Forcing customers to use web proxy cache
To block direct web access for your network(s) and force people to use proxies, add the following access list to your router's LAN port (inbound). Here is a sample Cisco router configuration:
router#configure terminal
router(config)#access-list 100 permit tcp any host 192.189.54.60 eq www
router(config)#access-list 100 deny tcp any any eq www
router(config)#access-list 100 permit ip any any
router(config)#interface Ethernet0
router(config-if)#ip access-group 100 in
router(config-if)#end
router#copy running-config startup-config
The option in the second line allows your users to use proxy.connect.com.au proxy autoconfig scripts. (NB: Using these scripts will bypass your proxy to use AAPT’s.)
This assumes that access-list 100 was unused. If you have your own proxy and want to bypass the Connect caches (permanently or occasionally), you need an additional rule that allows your cache to reach port 80.
For example:
router(config)#access-list 100 permit tcp host xx.xx.xx.xx any eq www
before the deny rule. Otherwise, you should configure your browsers to use proxy.connect.com.au, port 8080. Also, proxy.connect.com.au may be accessed for proxy auto-config.
If you are already using an inbound access-list on the LAN interface, this has to be merged with your current list. The filter can alternatively be applied to the WAN interface (outbound).
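Why the extra permit has to sit before the deny rule: an access list is evaluated top-down and the first matching entry decides. The following is an added example, not part of the original page or the router's own tooling; it parses only the entry forms used above, and 192.0.2.10 (standing in for xx.xx.xx.xx), 10.1.1.5 and 203.0.113.7 are constructed addresses.

```python
# Added example: first-match evaluation of the page's access-list 100.
# Handles only the forms used on this page: any / host <ip> / eq <port>.
PORTS = {"www": 80}
OWN_PROXY = "192.0.2.10"  # constructed stand-in for the page's xx.xx.xx.xx

PAGE_ACL = [
    "access-list 100 permit tcp any host 192.189.54.60 eq www",
    "access-list 100 deny tcp any any eq www",
    "access-list 100 permit ip any any",
]
OWN_RULE = f"access-list 100 permit tcp host {OWN_PROXY} any eq www"
ORDERED = [PAGE_ACL[0], OWN_RULE] + PAGE_ACL[1:]   # before the deny rule
APPENDED = PAGE_ACL + [OWN_RULE]                   # after it: never reached for port 80

def _addr(tok):
    """Consume 'any' or 'host <ip>'; return (ip or None for any, remaining tokens)."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address form: {tok[0]}")

def parse_rule(line):
    tok = line.split()[2:]  # drop 'access-list 100'
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    dst, tok = _addr(tok)
    port = None
    if tok:
        if tok[0] != "eq":
            raise ValueError(f"unsupported port operator: {tok[0]}")
        port = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport):
    """Return (action, matching line number); the first matching entry wins."""
    for n, line in enumerate(acl, 1):
        action, r_proto, r_src, r_dst, r_port = parse_rule(line)
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, dport)):
            return action, n
    return "deny", None  # implicit deny at the end of every IOS access list

if __name__ == "__main__":
    client, web = "10.1.1.5", "203.0.113.7"  # constructed addresses
    for name, acl in (("page", PAGE_ACL), ("ordered", ORDERED), ("appended", APPENDED)):
        print(name, "client->web:80", evaluate(acl, "tcp", client, web, 80),
              "own proxy->web:80", evaluate(acl, "tcp", OWN_PROXY, web, 80))
```

On IOS, an access-list 100 line typed into an existing numbered list is added at the end, which is the APPENDED case here, so the list has to be re-entered in the intended order for the proxy permit to take effect.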