanks for your help so valuable

  16. when i try to access i have this error

    ERROR
    The requested URL could not be retrieved

    While trying to process the request:

    GET /firefox?client=firefox-a&rls=org.mozilla:en-US:official HTTP/1.1
    Host: en-us.start2.mozilla.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie: __utma=183859642.608353043.1251101208.1251101208.1251101208.1; __utmz=183859642.1251101208.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2549250D05010352-6000010E60007296[CE]
    Cache-Control: max-age=0

    The following error was encountered:

    * Invalid Request

    Some aspect of the HTTP Request is invalid. Possible problems:

    * Missing or unknown request method
    * Missing URL
    * Missing HTTP Identifier (HTTP/1.0)
    * Request is too large
    * Content-Length missing for POST or PUT requests
    * Illegal character in hostname; underscores are not allowed

    Your cache administrator is webmaster.
    Generated Sat, 29 Aug 2009 07:42:49 GMT by localhost (squid/2.7.STABLE5)

    when i set my browser proxy in 192.168.2.2:80 every thing work fine.

    access.log:
    1251531790.651 10 192.168.2.1 TCP_DENIED/400 2472 POST NONE:// - NONE/- text/html
    cache.log
    2009/08/29 12:11:07| clientTryParseRequest: FD 17 (192.168.2.1:1240) Invalid Request

    please help me

  17. Hey, i am running a adsl modem through a router at the moment, so I dont have a server. i have just installed a server 2003 and squid, but i have some progs on the other comps on the network which dont allow me to input a proxy. I want to run a transparent proxy however, do i need to take this computer and put it between the modem and the switchboard? it only has one NIC in it, so I am not sure how to go about this. Or can I just put the comp as another one on the network, and all the computers will go to that for the cacheing automatically?

    Thanks in anticipation.

    Alistair

  18. @Alistair

    you have to have 2 NICs on the Windows Server 2003, remove your router, then set up the Windows Server 2003 as the router/gateway for your network, then connect all the clients to your Windows Server 2003.

  19. Mamaj, make sure squid.conf looks like this

    http_port 3128 transparent

  20. does this tutorial work with windows xp?