Say you're in a Windows environment and your users already authenticate to the DC, what are the benefits to authenticating to a proxy like Squid?

I've heard that malware that needs to go through the proxy would fail because it wouldn't know that password. How exactly does that work? Do you have to authenticate every time you use your web browser?

The are many reasons that you could/would want to use proxy authentication.

1. Make sure that all users are tracked. If the _have_ to authenticate to the proxy then they will surely be accounted for and logged.

2. Stop random users from just connecting to the network and using it as a open proxy.

3. create different access policies based on windows user groups.


There are a few different ways to setup proxy authentication. The best way for windows would prob. be transparent user auth.

When you set the proxy in IE or FireFox and go to a web site it will pass that information to the proxy. The proxy is configured for auth. so it will then send a request to the PC and ask for its domain user credentials. Once it does that it will then go and proxy the site for you.

Malware is a whole different issue. Malware will Phone-Home on random ports not 80 or 443.

If this is for a house thats fine but if it is for a company and you want more information on commerical proxies let me know and i can provide lots of information. I just finished R&D on the top 8 rated commerical web proxies.

Thanks slimm609. I don't have any plans on implementing authentication on a proxy, just curious as to the benefits of it, which you did a good job answering. :-)

There are a lot of benefits for logging purposes and things like setting delayed pools to allow specified users more or less bandwidth with delay pools etc.

remember a couple things

authenticating users will normally add latency so check how your proxy performs with a control group before you fully implement it.

most windows spyware is going to use your IE configurations and IE engine meaning it will most likely authenticate anyway.

with transparent proxy authentication spyware will try and use the proxy but 99% of the time it will fail because the when you connnect to a proxy with transparent auth. the proxy sends a reply to the host asking for credentials. I have yet to see spyware that knows how to handle the authentication request. even more so if the credentials are from a domain. I dont doubt that there will be some but right now i am yet to see any spayware that does.