Web Proxy

Service Requirements and Dependencies

Text

Service Overview

../_images/anms_webproxy.png

Kerberos Realm Trust - ANMS.LOCAL

Open Server Manager and select Tools –> Active Directory Domains and Trusts. Once there, select the Trusts tab and then New Trust to launch the wizard:

../_images/realm_trust_1.png

Type the target domain for this trust, anms.local:

../_images/realm_trust_2.png

Select Realm Trust:

../_images/realm_trust_3.png

This trust will be Nontransitive:

../_images/realm_trust_4.png

Select One-way: Incoming for the direction of this trust:

../_images/realm_trust_5.png

All trusts need to be confirmed by a Trust Password. This password will be communicated by ANMS:

../_images/realm_trust_6.png

Verify trust configuration:

../_images/realm_trust_7.png

Confirm realm trust and complete configuration:

../_images/realm_trust_8.png

Once the realm trust has been configured, open its properties and enable “AES Encryption”:

../_images/realm_trust_9.png

Kerberos Realm Trust - Group Policy

Open Server Manager and select Tools –> Group Policy Management. Edit the desired domain policy:

../_images/domain_gpo_1.png

Text

../_images/domain_gpo_2.png

Text

../_images/domain_gpo_3.png

Text

../_images/domain_gpo_4.png

Text

../_images/domain_gpo_5.png

Text

../_images/domain_gpo_6.png

Text

../_images/domain_gpo_7.png

Proxy PAC File

Text

function FindProxyForURL(url, host)
{
    // Send traffic to the ANMS web proxy; the trailing DIRECT lets the client
    // connect directly if the proxy does not respond.
    var proxy = "PROXY webproxy.mycompany.anms.local:8080; DIRECT";
    var direct = "DIRECT";

    // No proxy for private IP Addresses:
    if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0"))
    {
        return direct;
    }
    // No proxy for non-routable addresses (RFC 3330):
    else if (isInNet(host, "0.0.0.0", "255.0.0.0") ||
             isInNet(host, "127.0.0.0", "255.0.0.0") ||
             isInNet(host, "169.254.0.0", "255.255.0.0") ||
             isInNet(host, "192.0.2.0", "255.255.255.0") ||
             isInNet(host, "192.88.99.0", "255.255.255.0") ||
             isInNet(host, "198.18.0.0", "255.254.0.0") ||
             isInNet(host, "224.0.0.0", "240.0.0.0") ||
             isInNet(host, "240.0.0.0", "240.0.0.0"))
    {
        return direct;
    }
    // Proxy HTTP, HTTPS only:
    else if (url.substring(0, 5) == "http:")
    {
        return proxy;
    }
    else if (url.substring(0, 6) == "https:")
    {
        return proxy;
    }
    // Any other scheme bypasses the proxy:
    else
    {
        return direct;
    }
}
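One way to check offline which destinations the PAC logic above sends to the proxy and which bypass it, as an added example that is not part of the original page. `PAC_SOURCE` restates the page's networks as a table; `ipToInt`, `evalPac`, the `DNS` table and its hostnames are constructed for illustration, and the stub `isInNet` assumes a hostname is resolved on every call with no caching.

```javascript
// Constructed stand-in for the page's PAC file: same networks and return values,
// written as a table so the whole harness fits in one block.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  var proxy = "PROXY webproxy.mycompany.anms.local:8080; DIRECT";
  var nets = [["10.0.0.0", "255.0.0.0"], ["172.16.0.0", "255.240.0.0"],
    ["192.168.0.0", "255.255.0.0"], ["0.0.0.0", "255.0.0.0"],
    ["127.0.0.0", "255.0.0.0"], ["169.254.0.0", "255.255.0.0"],
    ["192.0.2.0", "255.255.255.0"], ["192.88.99.0", "255.255.255.0"],
    ["198.18.0.0", "255.254.0.0"], ["224.0.0.0", "240.0.0.0"],
    ["240.0.0.0", "240.0.0.0"]];
  for (var i = 0; i < nets.length; i++)
    if (isInNet(host, nets[i][0], nets[i][1])) return "DIRECT";
  if (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:") return proxy;
  return "DIRECT";
}`;

// Dotted-quad IPv4 literal -> unsigned 32-bit integer, or null if not a literal.
function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Run a PAC source for one URL against a constructed DNS table (name -> IPv4).
// Returns the PAC answer plus how many name resolutions isInNet() performed.
function evalPac(source, dnsTable, url) {
  let lookups = 0;
  const isInNet = (host, pattern, mask) => {
    let ip = ipToInt(host);
    if (ip === null) { // hostname: resolved on every isInNet call (assumed, no cache)
      lookups++;
      ip = ipToInt(dnsTable[host] || "");
      if (ip === null) return false; // unresolvable name matches no network
    }
    const m = ipToInt(mask);
    return ((ip & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
  };
  const find = new Function("isInNet", source + "\nreturn FindProxyForURL;")(isInNet);
  return { result: find(url, new URL(url).hostname), lookups };
}

// Constructed sample data (hypothetical names and addresses).
const DNS = { "intranet.mycompany.example": "10.1.2.3", "www.example.com": "203.0.113.10" };
for (const u of ["https://www.example.com/", "http://intranet.mycompany.example/",
  "http://192.168.1.10/", "ftp://www.example.com/f"]) console.log(u, evalPac(PAC_SOURCE, DNS, u));
```

A public hostname costs eleven resolutions before it reaches the proxy rule, and any name that resolves into a listed network is returned as DIRECT, so its traffic never appears in the proxy access logs.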

Firewall Rules

Source             Destination            Protocol     Port  Direction
All Proxy Clients  ANMS Proxy PAC Server  TCP (HTTP)   80    Outbound
All Proxy Clients  ANMS Web Proxy Server  TCP          8080  Outbound
All Proxy Clients  ANMS Kerberos KDC      TCP and UDP  88    Outbound
ANMS Kerberos KDC  Your Windows DC        TCP and UDP  389   Inbound
ANMS Kerberos KDC  Your Windows DC        TCP          445   Inbound

Centralised Log Management

../_images/webproxy_syslog_view.png

../_images/webproxy_syslog_stream.png

Customer Portal

../_images/webproxy_summary.png

../_images/webproxy_summary2.png

../_images/webproxy_access_logs.png