[Legacy] Installing and configuring SquidNT



PaperCut Internet Charging and Quotas requires a proxy server to manage Internet connectivity and log Internet usage by your users. Squid is one of the best-known proxy servers and is typically run on a Linux/Unix machine; however, in some environments a proxy needs to run on a Windows machine. Fortunately, Squid is available for Windows and can be downloaded as the SquidNT package.

(To set up Squid on a Linux/Unix machine and configure it to authenticate with Windows, see our article [Legacy] Configuring Squid on Linux to authenticate with Active Directory.)

Installing SquidNT

Download the latest version of SquidNT from here.

This guide has been written for 2.5.STABLE14-NT (download). The guide has also been updated to work with Squid 2.6.

Unzip the Squid zip file (e.g. file to a temporary directory. This will create a folder called squid-2.5.STABLE14-NT-bin\squid. Move the squid subdirectory to a location where you want Squid to be installed. E.g. c:\squid. (NOTE: You cannot install Squid in a directory containing spaces, like C:\Program Files.)

Open a command line window (cmd.exe), and change to the directory you installed Squid to. E.g. cd \squid

Install the Squid service by running the following:

   C:\squid>sbin\squid.exe -i

Set up the default config files by copying the template configuration files in C:\squid. Copy the following three files to C:\squid\etc.

   squid.conf.default      to C:\squid\etc\squid.conf
   mime.conf.default       to C:\squid\etc\mime.conf
   cachemgr.conf.default   to C:\squid\etc\cachemgr.conf

Then create the Squid cache directories by running the following:

   C:\squid>sbin\squid -z

Squid is now ready to start. Start the Squid NT service from the Services Control Panel applet. (Control Panel→Administrative Tools→Services). If Squid starts correctly you will not receive an error, and the cache log file will not contain any errors (C:\squid\var\logs\cache.log).

Configuring user authentication

In this configuration Squid is locked down and does not allow any access, so the config file needs to be modified to allow connections from users on the network. Shut down the Squid service.

Open the Squid config file (C:\squid\etc\squid.conf).

To enable authentication against your Windows domain or Active Directory, add the following to your config file around line 1290. This tells Squid to use NTLM authentication (i.e. users are logged in automatically without being prompted for a password).

For Squid 2.5:

   auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
   auth_param ntlm children 5
   auth_param ntlm max_challenge_reuses 0
   auth_param ntlm max_challenge_lifetime 2 minutes
   auth_param ntlm use_ntlm_negotiate on

For Squid 2.6:

   auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
   auth_param ntlm children 5

Then define an ACL (access control list) entry that allows users on your network to use the proxy if authenticated. Go to approximately line 1830 of the file, and add the lines:

   acl localnet proxy_auth REQUIRED src
   http_access allow localnet

(But change the IP address mask as appropriate for your network. You can specify multiple network masks by separating them with spaces).

Now restart Squid and ensure that it starts correctly. Configure a browser to use the Squid proxy (port 3128 by default), and try to access an external web site. You should be able to visit the site successfully. To check that the authentication is working correctly open the C:\squid\var\logs\access.log file, and you should see log entries for the web site you visited, and importantly your username in the log file. Below are sample logs from visiting Note the username vm-domain\administrator, where vm-domain is the name of the domain, and administrator is the name of the user.

   1118015367.061    703 TCP_MISS/302 405 GET vm-domain\administrator DIRECT/ text/html
   1118015367.749    688 TCP_MISS/302 411 GET vm-domain\administrator DIRECT/ text/html

Allowing access only to members of a Windows Group

The next step is to only allow users access if they belong to a Windows security group. This can be used to enforce Internet access policy on your domain, and allow PaperCut to restrict access to users who have used their entire available quota. First we need to add the external ACL types to check for Windows group membership. Go to about line 1396 and add the following:

For Squid 2.5:

   external_acl_type win_domain_group ttl=120 %LOGIN c:/squid/libexec/win32_check_group.exe -G
   external_acl_type win_local_group ttl=120 %LOGIN c:/squid/libexec/win32_check_group.exe

For Squid 2.6:

   external_acl_type win_domain_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G
   external_acl_type win_local_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe

(The first entry is used to check domain group membership, the second is for local groups. You only have to add the lines you are going to use. Users of PaperCut typically use domain groups, so only the first line would be necessary).

Now we need to define the ACL to only allow access to members of a particular group (e.g. a domain group called InternetUsers). Go to the line in the config file where the acl localnet entry was defined (approx line 1850), and replace the previous ACL definitions with:

   acl localnet proxy_auth REQUIRED src
   acl InetAllow external win_domain_group InternetUsers
   http_access allow InetAllow

Ensure that you use the IP mask appropriate for your network. In the above example InternetUsers is a domain group. Change the group name as appropriate for your network. If your group is a local group, then use the win_local_group external ACL type instead.

(Make sure you remove the http_access allow localnet line that was defined earlier, otherwise all users on the network will have access, even if they do not belong to the group.)

Restart Squid, and now only members of the InternetUsers group will have access to the Internet via the proxy.

NOTE: If you need to deny Internet access for members of another Windows security group, you can set up an InternetDenyGroup the same way as above and then define an InetDeny ACL. You can then specify an http_access deny rule as follows:

   http_access deny InetDeny
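
Squid applies the first http_access line that matches, which is why a leftover allow localnet line defeats the group restriction and why a deny rule only takes effect when it sits above the allow rule. The following is an added example, not PaperCut's or Squid's code: a simplified Python model of that evaluation, in which the function names, the four constructed rule orders and the treatment of the ACL name all as match-everything are assumptions made for illustration.

```python
# Added example: simplified first-match model of Squid http_access evaluation.
# Only proxy_auth and external group ACLs (plus the name "all") are modelled.

def parse(conf):
    """Return (group_acls, auth_acls, rules) from squid.conf text."""
    group_acls, auth_acls, rules = {}, set(), []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 5 and tok[0] == "acl" and tok[2] == "external":
            group_acls[tok[1]] = set(tok[4:])   # acl NAME external TYPE GROUP...
        elif len(tok) >= 3 and tok[0] == "acl" and tok[2] == "proxy_auth":
            auth_acls.add(tok[1])               # matches any authenticated user
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))     # (allow|deny, [acl names])
    return group_acls, auth_acls, rules

def decide(conf, user_groups):
    """Decision for an authenticated user who belongs to user_groups."""
    group_acls, auth_acls, rules = parse(conf)
    def matches(name):
        if name == "all" or name in auth_acls:
            return True
        return bool(group_acls.get(name, set()) & set(user_groups))
    for action, names in rules:
        if all(matches(n) for n in names):      # ACLs on one line are ANDed
            return action                       # first matching line wins
    # No line matched: Squid applies the opposite of the last line.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

ACLS = """
acl localnet proxy_auth REQUIRED
acl InetAllow external win_domain_group InternetUsers
acl InetDeny external win_domain_group InternetDenyGroup
"""
# Constructed rule orders (not taken from the page's own squid.conf).
LEFTOVER   = ACLS + "http_access allow localnet\nhttp_access allow InetAllow\nhttp_access deny all\n"
GROUP_ONLY = ACLS + "http_access allow InetAllow\nhttp_access deny all\n"
DENY_LATE  = ACLS + "http_access allow InetAllow\nhttp_access deny InetDeny\nhttp_access deny all\n"
DENY_FIRST = ACLS + "http_access deny InetDeny\nhttp_access allow InetAllow\nhttp_access deny all\n"

if __name__ == "__main__":
    both = ["InternetUsers", "InternetDenyGroup"]
    print("leftover allow, non-member:", decide(LEFTOVER, []))
    print("group only, non-member:", decide(GROUP_ONLY, []))
    print("deny after allow, member of both:", decide(DENY_LATE, both))
    print("deny before allow, member of both:", decide(DENY_FIRST, both))
```
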

Verifying the configuration

Restart Squid (if you have not done so already).

As a user that belongs to the InternetUsers group:

  • Make sure the browser is set up to use the proxy (port 3128 by default)
  • Browse the Internet for a few minutes (you should be allowed to view all pages).
  • Check the C:\squid\var\logs\access.log, and make sure your username is being logged.

As a user that does not belong to the InternetUsers group:

  • Make sure the browser is set up to use the proxy (port 3128 by default)
  • Try to browse the Internet (you should be denied access by the Squid proxy).
  • Check the C:\squid\var\logs\access.log, and make sure you see TCP_DENIED entries that contain the correct username.
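
The log checks in both lists can be scripted. The following is an added example, not part of the original article: a Python check over Squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy, type) that counts served and denied requests per username and reports any request served without a username. The sample lines, addresses, the guest1 account and the function name are constructed for illustration.

```python
# Added example: check a Squid native-format access.log for the results the
# verification steps expect. Sample lines are constructed, not from the page.
from collections import Counter

SAMPLE_LOG = r"""
1118015366.100      2 192.0.2.10 TCP_DENIED/407 1720 GET http://www.example.com/ - NONE/- text/html
1118015367.061    703 192.0.2.10 TCP_MISS/302 405 GET http://www.example.com/ vm-domain\administrator DIRECT/198.51.100.7 text/html
1118015367.749    688 192.0.2.10 TCP_MISS/200 411 GET http://www.example.com/a vm-domain\administrator DIRECT/198.51.100.7 text/html
1118015401.310      1 192.0.2.22 TCP_DENIED/403 1450 GET http://www.example.com/ vm-domain\guest1 NONE/- text/html
1118015420.555    120 192.0.2.30 TCP_MISS/200 9000 GET http://www.example.com/b - DIRECT/198.51.100.7 text/html
"""

def audit(log_text):
    """Return (allowed, denied, unauthenticated) for native-format log text."""
    allowed, denied, unauthenticated = Counter(), Counter(), []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue                       # blank or truncated line
        client, result, url, user = f[2], f[3], f[6], f[7]
        code = result.split("/", 1)[0]
        if code == "TCP_DENIED":
            if user != "-":
                denied[user.lower()] += 1  # refused after the user was identified
            # TCP_DENIED with user "-" is the normal authentication challenge
        elif user == "-":
            unauthenticated.append((client, url))  # served without a username
        else:
            allowed[user.lower()] += 1
    return allowed, denied, unauthenticated

if __name__ == "__main__":
    allowed, denied, unauthenticated = audit(SAMPLE_LOG)
    print("served:", dict(allowed))
    print("denied:", dict(denied))
    print("served without a username:", unauthenticated)
```

Any entry in the third result means a request was served without authentication, so an http_access allow line that does not require a login is still active in squid.conf.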

If this all works, then you’re ready to use PaperCut with SquidNT…

  • In Options→Net Charging Options, point PaperCut to the C:\squid\var\logs log directory.
  • Set the log file mask to access.log
  • And then press the “Test and Apply Settings” button. You should see some summarized net access usage.

Log Rotation

Squid NT does not rotate its log files, so on large sites these files will grow very large. We recommend implementing a simple rotation policy which improves the performance of your system and allows easy archiving of old logs.

We have written a simple batch file that performs a log rotation by stopping Squid, renaming access.log to access-YYYY-MM-DD.log, and then restarting Squid. Use the Windows Task Scheduler to schedule the following batch file to be run regularly (e.g. daily or weekly). NOTE: Make sure you set up the scheduled task to run as a user with permissions to stop/start the Squid service.

Squid 2.6 changed the name of the Squid service, so make sure you download the correct version of the script.

Download squid-2.5-log-rotate.bat

Download squid-2.6-log-rotate.bat


If Squid fails to start then it is best to check the following two log files. They will usually give you a hint about the cause of the problem (e.g. a syntax problem in the squid.conf file).




Last updated July 5, 2023