Identifying global proxy clients and devices
Prerequisites
- Create a web proxy authentication policy for the Global Proxy using NTLM. See our help topic, Creating authentication policies.
- Set the Global Proxy devices' internal proxy settings to point to the externally resolvable host name of the Smoothwall (the name that resolves to the Smoothwall's external IP address) and the port number used for the Global Proxy using NTLM authentication policy. For example: https://mysmoothwall.com/800. This must use HTTPS, not HTTP.
- Add the external address of the Smoothwall to the devices' internal proxy exception lists. This ensures that the certificate validation requests aren't proxied.
Procedure
- On the WEB PROXY menu, under the Global Proxy submenu, click Settings.
- Under the Device identification section, from the Device Identification option:
  - To use a global proxy certificate:
    - Select "Client supplied certificate". This is the most secure client device identification method. Any client attempting to use the Global Proxy service must have the client-side SSL certificate installed and present. Download and distribute this client-side SSL certificate to all devices configured to use Global Proxy.
    - If a password is needed, enter it into the Certificate password box.
    - Click Download certificate.
    - Copy this certificate into the relevant devices' internal storage and import it into the browsers.
  - To use a secure URL (use this method if you're using Chromebooks):
    - Select "Secure URL". This adds an additional query string (text) to the Global Proxy URL. It is useful as a compromise between ease of configuration and security.
    - In the Query string box that appears, enter the string that you want.
    - To make sure that device identification is done immediately after opening the browser, set the Global Proxy devices' browser homepage to: https://<Smoothwall_external_address>:62444/?<Query_string>, where Smoothwall_external_address is the externally resolvable hostname of the Smoothwall and Query_string is the secure URL string configured. For example, https://192.168.0.1:62444/?Hhfbn97Zy.
  - To use no identification:
    - Select "No identification (Open proxy)". Where client device authorization is not needed, access to the Smoothwall Filter is subject to supplied user credentials, and traffic is filtered accordingly. Devices not supplying user credentials are typically assigned to the "Unauthorized IPs" group and filtered as that group.
- Click Save changes.
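For the Secure URL method above, the following added example (not Smoothwall code) generates a random query string, builds the browser homepage URL in the format given in the procedure, and checks a device's configured homepage against it. The host name mysmoothwall.example, the alphanumeric-only alphabet, the 16-character minimum and all function names are assumptions made for this sketch.

```python
import secrets
import string
from urllib.parse import urlsplit

IDENT_PORT = 62444  # port from the homepage URL format given on this page
# Assumption: keep the query string alphanumeric so it needs no URL escaping.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 16     # assumption: a local minimum, not a Smoothwall requirement


def new_query_string(length=24):
    """Return a random query string drawn from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def homepage_url(external_address, query_string):
    """Build https://<Smoothwall_external_address>:62444/?<Query_string>."""
    if not query_string or set(query_string) - set(ALPHABET):
        raise ValueError("query string must be non-empty and alphanumeric")
    if not external_address or set(external_address) & set("/:?#@ "):
        raise ValueError("pass a bare host name, without scheme, port or path")
    return f"https://{external_address}:{IDENT_PORT}/?{query_string}"


def check_homepage_url(url, expected_query):
    """Return a list of problems found in a device's configured homepage URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.port != IDENT_PORT:
        problems.append(f"port is not {IDENT_PORT}")
    if parts.path not in ("", "/"):
        problems.append("unexpected path")
    if parts.query != expected_query:
        problems.append("query string does not match the configured value")
    return problems


if __name__ == "__main__":
    qs = new_query_string()
    url = homepage_url("mysmoothwall.example", qs)  # constructed host name
    print(url)
    print(check_homepage_url("http://mysmoothwall.example/", qs))
```

The generated string is the value to enter in the Query string box, and the same value then appears in every device's homepage setting.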