The document outlines the implementation of a transparent proxy server with an access control list (ACL) for the KMC network to manage internet access and enhance security. It details the operational benefits of using a proxy server, including cached data for efficiency, monitoring user activity, and restricting access to certain sites. The proposal includes necessary modifications to the existing network and implementation strategies to ensure minimal disruption to users.

1. Implementing Transparent PROXY
Server With ACL @KMC Network
Department of ICT
Computer Technology
Takahiro Arai
Department of ICT@Kinondoni Municipal Council 1

2. PROXY Server is a kind of server which realizes a lot of tasks, but basic function
as PROXY server is only to serve service that it accesses Internet sites in stead of
clients. Below is an example of the difference of data flow between access with
PROXY Server and access without PROXY Server.
Access without PROXY Server Access with PROXY Server
Internet Internet
Cloud Cloud
Internet access is Access from each PC is 0nce
all done by each aggregated at PROXY Server,
clients directly then PROXY Server accesses
Internet on behalf of clients
Proxy Server
PC PC PC PC PC PC PC PC
Department of ICT@Kinondoni Municipal Council 2

3. The word “transparent” is something that acts like “glass” which is invisible.
This means users shall not be aware of the presence of PROXY server and also
users do not need to alter the current network configuration on each PC’s
platform. Below is a brief image of the difference between simple PROXY Server
and transparent PROXY Server.
Simple PROXY Server Transparent PROXY Server
Network Configuration Internet Internet Network Configuration
Server:kinondonimc.go.tz Server:kinondonimc.go.tz
Port:8080
Cloud Cloud Port:8080
Authentication Authentication
Username____, Password_____ Username____, Password_____
SSL/TSL enable: No SSL/TSL enable: No
Bypass local address: Yes Bypass local address: Yes
etc… etc…
Simple Proxy Server Transparent Proxy Server
Users know the presence Users do not need to know
of PROXY Server and anything, and do not need to
need to alter network alter network setting as if users
configuration in order to could access Internet directly
use PROXY Server without PROXY server
(however, it actually exists)
PC PC PC PC PC PC PC PC
Department of ICT@Kinondoni Municipal Council 3

4. ACL literally means “Access Control List”. It is simply a list which describes
“Do&Don’t” that can control access flow and Internet connection from each PC.
In addition to “Do&Don’t”, ACL is also possible to alter the flow of Internet
access – alias “redirection” in technical terms. For example, if the network
administrator wants to restrict users accessing certain sites, such as Youtube,
Facebook or Web-sites that have nothing to do with business, he/she can forcely
forbid users to access these web-sites using ACL. The following is a simple image
of how ACL works.
ACL
URL TO BE ACCESSED | ACTION
|
http://www.youtube.com | FORBIDDEN
https://facebook.com | FORBIDDEN
http://www.kinondonimc.go.tz | ALLOW
http://torrent.com | FORBIDDEN
http://google.co.jp | REDIRECT  http://google.co.tz
http://www.hotxxxmovie.com | FORBIDDEN
Department of ICT@Kinondoni Municipal Council 4

5.  Connection between KMC and TTCL is very limited – 2Mbps dedicated line
 Some staffs are downloading huge data such as film data from Youtube or
licensed software that occupy the data line between TTCL mentioned above
 Some staffs are browsing web-sites that are harmful or have nothing to do
with business
 To grasp of Internet accesses on which sites the staffs at KMC are accessing
 To gain more secure access to Internet
Department of ICT@Kinondoni Municipal Council 5

6. As described in the previous page, PROXY Server meets the following demands
 To make good use of Internet resources – PROXY caches the data once it has
accessed and also has function to compress data while data transmission
 Uniform control of Internet access – able to grasp which web-sites users are
accessing (available in form of report that has visibly-understandable graphs)
and to restrict unwanted Internet access, as well
 More secure access to Internet – PROXY hides the clients’ local IP address of
origin.
 And many more!
PROXY Server realizes all these demands exactly!
Department of ICT@Kinondoni Municipal Council 6

7.  Need some modifications on the current CISCO800 Access Router
 Separate the current KMC Network into 2 Segments – DMZ and LAN Segment
 Need at least a single Linux based-OS Server or Personal Computer
 Setup transparent PROXY server on Linux based-OS, so that staffs at KMC do
not need to recognize it and do not need to configure network configuration
 Install PROXY server which is to be setup onto DMZ segment
 Assign a staff as administrator who knows some of basic Linux
operation, knowledge on network and management of PROXY Server
Department of ICT@Kinondoni Municipal Council 7

8. From next page, we are to describe briefly with some illustrations on how to install
PROXY server with ACL onto KMC Network and how to expand existing Network.
Department of ICT@Kinondoni Municipal Council 8

9. The Outline Of Current Network
Internet Cloud
Dedicated Line(TTCL, 2Mbps)
CISCO 1252
192.168.1.254
CISCO 800
192.168.1.1
[ VLAN 1 ]
192.168.1.0/24
Cable& Wireless Connection
Finance Social Welfare Accounting HIV/AIDS GIS
etc…
Department of ICT@Kinondoni Municipal Council 9

10. The Current Internet Access Flow
Internet Cloud
Dedicated Line(TTCL, 2Mbps)
CISCO 1252
Internet access is all made by 192.168.1.254
each client directly in KMC
CISCO 800
192.168.1.1
[ VLAN 1 ]
192.168.1.0/24
Cable& Wireless Connection
Finance Social Welfare Accounting HIV/AIDS GIS
etc…
Department of ICT@Kinondoni Municipal Council 10

11. Implementing Multi Networks With PROXY Server And ACL
Internet Cloud
DMZ Segment
Dedicated Line(TTCL, 2Mbps)
[ VLAN 2 ]
CISCO 1252
192.168.50.0/24
192.168.1.254
192.168.50.1
Proxy Server CISCO 800
(Transparent with ACL) 192.168.1.1
192.168.50.100
Divide current Network
into 2 Networks, [ VLAN 1 ]
192.168.1.0/24
[ DMZ and LAN Network ] LAN Segment
then install Proxy Server
on DMZ Network Cable& Wireless Connection
All of Internet accesses are
controlled by ACL system
Finance Social Welfare Accounting HIV/AIDS GIS
etc…
Department of ICT@Kinondoni Municipal Council 11

12. Internet Access Flow After Implementing New System
Internet Cloud
DMZ Segment
Dedicated Line(TTCL, 2Mbps)
[ VLAN 2 ]
CISCO 1252
192.168.50.0/24
192.168.1.254
192.168.50.1
Proxy Server CISCO 800
(Transparent with ACL) 192.168.1.1
192.168.50.100
[ VLAN 1 ]
Internet access is all done 192.168.1.0/24
through Proxy Server with ACL LAN Segment
located on DMZ Network
Cable& Wireless Connection
Finance Social Welfare Accounting HIV/AIDS GIS
etc…
Department of ICT@Kinondoni Municipal Council 12

13. So… in the end, described up to here as you’ve seen, PROXY server offers a lot of
benefits, particularly in either case that the bandwidth of Internet connection is
extremely limited, or that the network administrator wants to control the
Internet access by users. Costs – both implementing and running – may not be
big issues here, however availability of Internet connection at KMC will be
greatly improved without large costs.
Hence, regardless of small costs that would be newly occurred, implementation
of PROXY server is a highly recommended solution in point of view of many
ways!
THANK YOU FOR YOUR KIND ATTENTION!
ASANTENI SANA KWA KUSOMA!
Department of ICT@Kinondoni Municipal Council
13