Clients behind a corporate firewall and Squid as HTTP proxy

Hi!

I have a scenario where Windows workstations (FS Client Security 12 Premium) are in a network where everything is blocked in a corporate firewall. Not even DNS is allowed. Only port 3210 is open to a single proxy server on a separate DMZ network. That proxy server is allowed to connect to F-S Policy Manager 12 via the Internet. Also the https method CONNECT for port 443 is allowed in the Squid conf.

The client workstations should not have any network connections anywhere unless necessary.

The proxy server's IP is configured manually in each F-Secure Client Security's Proxy configuration.

The problem is that even though the clients get all the virus database updates via the proxy server, the clients don't show up in Policy Manager Console. This might be related to the fact that communication to PM Server 12 now uses https (port 443).

What ports are necessary to open for communication between clients and Policy Manager Server? Should this even work?

Squid 3.3.8 on CentOS 7.1 (listening port 3210)

F-S Policy Manager 12.10.76372

Best Answer

  • VadVad Posts: 1,051 F-Secure Employee
    Accepted Answer

    Hello Johny543,

    If you have PM 12.10 and CS 12.10, they can only communicate using the https protocol (default port is 443).

    So, the only way to get the clients visible in PMC is to provide a possibility of such communication.

    Best regards,

    Vad

Comments

  • Thanks for the fast reply!

    Should it be enough to allow https from CS to PM (port 443) or does the firewall need to be open both ways?

    Does anyone know how to accomplish this via Squid? All traffic should go through the proxy.

    It's easy to configure the F-S client to use an HTTP proxy but I have no idea how to tell the client to use a proxy also for the PM connection.
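As an added illustration of the Squid side of the setup described in the question and asked about in the comment above (this is example configuration written here, not from the thread, F-Secure or the Squid project), the fragment below listens on the one port the corporate firewall permits and allows only two things from the workstation subnet: a CONNECT tunnel to port 443 on the Policy Manager Server, which is the https channel PM 12.10 and CS 12.10 use, and plain http to that same server for database updates. The hostname `pm.example.invalid` and the subnet `10.10.0.0/24` are placeholders chosen for the example; substitute the real PM server name and client range.

```squid
# Added example squid.conf fragment (Squid 3.3 syntax, as named in the question).
# Assumptions: pm.example.invalid is the Policy Manager Server (placeholder name),
# 10.10.0.0/24 is the workstation subnet (placeholder range).

http_port 3210                         # the only port the corporate firewall lets clients reach

acl cs_clients src 10.10.0.0/24        # workstations running Client Security
acl pm_server dstdomain pm.example.invalid
acl pm_https port 443                  # PM 12.10 and CS 12.10 talk https only
acl CONNECT method CONNECT

# Allow the TLS tunnel to the PM server only; refuse CONNECT to any other destination.
http_access allow cs_clients CONNECT pm_server pm_https
http_access deny CONNECT

# Plain http to the PM server (virus database updates) from the client subnet.
http_access allow cs_clients pm_server

# Everything else is refused, which keeps the workstations from reaching anything
# beyond the PM server through the proxy.
http_access deny all
```

Because the workstations have no DNS, they must address the proxy by IP (as the question already does), while the name in `dstdomain` is resolved by the proxy host itself, which therefore needs working DNS in the DMZ. A quick check from a workstation is `curl -x http://<proxy-ip>:3210 https://pm.example.invalid/`, which succeeds only if the CONNECT rule matches; any other https destination should be answered with a Squid "access denied" page, and both outcomes are visible in Squid's access.log.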

  • VadVad Posts: 1,051 F-Secure Employee

    > Should it be enough to allow https from CS to PM (port 443) or does the firewall need to be open both ways?

    Both ways.

    Best regards,

    Vad
