Assumptions and prerequisites
This article describes integration of Squid proxy with Active Directory using Negotiate/Kerberos, Negotiate/NTLM and Basic/LDAP authentication protocols. These three authentication methods are used at most in Active Directory deployments. Please note Negotiate/NTLM authentication on Squid is done WITHOUT Samba and DOES NOT require you to join Squid proxy box to the domain thus greatly simplifying the deployment process.
It is assumed you already have your domain up and running within your network with the following parameters:
- The name of your domain is example.lan.
- Your gateway IP address is 192.168.1.1, netmask 255.255.255.0, its fully qualified domain name is gtw.example.lan.
- Your first (primary) domain controller runs Microsoft Windows Server 2012 R2. Its fully qualified domain name is dc1.example.lan and IP address is 192.168.1.2, netmask 255.255.255.0. This domain controller also has DHCP and DNS server roles installed.
- Your second (backup) domain controller runs Microsoft Windows Server 2012 R2. Its fully qualified domain name is dc2.example.lan and IP address is 192.168.1.3, netmask 255.255.255.0.
- Devices within your network get their IP addresses assigned by DHCP server and DNS settings by DNS server running on your primary domain controller.
It is also assumed you would like to provide Single-Sign-On browsing experience to all members of your domain with possible fallback to explicitly entered username/password for the devices which cannot be joined to the domain (like some Apple devices and non domain joined machines).
You would like to enforce certain web filtering on your users with potentially different levels of web filtering strictness for different groups of users during different times of day.
In order to achieve all these goals we will set up Squid proxy server, integrate it into Active Directory and use Active Directory aware ICAP web filtering server Web Safety.
All examples are given assuming you run Ubuntu 16 LTS based virtual appliance from https://www.diladele.com/virtual_appliance.html. If you have built the proxy box yourself please adjust the examples accordingly.