Use this page to create nontransparent and transparent authentication policies.
Prerequisites
For a transparent policy:
- You must set up the DNS correctly on your network so that users' devices can resolve the short form of the Smoothwall Filter host name, for example: resolve mysystem for the host name mysystem.example.com.
- Users' devices and the Smoothwall Filter must be within the same DNS domain.
- Internet Explorer must be configured to authenticate with intranet sites automatically.
Procedure
For a nontransparent policy
- On the WEB PROXY menu, under the Authentication submenu, click Policy wizard.
- Under the Step 1: What section, from the Type options, select to create a Non-transparent authentication policy.
- From the Method list, select one of the Authentication Methods.
- From the Interface list, select the interface on which to apply the authentication policy.
- From the Port list, select the relevant port number for your Smoothwall to listen on for proxy requests.
- Click Next.
- Under the Step 2: Where section, from the Available locations list, select the location at which the policy will apply and click Add ». Once you have added all your locations, click Next.
- Under the Step 3: Options for unauthenticated requests section, from the Available groups list, select the group to which you want to assign unauthenticated requests and click Add ».
- When requests are permitted without requiring authentication, for example, entries on the Exceptions page, the Smoothwall assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
- Make sure that the policy is turned on by selecting the Enable Policy option. Once you are satisfied, click Confirm.
- Review your selections and click Save to create the policy.
For a transparent policy
- On the WEB PROXY menu, under the Authentication submenu, click Policy wizard.
- Under the Step 1: What section, from the Type options, select to create a Transparent authentication policy.
- From the Method list, select one of the Authentication Methods.
- From the Interface list, select the interface on which to apply the authentication policy.
- To transparently intercept HTTPS traffic, select the Filter HTTPS traffic option and, from the Behavior list, select how the Smoothwall Filter handles HTTPS requests without a Server Name Indication (SNI).
SNI provides the domain name for transparent HTTPS requests. Without it, only the IP address is known, which makes it difficult to distinguish genuine requests.
Note: Some clients make HTTPS requests without Server Name Indication (SNI), such as the Google Chrome updater, older versions of Google Drive, and Dropbox, so valid requests might be blocked.
From the Behavior drop-down, choose one of the following:
- Block HTTPS traffic with no Server Name Indication (SNI) header
- Allow Transparent HTTPS incompatible sites — HTTPS traffic that does not contain Server Name Indication (SNI), and whose originating IP address is listed in the Transparent HTTPS incompatible sites Standard category, is allowed through without further filtering. All other HTTPS traffic without Server Name Indication (SNI) is blocked.
- Filter by using name from certificate — All HTTPS traffic that does not contain Server Name Indication (SNI) is filtered based on the domain name taken from the destination server's certificate.
Note: Some certificates use wildcard characters in domain names, such as *.google.com. The Smoothwall Filter treats the asterisk as a normal character rather than a wildcard, so list such names literally, including the asterisk, in any category that should match them.
- Allow Transparent HTTPS incompatible sites and filter others by using the name from the certificate — A combination of the previous two options: if the originating IP address is listed in the Transparent HTTPS incompatible sites category, the HTTPS traffic is allowed through without further filtering; otherwise the domain is taken from the server's certificate and the traffic is filtered accordingly.
- To make sure that traffic leaving the Smoothwall has the source IP address of the client making the web request, and not the IP address of the Smoothwall, select the Spoofing option.
For customers with multiple external connections, spoofing lets you use source NAT and link load balancing policies (see Using Source NAT and LLB Rules) to steer traffic onto specific links, for example, forcing students to use one link and teachers another, based on their source IP address.
Note: For networks that use multiple Smoothwall Filters, such as a cluster or a centrally managed configuration, make sure that reply packets addressed to the spoofed client are routed back through the same Smoothwall. This ensures that data is returned to the correct client.
Tip: If the Bandwidth module is installed on your Smoothwall, you can control the bandwidth used by Smoothwall Filter traffic, for example, limiting the bandwidth available to bring-your-own devices (BYOD) on your network. To take advantage of the full functionality of the Bandwidth module, you need a Layer 7 license.
- Click Next.
- Under the Step 2: Where section, from the Available locations list, select the location at which the policy will apply and click Add ». Once you have added all your locations, click Next.
- Under the Step 3: Options for unauthenticated requests section, from the Available groups list, select the group to which you want to assign unauthenticated requests and click Add ».
- When requests are permitted without requiring authentication, for example, entries on the Exceptions page, the Smoothwall assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
- Make sure that the policy is turned on by selecting the Enable Policy option. Once you are satisfied, click Confirm.
- Review your selections and click Save to create the policy.
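The four Behavior options in Step 1 decide what happens to a transparent HTTPS request that arrives without SNI. The following Python model is added here as an illustration and is not Smoothwall code; it encodes that decision table together with the literal (non-wildcard) treatment of names such as *.google.com. The constant names, the sample IP addresses and the category contents are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed labels for the four Behavior options on the Policy wizard.
BLOCK_NO_SNI = "block"
ALLOW_INCOMPATIBLE = "allow_incompatible"
FILTER_BY_CERT = "filter_by_cert"
ALLOW_INCOMPATIBLE_THEN_CERT = "allow_incompatible_then_cert"

# Constructed stand-in for the "Transparent HTTPS incompatible sites" category.
INCOMPATIBLE_SITES = {"203.0.113.10"}


@dataclass
class HttpsRequest:
    dest_ip: str
    sni: Optional[str]          # None when the ClientHello carries no SNI
    cert_name: Optional[str]    # name taken from the server's certificate, if any


def decide(behavior: str, req: HttpsRequest) -> str:
    """Return 'allow', 'block', or 'filter:<name>' (name handed to the web filter)."""
    if req.sni:
        # Normal case: SNI gives the domain name, so the request is filtered by it.
        return f"filter:{req.sni}"
    if behavior == BLOCK_NO_SNI:
        return "block"
    if behavior in (ALLOW_INCOMPATIBLE, ALLOW_INCOMPATIBLE_THEN_CERT):
        if req.dest_ip in INCOMPATIBLE_SITES:
            return "allow"                   # passed through without further filtering
        if behavior == ALLOW_INCOMPATIBLE:
            return "block"                   # all other no-SNI traffic is blocked
    # FILTER_BY_CERT, or the combined option for an unlisted address:
    # fall back to the name from the destination server's certificate.
    if req.cert_name:
        return f"filter:{req.cert_name}"
    return "block"                           # no usable name at all (assumed outcome)


def in_category(name: str, category: set) -> bool:
    """Category lookup as the page describes it: '*' is a literal character, not a glob."""
    return name in category
```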
Follow-up task
- Place the policy in the order that you want it to be applied, see our help topic, Managing authentication policies.