Ipads and Proxies, Trying to get an Ipad apps to work through a proxy. |
Jun 15 2012, 12:01 AM
Post #1
Atomican Primarch
Quick rundown of the situation :
I am now involved in administering an iPad rollout at a local school. There are currently 2 wireless APs in place; more will be rolled out as I work out optimal points of presence for the new APs. So the big issue is that the school sits behind at least one proxy, mainly to provide security and prevent liability when the students browse online. As part of using the internet the students are also educated in the dangers of the internet, but legally you can't let them out without some sort of filtering (unless you are an idiot). So the issue is that unless the app developer programs in proxy support, an Apple iPad application assumes a direct connection to the internet and will fail at the proxy/firewall. Port forwarding from the proxy is not an option, as the network and any devices under 2 years old are supported by the Education department. The principal has asked me to come on board since the iPads are also not supported by the department.

Access is handled at login on the Windows PCs (all XP at the moment) to the domain, so students log in with a classroom login and teachers have individual logins. Currently the only way that the iPads can have internet access is by defining the proxy server in the network settings, and using a login and password in the settings. This is problematic as the iPads are shared between classrooms and teachers, and it's unreasonable to expect students and teachers to manually change proxy logins each time. Also, if a teacher was the last to use the device and doesn't clear the login, it potentially allows students unfettered internet access. The other issue is that most of the apps want to use their own ports instead of port 80, so they fail at the proxy.

To the heart of the matter: I've got some knowledge of TCP/IP and networks, and I'm hoping a 2nd proxy under the direct supervision of myself and the school may be able to solve the problem. Specifically, the wireless devices on the network pass through a 2nd proxy and authenticate in a separate session that passes on details to the 1st proxy. All wireless network traffic comes to the 2nd proxy on their own ports, and passes through to the 1st proxy on port 80 and on to the internet. Coming back, obviously the reverse. The wired portion of the network would remain unaffected, and would operate as normal.

TL;DR: Can I use a 2nd proxy to avoid having to use proxy settings on a client device? Can this 2nd proxy force all network traffic to the first proxy on an allowable port?

Secondary considerations: the 2nd proxy will be running Linux on a repurposed machine. Would Squid be suitable for this, or would I need to look elsewhere for the solution?
Jun 20 2012, 08:10 PM
Post #2
Hero Guru
Squid will do the work you request.

It has been a while since I've done a setup similar to this, but if you can set up the Squid proxy as a transparent proxy you can probably do it. http://www.cyberciti.biz/tips/linux-setup-...quid-howto.html

I'm not completely over what you want to do. I'm a bit too tired today. Will maybe look again tomorrow when more awake. But have you also considered dual-tier protection, in the sense of also using OpenDNS as well as the proxy?

AD
--------------------
I can make my own woggle! Bet you can't woggle yours.
Jun 21 2012, 09:47 PM
Post #3
Atomican Primarch
My progress so far:

I've got ClearOS up and running, imagining I'd need to have a fancy, shmancy proxy going. As it turns out, a port scan of the proxy internally today found a gazillion and one ports open, more than enough to use iptables to redirect any ports that the iPad apps use that are not open on the proxy. My initial fear was that I was going to find 1-3 ports open, and then I'd be killing traditional services in favour of other services. I found a workaround using a program called sslh (a multiplexer), which allows you to send more than one service through the same port. My next step is to set up network analysis on an iPad IP address, launch the apps and check the ports it tries to use. Redirect those ports using iptables to open ones on the proxy and I should be golden. No way would I find it so easy on a corporate network, properly proxied and firewalled. My only concern now is going to be if there is another proxy further downstream that is further locked down; I'll wait till I'm there next to check.
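The "watch what ports the iPad tries, then redirect" step above, as an added example that is not from the thread or any poster: it counts the destination ports one iPad reaches for in a constructed flow log, emits iptables REDIRECT rules only for plain HTTP/HTTPS (which a transparent Squid on the second box can actually intercept), and lists every other port for a per-app decision instead of blindly redirecting it to an HTTP-only proxy port. The iPad address, the `wlan0` interface and the Squid intercept ports 3128/3129 are assumptions.

```python
"""Inventory an iPad's outbound ports and derive transparent-proxy redirects."""
from collections import Counter

# Constructed flow log from the Linux box, one "<src-ip> <dst-ip> <dst-port>" per flow.
SAMPLE_LOG = """\
10.1.20.15 17.172.224.47 5223
10.1.20.15 23.45.67.89 443
10.1.20.15 23.45.67.90 80
10.1.20.15 198.51.100.7 80
10.1.20.99 203.0.113.5 22
10.1.20.15 192.0.2.33 5228
garbage line
"""
IPAD_IP = "10.1.20.15"            # assumed address of the iPad under test
SQUID_HTTP_PORT = 3128            # assumes 'http_port 3128 intercept' in squid.conf
SQUID_HTTPS_PORT = 3129           # assumes 'https_port 3129 intercept' in squid.conf
INTERCEPTABLE = {80: SQUID_HTTP_PORT, 443: SQUID_HTTPS_PORT}


def app_ports(log, src_ip):
    """Count the destination ports one client tried to reach; skip malformed lines."""
    ports = Counter()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue
        if fields[0] == src_ip:
            ports[int(fields[2])] += 1
    return ports


def plan(ports):
    """Split observed ports into (iptables rules, ports that need a manual decision)."""
    rules, review = [], []
    for port in sorted(ports):
        if port in INTERCEPTABLE:
            # Only HTTP/HTTPS can be handed to Squid transparently; other protocols
            # would just be rejected by an HTTP proxy port, so they are not redirected.
            rules.append(
                f"iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport {port} "
                f"-j REDIRECT --to-ports {INTERCEPTABLE[port]}"
            )
        else:
            review.append(port)
    return rules, review


if __name__ == "__main__":
    rules, review = plan(app_ports(SAMPLE_LOG, IPAD_IP))
    print("\n".join(rules))
    print("not interceptable, decide per app:", review)
```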
Jun 26 2012, 07:52 PM
Post #4
Atomican Primarch
After a mostly fruitless day, a lesson is learned.

When your server needs to connect to the internet to get dependencies/packages so you can join your Linux box to the domain, but your Linux box needs to join the domain to connect to the internet, then make sure you have a backup plan. Make sure your backup plan doesn't involve a 3G modem that also needs packages/dependencies downloaded... from the internet.
Jun 27 2012, 12:06 PM
Post #5
Atomican Guru
3G modems are horrible things indeed.

--------------------
Resident KatyCat
Smartphone: HTC Trophy T8686 - WP 7.10.8107.79 (aka Mango updated)
Netbook: ASUS EEE PC 1015PN - Win7 Pro, Intel N550@1.5Ghz, 2GB RAM, 250GB WD SATA, nVidia ION2
Laptop: Win8 Home x64, Intel i5-430 @ 2.26Ghz, 4GB RAM, 240GB Corsair SSD, nVidia Geforce GT310 1GB
Work PC: Win7 Pro x86, Intel Q9550@2.83Ghz, 4GB RAM, 2 x 250GB SATA, nVidia Quadro FX1700, 600W PSU
Jun 27 2012, 10:04 PM
Post #6
Atomican Primarch
Yeah, it's a shit situation when it's the only way you can get internet in your Unabomber shed.