Deployment & Network Diagram
The following diagram illustrates a typical network deployment for the CensorNet Professional proxy.
There are a number of ways the proxy server can be deployed to devices on the network:
- The proxy server address is configured in the web browser proxy settings explicitly, either manually or via Group Policy. This is best practice for domain-based devices.
- The proxy server address is configured in the web browser via Web Proxy Auto-Detection (WPAD) over DHCP or DNS. This is best practice for devices that roam in and out of the network, where you do not want the proxy settings to stay present when off-site. It is also useful if you wish to chain multiple proxy servers for simple failover.
- The proxy server address is configured (usually via DHCP) as the default gateway for the device joining the network, which forces transparent proxying. This is best practice for BYOD. Authentication can be achieved via the Captive Portal.
- A combination of all the above is also possible; the methods aren’t mutually exclusive.
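The WPAD option above works by having the browser download a proxy auto-config file (wpad.dat) and call its FindProxyForURL function for every request. The following is an added example, not taken from CensorNet documentation, showing how such a file can chain two proxies for failover while keeping intranet traffic direct. The proxy host names, port 8080 and the .corp.example suffix are constructed placeholders.

```javascript
// Added example: a wpad.dat / PAC file. Host names, port and domain suffix
// are constructed placeholders, not CensorNet defaults.
var PROXY_CHAIN = "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
var INTERNAL_SUFFIX = ".corp.example";

// True for literal loopback / RFC 1918 IPv4 addresses (no DNS lookup needed).
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Suffix match written without newer string methods, since PAC engines
// often run an old JavaScript dialect.
function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// Called by the browser for every request; returns the routing decision.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // A plain host name has no dot; the colon test keeps IPv6 literals
  // from being mistaken for one.
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  // Intranet targets stay off the proxy.
  if (plainName || endsWith(host, INTERNAL_SUFFIX) || isPrivateIPv4Literal(host)) {
    return "DIRECT";
  }
  // Everything else goes to the proxies, tried left to right.
  // No trailing "DIRECT": if both proxies are down the request fails
  // instead of leaving the network unfiltered.
  return PROXY_CHAIN;
}
```

Ending the chain with DIRECT would let browsers skip filtering whenever both proxies are unreachable, so the firewall rule in the best practice tips is what enforces the policy in either case.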
Out of the box, the proxy server is configured with a default policy and lightweight SSL filtering, so it is possible to “install and go”; however, most customers will want to fine-tune the policies and filter rules. The proxy server listens on all available network interfaces, so if you want to use one proxy server for multiple subnets or VLANs you can simply add additional virtual or physical NICs to the server. These will appear in the Network settings page.
Best practice tips
- Wherever possible, configure the browser proxy settings. This tells the browser it is using a proxy, which guarantees the best compatibility with web servers and web applications.
- Use your firewall to prevent proxy bypass by ensuring direct access to the Web (ports 80 and 443) is only available from the proxy server.
- For BYOD devices, always set their default gateway to be the proxy IP address. This is much easier than configuring proxy server settings on the device.