The web proxy is turned on by default to direct traffic to the Smoothwall Filter for content filtering. Traffic is automatically routed through the first internal interface. The Smoothwall Filter comes with a comprehensive set of web filter policies by default and an authentication policy that you can use immediately to protect your users and your organization.
This is where you can configure and manage web proxy settings, create and make available proxy auto-config (PAC) scripts, manage how much bandwidth is made available to clients and configure the Smoothwall to connect to a Web Cache Coordination Protocol (WCCP) cache engine cluster.
Prerequisite
- On your users’ devices, configure the web browser to use port 800 on the Smoothwall Filter as the web proxy, that is, a nontransparent proxy.
Procedure
- On the WEB PROXY menu, under the Web proxy submenu, click Settings.
- To deploy the web proxy, under the Global option section, for Guardian, select "Enable".
- To configure the web proxy, under the Available proxy settings section, click Advanced ».
- Under the Web filter options section:
- For the File upload policy, select if you want to "Allow unlimited uploads", "Block all uploads" or "Restrict upload size to" a certain number of Kbytes.
- Enable each of the options if you want.
- HTTP strict mode: This option determines the web proxy's behavior when processing HTTP/1xx response codes; specifically, response code 100 Continue. When HTTP strict mode is turned on, the web proxy does not forward responses with an Expect: 100 Continue header to the client. Although this is an HTTP protocol violation, some client applications have been found to not function correctly when such responses are forwarded. By default, HTTP strict mode is turned off, so the web proxy always forwards responses with Expect: 100 Continue headers to the clients.
- Block advanced proxy bypass attempts: Proxy avoidance services, such as UltraSurf, might be used to bypass the Smoothwall Filter. With this turned on (default behavior), such services are blocked when the initial connection is detected, and a 15-minute partial ban is enforced for the user who made the attempt.
Whilst the bypass client is open and attempting to reconnect, all traffic is blocked. If the client is closed, most traffic is allowed during the ban, but any domains that don't use Server Name Indication (SNI) to identify themselves remain blocked. This might result in some legitimate sites being blocked for the remainder of the ban, as without SNI, proxy bypass services are indistinguishable from legitimate traffic.
You can create a custom report to view the connection attempts. Make sure that the UltraSurf IPs reporting section is included.
- Resume interrupted NTLM connections: By default, the Smoothwall Filter resumes interrupted NTLM connections caused by non-standard web browser behavior. If restrictive Active Directory account lockout policies are in place, turn off this parameter.
- Resolve single component hostnames: By default, the Smoothwall Filter makes no attempt to interpret single component host names that are not fully qualified. Turn off this parameter to stop it from trying to interpret single component host names that are not fully qualified.
- Server persistent connections: By default, the Smoothwall Filter allows server persistent connections. Turn off this option if you're experiencing 502 Bad gateway errors when accessing some websites.
- Via headers: By default, these are used to trace, for both the request and response, the proxies a connection has been made through. The Smoothwall Filter adds its own entry into the Via header, in addition to the header added by Squid. Some websites might attempt to block users browsing through a proxy. Turn off this option to prevent the addition of headers by both the Smoothwall Filter and Squid.
- Honor incoming X-Forwarded-For: Indicates that the Smoothwall Filter can take the client IP address from the X-Forwarded-For header inserted by a downstream proxy or load balancer. Clients can then be identified within the Smoothwall using the IP address contained in the header.
Note: Do not turn on the Honor incoming X-Forwarded-For option if you've turned on Leak client IP with X-Forwarded-For headers with an upstream proxy, or with client IP address spoofing.
- By default, the Smoothwall Filter only allows requests to servers running on a certain subset of privileged ports, that is, ports lower than 1024, such as HTTP (80), HTTPS (443) and FTP (21). If you want access to servers running on non-standard ports, enter them into Allow access to web servers on these additional ports, and press Return on your keyboard to add them to the list.
- Under the Logging options section:
- Select if you want to Enable Proxy logging. We recommend that you turn off this option when Filter logging mode is turned on. This is because the Smoothwall Filter proxy logs are duplicated subsets of the Smoothwall Filter logs. Turning off proxy logging can lead to improved performance by reducing system storage and processing demands.
- Enter an Organization name and from the Filtering logging mode list, select a mode.
- Normal: Select this option to generate proxy logs with all recorded data.
- Anonymized: Select this option to generate filter logs with anonymous username and IP address information.
- Disabled: Select this option to turn off content filter logging. Select to turn off the logging of the types of browsers used by users.
- Select if you want to log Client hostnames of devices using the Smoothwall Filter, Client user-agents, Advert blocks and Local accesses made through the web proxy to either localhost, or IP addresses 127.0.0.*.
- Under the Cache options section:
- Enter the Global cache size for disk space that you want to allocate for caching web content.
- Web and FTP requests are cached. HTTPS requests and pages including username and password information aren't cached.
- The cache size should be around 40% of the system’s total storage capacity, up to a maximum of around 1.5 gigabytes.
- Enter the Max and min object size that can be stored in the cache.
- Enter the Max object size that can pass in and out of the proxy.
- In Do not cache these domains, enter the domains that should be excluded from the web cache.
- Under the Internet Cache Protocol (ICP) section:
- If you want to allow ICP compatible proxies to query the Smoothwall Filter cache, for the ICP server select the Enable option.
- Enter the ICP server IP addresses of other ICP-enabled proxies on the LAN that the Smoothwall Filter should query, and press Enter on your keyboard to add it to the list.
- Under the Load balancing section:
- If your Smoothwall solution makes use of a load balancer, enter the virtual IP address and press Return on your keyboard to add it to the list.
- To save your changes, click Save.
- To restart the web proxy, click Save and restart or Save and restart with cleared cache.
Tip: Always perform a proxy service restart to make sure that changes are reflected correctly in the proxy server configuration.
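The Honor incoming X-Forwarded-For option and its note, in the Web filter options step above, depend on which sender of the header can be trusted. The following added example is not Smoothwall code and does not describe its internal behavior; it shows one common way to resolve a client address so that a header forged by an ordinary client is ignored. The trusted downstream addresses and the sample requests are constructed for illustration.

```python
import ipaddress

# Constructed values: downstream proxies / load balancers allowed to supply
# X-Forwarded-For. Nothing here is taken from a Smoothwall configuration.
TRUSTED_DOWNSTREAM = [ipaddress.ip_network(n) for n in ("10.0.0.10/32", "10.0.1.0/28")]


def _trusted(ip):
    return any(ip in net for net in TRUSTED_DOWNSTREAM)


def resolve_client_ip(peer_ip, xff_header):
    """Return the address a request should be attributed to."""
    # peer_ip: source address of the TCP connection that reached the proxy.
    # xff_header: raw X-Forwarded-For value, or None if the header is absent.
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an arbitrary client is untrusted input: ignore it
    # unless the connection itself came from a trusted downstream device.
    if not xff_header or not _trusted(peer):
        return str(peer)
    client = peer
    # Each proxy appends on the right, so walk right to left and stop at
    # the first hop that is not one of our own proxies.
    for entry in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            # Malformed entry: keep the last address that could be verified.
            break
        client = hop
        if not _trusted(hop):
            break
    return str(client)


# Constructed sample requests: (peer address, X-Forwarded-For header)
SAMPLES = [
    ("10.0.0.10", "192.168.5.23"),            # arrived via the load balancer
    ("192.168.5.99", "192.168.5.23"),         # client sending its own header
    ("10.0.0.10", "1.2.3.4, 192.168.5.99"),   # client-supplied entry on the left
    ("10.0.0.10", "192.168.5.23, 10.0.1.4"),  # two trusted hops in a chain
    ("10.0.0.10", "not-an-ip"),               # malformed header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"{peer:>14}  {xff!r:<28} -> {resolve_client_ip(peer, xff)}")
```

In the second and third samples the request is attributed to 192.168.5.99, the address that could actually be verified, rather than to the value the client supplied.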
Follow-up Task
- On a user’s device, test that when you go to http://thepiratebay.se/, the Smoothwall blocks access to the site and displays a block page.
You can edit the default policies and create new policies to suit your organization.