Skip to content

Assumptions and prerequisites

Note

This article describes integration of Squid proxy with Active Directory using Negotiate/Kerberos, Negotiate/NTLM and Basic/LDAP authentication protocols. These three authentication methods are used at most in Active Directory deployments. Please note Negotiate/NTLM authentication on Squid is done WITHOUT Samba and DOES NOT require you to join Squid proxy box to the domain thus greatly simplifying the deployment process.

In the next steps we will assume you already have your domain up and running within your network with the following parameters.

  1. The name of your domain is example.lan.
  2. Your gateway IP address is 192.168.1.1, netmask 255.255.255.0, its fully qualified domain name is gtw.example.lan.
  3. Your first (primary) domain controller runs Microsoft Windows Server 2019. Its fully qualified domain name is dc1.example.lan and IP address is 192.168.1.2, netmask 255.255.255.0. This domain controller also has DHCP and DNS server roles installed.
  4. Your second (backup) domain controller runs Microsoft Windows Server 2019. Its fully qualified domain name is dc2.example.lan and IP address is 192.168.1.3, netmask 255.255.255.0.
  5. Devices within your network get their IP addresses assigned by DHCP server on your router/firewall/gateway and DNS settings by DNS server running on your primary domain controller.

It is also assumed you would like to provide Single-Sign-On browsing experience to all members of your domain with possible fallback to explicitly entered username/password for the devices which cannot be joined to the domain (like some Apple devices and non domain joined machines).

You would like to enforce certain web filtering on your users with potentially different levels of web filtering strictness for different groups of users during different times of day.

All examples are given assuming you run Ubuntu 22.04 LTS based Web Safety virtual appliance. If you have built the proxy box yourself please adjust the examples accordingly.