Convert from Microsoft TMG to Squidguard

2013/01/07

A little over a year ago, we switched from Websense to Microsoft’s Forefront Threat Management Gateway (TMG) for web filtering. The switch happened when our Websense renewal came up. Since Websense wanted $16,000/year and TMG came free with our Microsoft Enterprise Agreement (EA), it seemed like a logical decision to make. Unfortunately, our EA expires at the end of the year and Microsoft has decided to drop its TMG product.  What to do?

I used Squidguard at my prior company and it was a fairly easy system to manage. However, my old company was a Linux shop and my current environment is heavily Microsoft-leaning. Having just finished a painful Microsoft true-up process, I’d like to avoid adding new Microsoft servers to our environment. But, can a rogue Linux server be implemented in this environment without wreaking havoc on our team? We decided to give it a try.

Here are the step-by-step instructions we followed to get SquidGuard up and running:

  1. Obviously, you need a Linux server. I’ll assume you already have this covered. If you need help, there are plenty of folks on the Internet who have already documented this. Install Squid and Squidguard using whatever your Linux version supports (our Linux version is CentOS and we used yum).
  2. Update your squidguard.conf file properly. This is fairly straightforward and you can find guidance online; here is a quick list of items you’ll need to change to match your environment:
    • dbhome – this is the path to the squidguard blacklist/whitelist directories. We used /var/lib/squidguard
    • Create your src groups and change the IP addresses to reflect your network environment(s). Note: you can list multiple networks on one line, separated by whitespace:

      src lan-clients {
          ip  10.0.16.0/22 10.0.20.0/22 10.0.24.0/22 10.0.28.0/22 10.0.36.0/22 172.20.16.0/21 192.168.200.0/24 192.168.12.0/24
      }

    • Set up your destination statements – these appear as, ‘dest good’, ‘dest porn’ etc. You should have a section for each whitelist/blacklist you wish to establish rules around.
    • Establish your redirect page – this is the web page that is displayed when a user attempts to visit a page that is blocked.
    • Access Control Lists (ACLs) are the rules that are applied. An example default rule looks like this:

      pass good !porn !gamble all

      This says to allow sites found in the ‘good’ list, but NOT to allow porn and gamble sites. The ‘all’ at the end means anything not matched earlier defaults to allow. If you change it to ‘none’, then all sites not found in ‘good’ will be denied. Porn and gamble sites are denied either way, due to the “!”.

    • Make sure your squidguard database home directory and everything under it are owned by your squid user (chown -R squid:squid /path/to/squidguard/blacklists)
    • Build the squidguard database with this command: ‘/path/to/squidguard -C all’
      • Note: This may take a while to complete, but you should see output along the way. If this process hangs (sits for over an hour without any progress), check the squidGuard.log file (tail /path/to/squidGuard.log) to see if you have any errors in your config file. If so, cancel the db build command with Ctrl-C, fix the config file, and try again.
    • Change squid to use squidguard by adding this line to your squid.conf file (replace /usr/local with your correct path):

      url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf

    • Restart squid: ‘/etc/rc.d/init.d/squid restart’   OR   ‘service squid restart’
    • Make sure httpd is running (‘service httpd status’) and test your redirect page, or put a redirect page on the web server you plan to send redirects to.
    • Test through a browser by changing the proxy settings. I use Firefox for this, because it’s the only browser that Windows domain policy doesn’t overwrite in our environment. In Firefox, go into options, advanced, network, settings (configure how Firefox connects to the Internet). Select “manual proxy configuration” and indicate the IP address and port (typically 3128).
    • Look at one of the blacklists your squidguard.conf is checking, select a URL and give it a try. If all is correct, you should be presented with the redirect page. Try an allowed site as well, to make sure you aren’t redirecting everything.

[Image: Lame squidguard Redirect Page – customization TBC]

At this point, you have basic squidguard running, but your blacklists are not updated. You’ll need to implement some sort of subscription service to get regular blacklist updates. Shallalist.de is a FREE service that can be used to update your blacklists. You can download a sample script here: http://www.shallalist.de/helpers.html. There are other blacklists available as well – see: http://www.squidguard.org/blacklists.html for a list.

Here are basic instructions for using the Shallalist blacklists:

After downloading the script, be sure to change it to match your configuration. Test by running it manually from the command line. I found a discrepancy between the blacklist folder name ‘gambling’ that comes with the default squidguard config and the shallalist ‘gamble’ directory. This caused the script to die. To fix the problem, I simply removed ‘gambling’ and created a ‘gamble’ folder. Don’t forget to change all references of ‘gambling’ with ‘gamble’ in the squidguard.conf file AND make sure the directories and files you create are owned by your squid user.
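The folder-name mismatch above, and the ownership requirement from the setup steps, are both cheap to check before kicking off a long database build. The script below is an added example, not part of the original post or of squidGuard: it reads dbhome and every domainlist/urllist/expressionlist from a squidGuard.conf and reports lists that are missing or not owned by the expected user. It assumes GNU stat (as on CentOS); the fixture it builds is constructed to reproduce the ‘gambling’ vs ‘gamble’ problem.

```shell
#!/bin/bash
# Pre-flight check for squidGuard.conf before "squidGuard -C all": every
# domainlist/urllist/expressionlist named in a dest block must exist under
# dbhome and be owned by the squid user. A stale name such as 'gambling' in
# the config vs the Shallalist 'gamble' directory is reported here instead of
# surfacing as a hung database build or a dying update script.
# Added example, not from the original post. Assumes GNU stat (as on CentOS).

# sg_check_lists CONF OWNER: prints one problem per line, returns the count.
sg_check_lists() {
    local conf="$1" owner="$2" problems=0 dbhome rel path have
    # dbhome prefixes relative list paths; comments are stripped first
    dbhome=$(sed 's/#.*//' "$conf" | awk '$1=="dbhome"{print $2; exit}')
    [ -n "$dbhome" ] || { echo "no dbhome directive in $conf"; return 1; }
    for rel in $(sed 's/#.*//' "$conf" | awk '{for(i=1;i<NF;i++)
          if($i=="domainlist"||$i=="urllist"||$i=="expressionlist") print $(i+1)}'); do
        case "$rel" in /*) path="$rel" ;; *) path="$dbhome/$rel" ;; esac
        if [ ! -f "$path" ]; then
            echo "missing: $path"; problems=$((problems + 1)); continue
        fi
        have=$(stat -c %U "$path")
        if [ "$have" != "$owner" ]; then
            echo "owned by $have, want $owner: $path"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed fixture: the Shallalist download created 'gamble' but the config
# still says 'gambling', the mismatch described in the post.
sg_demo() {
    local work; work=$(mktemp -d)
    mkdir -p "$work/db/good" "$work/db/porn" "$work/db/gamble"
    echo "example.com" > "$work/db/good/domains"
    echo "bad.example" > "$work/db/porn/domains"
    echo "bet.example" > "$work/db/gamble/domains"
    cat > "$work/squidGuard.conf" <<EOF
dbhome $work/db
dest good { domainlist good/domains }   # one-line dest blocks are handled too
dest porn { domainlist porn/domains }
dest gambling { domainlist gambling/domains }
acl { default { pass good !porn !gambling all } }
EOF
    # Expected owner is whoever runs the demo; on the proxy itself pass "squid".
    sg_check_lists "$work/squidGuard.conf" "$(id -un)"
}

if sg_demo; then echo "config consistent"; else echo "fix the problems above before building"; fi
```

On a real proxy, run sg_check_lists against your squidGuard.conf with "squid" as the owner after each Shallalist update; a non-zero return means the build or the update script will trip over the listed paths.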

After your script is tested and no bugs exist, you can add it to your crontab to run on a fixed schedule. I set mine to run nightly at midnight, with the following crontab entry:

0 0 * * * /usr/local/bin/shalla_update.sh

Additional refinements:

  • Create a php-based redirect page to include the variables supported by squidguard. These are the variables available to pass to your redirect page:
    • %a = client_address
    • %n = client_name
    • %i = client_user
    • %s = client_group
    • %t = target_group
    • %u = client_url
  • Here is a sample php file that uses 4 of the variables:
<html>
<head>
<meta http-equiv="Expires" content="0"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Website Forbidden</title>
</head>
<body>
<p><br><br><br></p>
<table border=0 width=100% bgcolor=#FF0000 height=1>
<tr><td>&nbsp;</td></tr>
</table>
<p align=center><font size=5>Website has been blocked by our web filter.</font></p>
<table border=0 width=100% bgcolor=#FF0000 height=1>
<tr><td>&nbsp;</td></tr>
</table>
<?php
// The query parameters come from squidGuard's redirect line, but the URL value is
// whatever the client requested, so escape everything before echoing it back or
// the block page itself becomes a reflected XSS vector. Absent parameters become ''.
// param() is a small helper added here, not something squidGuard provides.
function param($key) {
    return htmlspecialchars(isset($_GET[$key]) ? $_GET[$key] : '', ENT_QUOTES, 'ISO-8859-1');
}
$name = param('clientname');
$ipaddr = param('clientaddr');
$user = param('clientuser');
$group = param('clientgroup');
$category = param('targetgroup');
$url = param('url');
echo "<p align=center><font size=4>Client IP: $ipaddr<br>";
echo "Group: $group <br>";
echo "Category: $category <br>";
echo "URL: $url </font></p>";
?>
<p align=center><a href="https://TicketingSystem_to_submit_whitelist_requests" style="text-decoration:none; font-stretch:wider">
<font style="font-weight:900; font-size:125%" face="Arial, Helvetica, Geneva, Swiss, SunSans-Regular, sans-serif" size="4">Please click here to submit a Ticket if you wish this site to be whitelisted.</font></a>
</p>
<p align=center><font style="font-size:medium">If you have a business need that requires access to this site, please click the link above to submit a ticket. IT can whitelist this site based on the information provided. Please include the information listed above.</font></p>
</body>
</html>
  • This shows how you can redirect to this page in your squidguard.conf file (one line):

    redirect http://squidserver/squidguardRedirect.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u

Good luck and post comments if you have any tips to share!

4 thoughts on “Convert from Microsoft TMG to Squidguard”

  1. schaeffer

    Are you flowing traffic directly through the squidguard box or is it attached to a mirrored switch port? I am thinking there is some type of WCCP option in ASA firewalls as well but not sure if SQ supports that or not… I have been looking at implementing some things like this but the fail closed nature of an inline proxy has been fairly unappealing so far.

    1. lhomsher Post author

      Nice to hear from you! We’re sending the traffic directly through the squidguard box. Failing closed can be a disadvantage, but you can create multiple squid proxies with failover to minimize the risk.

