Gentoo

I have a very short period of time in which to set up a proxy server for about 800 Windows boxes that "have to" use IE5 or IE6. I decided to try Squid since it seems to be the most popular proxy out there and it supports SSL/https proxying. I tested quiet a few things the past few days and everything looked good. But I run Gentoo Linux as my desktop and Firefox as my browser. Today, I gained access to a Windows box to test with and I found that the proxy didn't work. When I'd point IE to my Squid proxy and then restart it, I couldn't get anywhere when I'd type in any URL (local or on the internet). So I did some Googling and found a tip that I could either set "use http 1.1 when proxying" to on in the Internet Options dialog or I could apply the latest IE patches. I tested by setting the suggested http 1.1 setting and that allowed the proxy to work. The problem I'm facing is that our Windows admin is positive there is no way to set this for all the browsers centrally. So I'm wondering if there are any changes that I can make on the proxy side to make Squid a bit more friendly to IE. Anyone else using Squid in a medium sized (500+ workstations) environment with IE5 or IE6(SP2)/?

...this particular question has proven to be hard to answer. Most of my Googling has resulted in the same basic answer which is to set the IE6 browser to use http 1.1 when proxying. I also posted on a Windows list and the people there (who use Squid) recommended making that same change for Squid either by using a logon script or manually editing the appropriate key in the mandatory profile. So this is going to be a hard one to resolve for our Windows admin. There isn't really anything that can be done on the Squid side of the equation since the problem lies within the IE6 browser's implementation of http 1.0. There is supposedly a hotfix, but it's not recommended by MS and isn't included in the latest updates nor will it be in the future. The Windows admin is certain that even if we applied the hotfix (which reverts to an older DLL) that the DLL would be replaced with a newer one from the DLL Cache or overwritten by newer XP or IE updates that are automatically applied by the SUS server. So, the ONLY answer appears to be to find a way to set all proxied browsers to use http 1.1.

You can do exactly this from within your AD DC. Depending on the policies you currently have, you may have to create a new policy specifically for this. See http://www.mensys.nl/netop/docs/NNF_deployment.pdf for the general directions.

On a different note, I would seriously question anything I was using that only allowed me to use IE (as opposed to any other browser). Chances are, you have no real reason to even have to use Windows in a corporate environment, especially if your applications are already web-based. Since your critical applications are web based (I'm guessing due to your professed "need"), someone messed up one of the main reasons to have web-based applications to begin with. That being the ability to connect using cheaper, non-proprietary, platform independant clients.

On yet another note, if your Windows systems admin doesn't know how to apply group policies to a corporate AD domain, they either need to be replaced or trained or your whole network should be migrated to Linux (mainly for security reasons). IMO Windows doesn't belong on a corporate network to begin with, but if you're not using AD to its full potential someone in charge over there really needs to take another look at the way your infrastructure is operating. I don't mean for this to sound rude, nor am I trying to spout the "joys of open source solutions" to you. Rather, I'm giving you sound advice which may stop a future incident from crippling your infrastructure (and perhaps costing people jobs).