marcjefferson
09-21-2004, 05:54 PM
I have a network with one Domain Controller (Windows 2000 Server) and a redhat linux firewall between me and the internet. What are my alternatives for logging outgoing web addresses (i.e. the ones that my users entered)?
marc
bwkaz
09-21-2004, 06:18 PM
I am assuming your clients are Windows boxes. If that's not the case, then some of these advantages won't exist. But:
1) You could buy another 2K server and install something like ISA on it in proxy mode. If you do that, then the people that use IE will be able to use their domain logon credentials when authenticating with the proxy, and you can then log who goes where.
This'll cost a crapload of money, though, and I'm not at all sure I'd trust 2K on a publicly-visible server. ;)
2) Install a logging proxy server on your Red Hat firewall. You won't get the username that requested certain pages, but you'll get the client IP address and the page, which may be enough information. If you don't want to hand down a policy setting from the DC to enforce the proxy itself, you could set it up as a transparent proxy. A non-transparent proxy might even have an option to authenticate the users; a transparent proxy definitely wouldn't.
3) Use an iptables rule and a payload match extension to log all HTTP packets with GET and/or Host: in their payload, and then use some kind of log analyzer to pick out where the clients are going from those logs.
The easiest is probably 2, in the transparent proxy mode (Googling for "transparent proxy" ought to come up with a few HOWTOs -- it'll involve a couple iptables rules and DNAT, IIRC). The next would be 2, in non-transparent mode (with the DC handing out policy settings for all your IE clients to enforce proxy usage). After that, probably 3 and then 1.
With any kind of proxy, you wouldn't have to NAT packets from the clients anymore with the iptables stuff. Instead the proxy would more or less handle that for you.
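A worked example of the iptables side of options 2 and 3 above, added here and not part of bwkaz's post: the LAN interface name, the client subnet and the proxy port are assumptions (set them through the environment), and the script only prints the rules when DRY_RUN is set, so they can be reviewed before applying. For the transparent case it uses REDIRECT (a DNAT to the firewall's own address) rather than an explicit DNAT rule, which keeps the original client IP visible to the proxy.

```shell
#!/bin/sh
# Added example (not from the original post): build the iptables rules for
# (a) diverting LAN web traffic into a local transparent proxy (option 2) and
# (b) logging HTTP packets that carry a GET or Host: header (option 3).
# Interface, subnet and port below are assumptions; adjust them for your network.
# Run with DRY_RUN=1 to print the rules, or with "apply" as the argument to load them.

LAN_IF="${LAN_IF:-eth1}"               # assumed: interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: client subnet
PROXY_PORT="${PROXY_PORT:-3128}"       # assumed: port the logging proxy listens on

# run CMD...: execute the command, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 2, transparent mode: divert client port-80 traffic to the local proxy.
# REDIRECT is a DNAT to the firewall's own address, so the proxy still sees
# the real client IP in its access log.
transparent_proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Let the redirected connections reach the proxy process on the firewall.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
}

# Option 3: log forwarded HTTP packets whose payload contains "GET " or "Host: ".
# Caveat: the LOG target records only packet headers (addresses and ports),
# never the payload, so the kernel log gives you the destination IP per request,
# not the URL or the Host value itself.
http_logging_rules() {
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 80 -m string --algo bm \
        --string "GET " -j LOG --log-prefix "HTTP-GET: " --log-level info
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 80 -m string --algo bm \
        --string "Host: " -j LOG --log-prefix "HTTP-HOST: " --log-level info
}

# Apply (or, under DRY_RUN, print) both rule sets.
load_all_rules() {
    transparent_proxy_rules
    http_logging_rules
}

if [ "${1:-}" = "apply" ]; then
    load_all_rules
fi
```

The string match is case-sensitive and looks at one packet at a time, so a header split across packets is missed; treat the LOG rules as a coarse audit trail and rely on the proxy's access log for the actual URLs.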
marcjefferson
09-24-2004, 05:49 PM
Ok, thanks
I'll play around
marc