I am looking at setting up some kind of visitor wireless access for our company; however, our internet connections all run through an external proxy.
After many wasted hours explaining to visitors how to enter the proxy settings before they can connect to the web, I feel it is time to look at a solution which is a bit simpler from the end user's point of view.
My initial idea was that I could just buy a WAP which allows me to select the proxy server, but in reality this seems to be quite a rare or expensive option (I have had previous experience using a ZyAIR G-4100 for something similar, but this was quite unreliable).
From a bit of research, the most popular answer seems to be setting up a transparent proxy using an Ubuntu box running Squid between the modem and the switch.
Does this sound like the most sensible idea or am I overcomplicating things?
Edit: Forgot to mention that my other problem is that I am locked out of the router too, so I am unable to play about with creating separate subnets that bypass the proxy.
I'm not entirely sure I understand your layout, but if you just want to give your visitors Internet access (and don't care if they use a proxy at all), why not just add another leg to your edge firewall/router (assuming it can do that), bridge the wi-fi router onto that leg, and route/filter accordingly?
You might take a look at SmoothWall, Endian and other similar "threat management" systems, which are basically full-fledged *nix-based firewalls with integrated transparent proxies (mainly web & email).
If you don't care whether visitors go through the proxy, all you have to do is add an exception to the rule that blocks port 80 traffic. Create a VLAN for the guest network, and allow traffic from that IP range to use port 80 on the inside interface of your firewall (or the outside interface, if you blocked it there).
I have had lots of luck using CNTLM to handle the typical misery associated with corporate proxies.
If you are able to create some kind of guest-service credentials that can authenticate with the proxy, you can put the CNTLM service on the network and point the guests to that proxy, and it will authenticate and forward their requests to the main proxy server. Not sure what kind of proxy server auth scheme you are dealing with, though.
If you care about the integrity of your network, don't let guests connect to it. Provision an alternate, firewalled network as described by @gravyface.
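One concrete way to build the firewalled guest segment described in this answer and in the earlier VLAN/port 80 suggestion, as an added nftables ruleset that is not from any poster in this thread. The interface names vlan20 (guest VLAN) and wan0, and the 192.0.2.0/24 guest range, are assumptions; it also permits 443 and DNS, which the thread does not mention, since a web-only guest segment is unusable without them.

```nft
# Assumed layout: guests on vlan20 (192.0.2.0/24), upstream on wan0.
# Guest traffic may only leave via wan0 for web and DNS; it may never
# reach the internal RFC 1918 ranges (and therefore never the corporate LAN).
table inet guest {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Only guest-originated traffic is handled in this chain; everything
        # else falls through to the chain policy and the existing rules.
        iifname != "vlan20" return

        # Replies to guest connections the firewall has already tracked.
        ct state established,related accept

        # Guests never talk to internal networks, whichever interface they sit on.
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

        # Outbound web and DNS from the guest range only.
        ip saddr 192.0.2.0/24 oifname "wan0" udp dport 53 accept
        ip saddr 192.0.2.0/24 oifname "wan0" tcp dport { 80, 443 } accept

        # Anything else from the guest VLAN is dropped.
        counter drop
    }
}
```

Load it with `nft -f` and check the `counter drop` value to see what guest traffic is being rejected; if the guest router also needs to hand out DHCP or answer DNS itself, those are input-chain rules on the guest interface, not covered here.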
No, that's not going to solve your problem. If you set this up as a transparent proxy, then nobody will be able to connect to any site using SSL without clicking through a bad SSL warning created by the cert on your proxy. And using MITM / asking them to install your CA cert on their computer is not a solution.
Then you are not in control of your network, and either you shouldn't be trying to deploy systems in this way or you should be changing your provider.