Simulate company proxy for users that take laptops home

My company uses an HTTP Proxy, so I had to configure several config-files of my tools to access the internet via the Proxy.

When users are at home, they won't be able to use that proxy (except when they use the VPN connection). Is it possible to simulate that proxy (same address, same port) but using the direct home connection of users?

Are there any better ways to handle this kind of proxy / mobile user situation?


Solution 1:

I'm guessing that you're carrying a laptop home from work (and carrying home this proxy configuration with you).

If you control your own router and DNS server at home you can pull this off pretty easily. If not, then you might be better off just unconfiguring the proxy when you're home.

  • You'll need a proxy to use. If you've got a spare box to put Linux on at home, you can spin up something like IPCop Linux or any number of other small Linux distros that come with the Squid Cache proxy. Be sure that you've got Squid enabled and working before you proceed.

  • If you refer to the proxy by DNS name (i.e. "proxy.company.com") then you'll need to get that name to resolve on your home LAN. The easiest way to do that is to set up a DNS server on your home LAN and create a zone for "proxy.company.com" with an A record referring to the name "@" and the IP address of your proxy machine.

  • If you refer to the proxy by IP address you're going to have to do some network address translation games. At this point, you're probably best off using a Linux-based machine as your router / gateway to the Internet. You can do a NAT rule in the iptables firewall to translate requests to an example company proxy server at 123.4.5.6, port 8080 to the local Squid cache, port 3128, like so:

    iptables -t nat -A PREROUTING -p tcp -d 123.4.5.6 --dport 8080 -j REDIRECT --to-ports 3128

This is going to be a learning experience for you if you're not familiar with how DNS, proxies, etc. work.

Solution 2:

Don't do this - just use WPAD like (almost) everyone else!

WPAD allows clients to auto-detect the proxy settings for their current network.

In the case of IE, it means you leave "Automatically detect settings" ticked for LAN connection properties.

After this:

  • any network that supports WPAD will allow clients to discover and use the proxy
  • any network that supports the use of the Default Gateway transparently will just work
  • any network that supports neither will be a pain in the butt, but then they already are, and it's these networks that require constant reconfiguration of proxy settings by client computers
    • Don't be one of these networks

WPAD is implemented through DHCP option 252, and/or a DNS entry that points the hostname WPAD.yourdomain.com at a web server or proxy that hosts a file /wpad.dat .
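
As an added example (not part of the answer above), here is a minimal wpad.dat for the laptop scenario in the question. The proxy name and port reuse the example values from Solution 1; the internal domain and the office subnet are assumptions.

```javascript
// wpad.dat: constructed example of a proxy auto-config (PAC) file.
// Assumed values: proxy name/port, internal domain, office subnet.
// "var" instead of let/const so that older PAC engines can parse the file.
var PROXY = "PROXY proxy.company.com:8080";
var INTERNAL_DOMAIN = ".company.com";
var OFFICE_NET = "10.20.0.0";
var OFFICE_MASK = "255.255.0.0";

// The browser calls this for every request. isPlainHostName, dnsDomainIs,
// isInNet and myIpAddress are helpers supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  // Intranet names and loopback never go through the proxy.
  if (isPlainHostName(host) || host === "127.0.0.1" ||
      dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Client is not on the office subnet (home, hotel): the proxy is not
  // reachable. This covers a cached or externally reachable copy of the file.
  if (!isInNet(myIpAddress(), OFFICE_NET, OFFICE_MASK)) {
    return "DIRECT";
  }
  // On the office LAN or VPN: proxy only. Appending "; DIRECT" would let
  // clients bypass the proxy whenever it is down, so it is left out here.
  return PROXY;
}
```

A home LAN that happens to use the same address range as the office would match the subnet test, so use a range specific to the office or the VPN pool.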

Solution 3:

It seems like you should be able to set up a Linux box with a proxy between you and the Internet. Then add some iptables rules to redirect any requests to the IP address of your company proxy to the proxy running on the local system.