When/why to use a web proxy/gateway?

An outbound proxy server can provide more than one benefit to your network:

  • Content Caching - instead of 25 people hitting your DSL connection with slashdot & fark page reloads the content can be cached on an internal server. This will speed up access to external sites, especially when the images are cached at the proxy.
  • Content Monitoring - you can always go back and look at the logs if you like.
  • Content Filtering - virus scanning, etc.
  • Access Restrictions - generally, surfing porn on the bank teller computers is a no-no.
  • User Identification - perhaps you would like to know who is surfing all day.

The answer to the question "when do we need to move to a web proxy" is generally answered by "when you need one of the above functions".

You need Content Caching when you're sending "a lot" of traffic through your internet connection. Perhaps the connection is slow, or perhaps you're getting overage charges that you'd like to avoid.

As for the other functions, you need a proxy when you want to perform that function. There are generally other ways to accomplish those functions as well, yes, but a proxy is usually the "easiest".

Myself, I installed a Web Proxy to provide a local cache. We had a setup with about 40 users. I used a dedicated Linux Server with a Squid proxy on it so I cannot talk of the Barracuda web filter. I set up our gateway to enable transparent proxying so nobody would see the difference. With time, some limited filtering was added (some known bad sites) and I moved our DNS forwarding to OpenDNS to reduce the risk of people ending up on phishing sites. As for you, we never looked at limiting people's access to the internet.

The benefits I got from adding a local cache were:

  • Reduced the office internet connection bandwidth usage (download speed got a little faster in general).
  • Lowered by almost 40% the total amount of data downloaded over the internet.
  • Content filtering of well known phishing and exploit sites.

My understanding is that the basic Barracuda Web Filter is really there to prevent people from surfing inappropriate content or using IM. The larger versions seem to include caching. From my experience I would not set up a web filter without caching because I would feel I do not get any kind of return on investment by just filtering people's connections.
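
Added example, not part of the answer above and not code from the Squid project: a Python sketch that reads a Squid access.log and reports the share of bytes served from cache, per-client volume, and requests blocked by filtering. It assumes Squid's default native log format; the sample lines, addresses and hostnames are constructed.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout (an assumption):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 120 192.168.0.21 TCP_MISS/200 60000 GET http://news.example/ - HIER_DIRECT/203.0.113.10 text/html
1700000001.200 3 192.168.0.22 TCP_HIT/200 20000 GET http://news.example/ - HIER_NONE/- text/html
1700000002.300 2 192.168.0.21 TCP_MEM_HIT/200 10000 GET http://news.example/logo.png - HIER_NONE/- image/png
1700000003.400 1 192.168.0.23 TCP_DENIED/403 5000 GET http://blocked.example/ - HIER_NONE/- text/html
1700000004.500 90 192.168.0.22 TCP_REFRESH_UNMODIFIED/200 10000 GET http://news.example/app.js - HIER_DIRECT/203.0.113.10 application/javascript
this line is truncated
"""

def is_cache_hit(code):
    # A revalidated object (REFRESH_UNMODIFIED) still has its body served
    # from cache; only a small 304 exchange goes upstream, so this is an
    # approximation of bytes saved.
    return "HIT" in code or code == "TCP_REFRESH_UNMODIFIED"

def summarize(log_text):
    total = hit = skipped = 0
    by_client = Counter()
    denied = []
    for line in log_text.splitlines():
        f = line.split()
        # Tolerate truncated or rotated-mid-write lines instead of crashing.
        if len(f) < 7 or "/" not in f[3] or not f[4].isdigit():
            skipped += 1
            continue
        client, code, size, url = f[2], f[3].split("/")[0], int(f[4]), f[6]
        if code == "TCP_DENIED":
            # Blocked by an ACL: the proxy's own error page, not web traffic.
            denied.append((client, url))
            continue
        total += size
        # Keyed by client IP: intercepted (transparent) traffic carries no
        # proxy-auth username, so the user field is "-".
        by_client[client] += size
        if is_cache_hit(code):
            hit += size
    return {"total_bytes": total, "hit_bytes": hit,
            "byte_hit_ratio": hit / total if total else 0.0,
            "by_client": dict(by_client), "denied": denied,
            "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
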

I've heard similar a number of times and in my experience it doesn't work. Education of users is the way.

Included in my duties is maintaining an office network of ~50 computers and we don't have a proxy solution in place. What I do though is to immediately firewall someone off if they are causing problems. Then go and talk to them and explain why I have done it.

This might seem a little harsh but it works wonders, they soon realize what they can and can't do and generally users don't do the same thing twice.

Note that I probably have 1 incident a month where I have to firewall someone off and they will generally be allowed back on as soon as I have finished speaking to them.