This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
You can create non-transparent and transparent authentication policies to identify end users.
- Non-transparent proxies require clients to have proxy settings explicitly set so the proxy can ask the client for authentication for every request.
- Transparent proxies don’t require these settings.
When setting up either type, you can choose to use Spoofing. Spoofing sets the source IP address of traffic upstream of your firewall to the address of the client making the web request, rather than to your Smoothwall's address. You can use this for traffic shaping or other upstream activity that needs to identify the hosts behind the Smoothwall.
Important
You must have multiple interfaces to use Spoofing.
A Non-transparent policy
Before you begin
Configure users’ web browsers to use Smoothwall as the Web Proxy using one of these methods:
- Configure browsers manually: Configure your browser to use Smoothwall as its proxy on port 800. You can do this individually or in bulk using an MDM such as Microsoft Group Policy.
- Use a Proxy Auto-Config (PAC): Get your PAC script address and add it to your browser's LAN settings.
- Use a Web Proxy Autodiscovery Protocol (WPAD): Get your WPAD script, ensure the host resolves to your Smoothwall’s IP address, and configure users’ browsers to detect LAN settings automatically.
For support, please refer to the documentation provided by your browser or MDM.
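As an added example (not part of the Smoothwall documentation), a minimal PAC script that sends browser traffic to the Smoothwall's non-transparent proxy on port 800 while keeping local destinations direct; the hostname smoothwall.example.internal and the 10.0.0.0/8 LAN range are assumed placeholders to replace with your own values.

```javascript
// Added example PAC script; not from the Smoothwall documentation.
// Assumed placeholders: the Smoothwall resolves as "smoothwall.example.internal"
// and the LAN uses 10.0.0.0/8. Plain ES5 is used because PAC engines are old,
// and only string operations are used so no browser PAC builtins are needed.
var SMOOTHWALL_HOST = "smoothwall.example.internal";
var SMOOTHWALL_PROXY = "PROXY " + SMOOTHWALL_HOST + ":800";

// True for single-label names such as "intranet" (no dot in the host).
function isSingleLabel(host) {
  return host.indexOf(".") === -1;
}

// True for a dotted-quad literal inside 10.0.0.0/8 (assumed LAN range).
function isLanAddress(host) {
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Loopback and single-label intranet names never need the proxy.
  if (host === "localhost" || host === "127.0.0.1" || isSingleLabel(host)) {
    return "DIRECT";
  }
  // The Smoothwall itself (for example its SSL Login page) must not be
  // reached back through its own proxy port.
  if (host === SMOOTHWALL_HOST) {
    return "DIRECT";
  }
  if (isLanAddress(host)) {
    return "DIRECT";
  }
  // Everything else goes to the non-transparent proxy on port 800,
  // where the authentication policy is applied.
  return SMOOTHWALL_PROXY;
}
```

Serve the script from a web server reachable by clients and enter its URL in the browser's LAN settings, or publish it as wpad.dat for WPAD.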
Add a Non-transparent policy
- Go to Web Proxy > Authentication > Policy wizard.
- In Step 1: What:
- For Type, select Non-transparent.
- For Method, select one of the Authentication Methods.
- For Interface, select the interface to apply the authentication policy to.
- For Port, select the relevant port number for your Smoothwall to monitor for proxy requests.
- (Optional) If you have more than one Interface, you can select the Spoofing checkbox.
- In Step 2: Where, select where the policy should apply:
- Everywhere.
- One or more network locations (IP or range of IPs).
- In Step 3: Options for unauthenticated requests, select who the policy applies to:
- Nothing to assign requests without authentication to the Unauthenticated IPs group.
- Everyone to apply to all users.
- One or more User Groups.
- Ensure the Enable Policy checkbox is selected.
- Select Confirm.
- Review your selections and select Save.
A Transparent policy
Before you begin
If you use one of the Kerberos or SSL Login page Authentication Methods, your network’s DNS configuration must allow devices to resolve the short form of the Smoothwall Filter hostname.
Add a Transparent policy
- Go to Web Proxy > Authentication > Policy wizard.
- In Step 1: What:
- For Type, select Transparent.
- For Method, select one of the Authentication Methods.
- For Interface, select the interface to apply the authentication policy to.
- The Port is set to 80 for Transparent policies.
- Ensure the Filter HTTPS traffic checkbox is selected for filtering to be applied. If you only have one Interface, this checkbox is selected by default.
- For Behavior, select how the Smoothwall Filter handles HTTPS requests without a Server Name Indication (SNI).
Note
SNI provides the domain name for transparent HTTPS requests. Without this, only the IP address is known, making it difficult to distinguish genuine requests.
- Block HTTPS traffic with no SNI header
- Allow Transparent HTTPS incompatible sites: If the originating IP address is in the Transparent HTTPS incompatible sites category, HTTPS traffic is allowed through without further filtering. All other HTTPS traffic without SNI is blocked.
- Filter using name from certificate: All HTTPS traffic not containing SNI is filtered based on the domain name taken from the destination server's certificate.
- Allow Transparent HTTPS incompatible sites and filter others by using the name from the certificate: This option applies to most scenarios, as it combines the two options above.
- If the originating IP address is listed in the Transparent HTTPS incompatible sites category, then HTTPS traffic is allowed through without further filtering.
- Otherwise, the originating domain is taken from the server's certificate, and traffic is filtered. HTTPS requests without SNI are blocked.
- (Optional) If you have more than one Interface, you can select the Spoofing checkbox.
- In Step 2: Where, select where the policy should apply:
- Everywhere.
- One or more network locations (IP or range of IPs).
- In Step 3: Options for unauthenticated requests, select who the policy applies to:
- Nothing to assign requests without authentication to the Unauthenticated IPs group.
- Everyone to apply to all users.
- One or more User Groups.
- Ensure the Enable Policy checkbox is selected.
- Select Confirm.
- Review your selections and select Save.
Next steps
You can add a policy to the bottom of the table to block unidentified or unexpected traffic.
- Create a Transparent policy to redirect users to the SSL Login page.
- For Behavior, select Block HTTPS traffic with no SNI header.
- Apply the policy Everywhere for Unauthenticated IPs.
If you are using Spoofing:
- You can use source NAT and link load balancing policies to manipulate traffic to use specific links. For example, you could force students to use one link and teachers another based on their source IP address.
- For networks that use multiple Smoothwall On-Premise Appliances, ensure that data is returned to the correct client by routing reply packets addressed to spoofed clients through the same Smoothwall as your Load Balancing system.