Transparent redirection to squid proxy server on the cloud

squid transparent-proxy

We have a squid proxy on the cloud with IP Address 50.x.y.z listening on tcp port 3128 and running in transparent mode. This proxy server is running Debian 6.0 and is located at a data center.

In our office we have a Cisco router with Public IP 203.x.y.z/29 and private IP 192.168.1.1/24. The Local LAN network is 192.168.1.0/24. I have allowed the public IP 203.x.y.z/29 in the squid.conf file and hence the LAN users can browse internet using this squid proxy.
I would like to know if it is possible to transparently redirect all web traffic to the squid server running at the data center?

Please note that I am fully aware of the fact that this can be done using route map or WCCP if I had a proxy server in the LOCAL LAN, and also that I can use WPAD for automatic proxy detection, but I want transparent redirection.

Best Answer

The only thing I can think of is some form of a tunnel. You simply have to route that port 80 traffic, which will have random global destination IP addresses, to your cloud proxy. This is impossible to do without some sort of support in your routing infrastructure.

You'd probably want an IPsec tunnel between your network and the cloud instance for security anyway. If your current router(s) don't support such features, I would suggest experimenting with Vyatta Core, pointing some test workstations at the Vyatta router as their default gateway. The Vyatta would then be configured to redirect all public-bound TCP-port-80 traffic through an IPsec tunnel (or even GRE or IP-in-IP if you don't care about security) that terminates on the cloud instance.

Note that whenever tunnels are involved, you will have MTU issues, so you should make sure you are not blocking ICMP "packet too big" messages in any firewall (even local to the workstation), and you can potentially rewrite the TCP max segment size in TCP handshake packets seen by the Vyatta.

Honestly, proxy-auto-config is going to be much easier to deal with. You can even enforce proxy configuration for IE and Google Chrome via Group Policy if you have an Active Directory Domain, and use proxy autoconfig for visitors/Macs/Linux/Firefox users.
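
The MTU point in the answer above, worked through as an added example (not part of the original answer): it computes the largest inner packet and the TCP MSS to clamp to for the tunnel types the answer names. Assumptions: IPv4 without options, a 1500-byte path MTU, and cipher suites chosen here for illustration, since the page names none.

```python
"""Largest TCP MSS that crosses a tunnel without fragmentation (IPv4, no options)."""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20   # MSS excludes TCP options by convention

@dataclass(frozen=True)
class Encap:
    name: str
    fixed: int        # bytes added around the inner packet
    align: int = 1    # ESP pads the encrypted region to this multiple
    trailer: int = 0  # ESP pad-length + next-header bytes, inside that region

# Constructed profiles; the cipher suites are assumptions, not from the page.
ESP = IPV4_HDR + 8    # outer IPv4 header + ESP SPI and sequence number
PROFILES = {
    "ipip": Encap("IP-in-IP", IPV4_HDR),
    "gre": Encap("GRE, no key/checksum", IPV4_HDR + 4),
    "esp-cbc-sha1": Encap("ESP tunnel, AES-CBC + HMAC-SHA1-96", ESP + 16 + 12, 16, 2),
    "esp-gcm": Encap("ESP tunnel, AES-GCM", ESP + 8 + 16, 4, 2),
    "esp-cbc-sha1-natt": Encap("same, UDP/4500 NAT-T", ESP + 8 + 16 + 12, 16, 2),
}

def outer_size(inner_len, e):
    """On-the-wire size of an inner packet of inner_len bytes after encapsulation."""
    region = inner_len + e.trailer
    region += -region % e.align          # round up to the padding boundary
    return e.fixed + region

def inner_mtu(path_mtu, e):
    """Largest inner packet whose encapsulated form still fits in path_mtu."""
    room = path_mtu - e.fixed
    return room - room % e.align - e.trailer

def clamp_mss(path_mtu, e):
    """MSS value to write into SYN packets entering the tunnel."""
    return inner_mtu(path_mtu, e) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for key, e in PROFILES.items():
        print(f"{key:18} inner MTU {inner_mtu(1500, e):4}  MSS {clamp_mss(1500, e):4}")
```

A full-size 1500-byte packet from a workstation exceeds every inner MTU computed here, which is why the tunnel endpoint must either clamp the MSS or be able to deliver the ICMP "packet too big" message back to the sender.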