  #1  
Old April 9th, 2004, 09:41 AM
p_murugappan
How Proxy Works

I am a newbie in proxy server.
LAN setup - W2k server runs DHCP and around 15 clients.
All machines have access to internet (T1 line - router - firewall - hub). I am planning to install a proxy server on my w2k server and restrict access to internet by username and password. My understanding is although I install a proxy server clients will still be able to access the internet as before. How do I disconnect the internet connection from clients now and how do I force clients to use the proxy server authentication to connect to the internet?

I am planning to use a 3rd party proxy server. Is there anything which comes with Microsoft, or any recommendations?

  #2  
Old April 9th, 2004, 10:53 AM
edwinbrains
You need to install proxy server software, but you should only need to configure the clients and I don't think you'll need to configure proxy client software. The easiest way to make the clients use the proxy is to configure the Internet browser. If you're using AD, you can use Group Policy to do this for you (and prevent users changing settings). In Internet Explorer, you'll find the options under Tools, Internet Options, Connections, LAN Settings, Proxy Server. Enter the correct details here. As long as you have the details entered in here, Internet Explorer should try to get to the Internet using only the proxy server.

The only thing which comes with Windows is Internet Connection Sharing which is not a proxy server.
__________________
- Edwin -

  #3  
Old April 9th, 2004, 03:46 PM
juniperr
Actually the correct way (it's too easy to get around edwinbrains' way, no offense!) would be to block all outgoing internet traffic at the firewall except that which comes from the proxy server. (This also keeps viruses from sending directly out to the internet and eating bandwidth.) This way no one can just plug in and get out to the internet; only the proxy server can go out, and as such they would have to authenticate. A proxy server is actually a form of firewall that makes requests on behalf of its clients and therefore is more secure. How you set up the proxy server, i.e. transparent or regular, will determine how you configure IE. Also, some proxy servers may require a client to be installed for the authentication.

  #4  
Old April 9th, 2004, 03:56 PM
edwinbrains
Quote:
Originally Posted by juniperr
it's too easy to get around edwinbrains' way, no offense!


No offence taken

I suppose you are right though - anyone could just plug in a computer and by-pass it. Silly me

  #5  
Old April 12th, 2004, 01:11 PM
p_murugappan
Hello Guys
Thanks for the answer.
We have a Cisco PIX 501 firewall.
How do I block all outgoing traffic through the firewall except that from the proxy server IP?
Should I change something in the interfaces (inside / outside) section in the firewall?
Can you guys help me out?

regards
MP

  #6  
Old April 13th, 2004, 03:56 PM
juniperr
On the PIX enter:

config t
access-list INSIDEACL permit tcp 0.0.0.0 255.255.255.255 any eq http
access-list INSIDEACL permit udp 0.0.0.0 255.255.255.255 any eq domain

To allow the proxy to send anything out, leave off the eq http.

Then:

access-group INSIDEACL in interface inside
wr mem

Replace 0.0.0.0 with the IP address of your proxy server, but leave the mask all 255.255.255.255. This is not your network mask, and this is not a router; this actually tells the PIX to match all octets of the IP address. Also, when you create an ACL there is an explicit deny any any at the end, so you don't need to type it.

You will need to add ACLs for everything that goes out with this config. If you don't know what protocols are going out, then do this:

config t
access-list INSIDEACL permit tcp 0.0.0.0 255.255.255.255 any eq http
access-list INSIDEACL deny tcp any any eq http
access-list INSIDEACL permit ip any any
access-group INSIDEACL in interface inside

This will allow everything out except http from everyone except for the proxy. Must be done in that order.

Last edited by juniperr : April 13th, 2004 at 04:07 PM.
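
An added example, not part of juniperr's post or of any Cisco tooling: a small first-match model of the two rule sets in post #6, showing which outbound flows each one lets through. The addresses 192.168.1.10 (proxy) and 192.168.1.50 (client) are constructed, and http and DNS are assumed to mean TCP port 80 and UDP port 53.

```python
import ipaddress

PROXY = "192.168.1.10"   # constructed address standing in for the proxy server
CLIENT = "192.168.1.50"  # constructed address of an ordinary LAN client

# Each rule: (action, protocol, source, destination port or None for any port).
# Source "any" matches every address; protocol "ip" matches both tcp and udp.
STRICT = [                      # first rule set: only the proxy gets out
    ("permit", "tcp", PROXY, 80),
    ("permit", "udp", PROXY, 53),
]
HTTP_ONLY = [                   # second rule set: only http is forced via proxy
    ("permit", "tcp", PROXY, 80),
    ("deny", "tcp", "any", 80),
    ("permit", "ip", "any", None),
]

def evaluate(acl, proto, src, dport):
    """Return 'permit' or 'deny' for one outbound flow; the first match wins."""
    src_ip = ipaddress.ip_address(src)
    for action, r_proto, r_src, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if r_src != "any" and ipaddress.ip_address(r_src) != src_ip:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"  # nothing matched: the deny any any that ends every ACL

# Constructed sample flows: (name, protocol, source, destination port).
FLOWS = [
    ("proxy http", "tcp", PROXY, 80),
    ("proxy dns", "udp", PROXY, 53),
    ("proxy https", "tcp", PROXY, 443),
    ("client http", "tcp", CLIENT, 80),
    ("client https", "tcp", CLIENT, 443),
    ("client smtp", "tcp", CLIENT, 25),
]

def report(acl):
    """Map each sample flow name to the ACL's decision."""
    return {name: evaluate(acl, p, s, d) for name, p, s, d in FLOWS}

if __name__ == "__main__":
    for label, acl in (("strict", STRICT), ("http-only", HTTP_ONLY)):
        print(label, report(acl))
```

With the first rule set every client flow is denied and the proxy itself still needs a permit for each further protocol, such as port 443. With the second, only port-80 traffic is forced through the proxy, and client flows on other ports are still permitted.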
