Smoothwall WebProxy Fail :(


Eisen


So I work in an enterprise environment with around 800 users. These users are members of domain.com and they all access the web through the smoothwall webproxy.

The smoothwall pulls its authentication via usual LDAP from the Active Directory domain.com tree and within this tree I have security groups in place that the smoothwall proxy recognises and assigns a level of internet access to each group. So web access is assigned depending on what security group a user is a member of and it all works great.

Great. Smashing. Super.

Until of course you bring another domain into the mix. Now the whole company network architecture is getting an overhaul and with this was the removal of NDS. Over the last few weeks I’ve been rebuilding AD and the best way to do this is to add another child domain and use this as the clean slate. For security reasons this is how it should be anyway. We’ll call this cake.domain.com.

The smoothwall webproxy can only pull information from one LDAP context, in our case domain.com. I can specify a second ADC however this is for redundancy only. Nightmare.

I’ve tried changing the domain.com security group to a universal group and then adding a new global group from cake.domain.com to the primary domain. However as the proxy will pull its user list using a normal ldapsearch it will pull everything back in plain text and will not look to see what members are in the cake.domain.com group.

So what’s the way to get this working? In the short run add each user from cake.domain.com to the webaccess security group in domain.com. Now will that become a pain when I start to migrate users across in batches? Hell yeah.

In the long run, get another webproxy for the second domain. Pain in the arse to do as I can guarantee when I ask for clearance to get one my IT Director will just say ISA repeatedly till I leave the room.

Sigh..
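
A toy model of the behaviour described in the post above, added here as an illustration; it is not part of the original post and not Smoothwall's code. Two dictionaries stand in for the domain.com and cake.domain.com directories, and every DN, group name and user name is constructed. It contrasts a single-context read of a group's `member` attribute with a recursive expansion of nested groups.

```python
# Constructed sample data: one dict per domain, keyed by DN. All names are made up.
WEB = "CN=WebAccess,DC=domain,DC=com"
CAKE_GRP = "CN=CakeWeb,DC=cake,DC=domain,DC=com"
DOMAIN = {
    WEB: {"type": "group",
          "member": ["CN=alice,DC=domain,DC=com", CAKE_GRP]},  # nested child-domain group
    "CN=alice,DC=domain,DC=com": {"type": "user"},
}
CAKE = {
    CAKE_GRP: {"type": "group",
               "member": ["CN=bob,DC=cake,DC=domain,DC=com",
                          "CN=carol,DC=cake,DC=domain,DC=com"]},
    "CN=bob,DC=cake,DC=domain,DC=com": {"type": "user"},
    "CN=carol,DC=cake,DC=domain,DC=com": {"type": "user"},
}

def flat_users(directory, group_dn):
    """Single-context lookup: read `member` once and keep only the DNs
    that resolve to user entries in this one directory."""
    members = directory.get(group_dn, {}).get("member", [])
    return {dn for dn in members if directory.get(dn, {}).get("type") == "user"}

def effective_users(directories, group_dn, _seen=None):
    """Expand nested groups across all directories, guarding against loops."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:          # group already expanded: membership cycle
        return set()
    seen.add(group_dn)
    merged = {}
    for d in directories:
        merged.update(d)
    users = set()
    for dn in merged.get(group_dn, {}).get("member", []):
        entry = merged.get(dn)
        if entry is None:         # DN that no directory can resolve
            continue
        if entry["type"] == "group":
            users |= effective_users(directories, dn, seen)
        else:
            users.add(dn)
    return users

def missed_users(primary, directories, group_dn):
    """Users who hold access through nesting but are invisible to the flat lookup."""
    return effective_users(directories, group_dn) - flat_users(primary, group_dn)

if __name__ == "__main__":
    print(sorted(missed_users(DOMAIN, [DOMAIN, CAKE], WEB)))
```

Diffing the two result sets after each migration batch gives the list of accounts that still need a direct entry in the domain.com group under the short-term workaround.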
