Smoothwall Filter uses authentication to:
- Identify users and assign them to groups so that different policies can be applied to each group.
- Allow access to registered users or trusted devices.
- Provide logging and auditing facilities in case of misuse.
- Show which users are accessing content in real time.
Best practice
BYOD
You can’t authenticate unmanaged devices, also known as Bring Your Own (BYO) devices, in a Cloud-only setup. These could be phones, tablets or personal laptops that students or staff bring from home and connect to your network.
- Use a Smoothwall On-Premise Appliance to filter these devices on your organisation’s network.
- We recommend using RADIUS Authentication.
School-managed devices
Your organisation provides managed devices for use on-site or at home, such as Chromebooks and laptops.
- We recommend using Smoothwall Cloud Filter to filter these devices with our Agents and Extensions.
- You can use IDex, Google or Azure as your Authentication service.
If you can’t use Cloud Filter, but your devices stay on your network (such as desktops in libraries or laptops which students don’t take home), follow these guidelines:
- To send Safeguarding Alerts and track usernames of users accessing sites:
  - Use IDex with the Smoothwall On-Premise Appliance.
  - If you can’t use IDex, use one of our supported Authentication Methods.
- If you don’t need Safeguarding Alerts or don’t need to track username browsing history, use the No authentication option.
Authentication using Smoothwall Cloud Filter
Your authentication service (IDex, Google or Azure) authenticates users. Smoothwall Cloud Filter checks the username against User Group membership. The User Group determines whether Smoothwall Filter blocks or allows websites and content based on your Web Filter policies.
Authentication using Smoothwall On-Premise Appliance
When the Smoothwall Appliance acts as a Web Proxy, it can identify users and assign them to a User Group. Web Proxy authentication policies are rules that govern how the Smoothwall Appliance identifies users. The User Group determines whether Smoothwall Filter blocks or allows websites and content based on your Web Filter policies.
See an overview of the available Authentication Methods and how to create Web Proxy authentication policies.
Types of Authentication using Smoothwall On-Premise Appliance
The Web Proxy can authenticate users in three ways: External, Direct, and Indirect. You can set up multiple Web Proxy authentication policies and use one or more types, depending on the devices on your network.
External Authentication
The authentication service automatically verifies a user's identity using information from an external source. This option is the easiest for users, but it typically requires them to sign in to the device first.
Direct Proxy Authentication
The authentication service automatically verifies a user’s identity using information provided by the web browser or application accessing the Internet for each web request. Not all applications support this method, so you may need to add Authentication Exceptions.
Indirect Proxy Authentication
Users are authenticated automatically or prompted to enter a valid username and password. When the device authenticates, the user’s identity is remembered for a period of time, and the device will re-authenticate after that timeout. For example, the SSL and non-SSL login pages can verify the user’s identity using an on-premises Active Directory server, Azure AD, or Google Workspace.
Transparent or Non-transparent Web Proxying
You can create Transparent or Non-transparent Web Proxy authentication policies to tell the Smoothwall Appliance which type of Proxy to act as in different scenarios.
You can have as many Transparent or Non-transparent Web Proxy authentication policies as you need, using any available Authentication Method.
Transparent Proxy
Transparent Proxying is most commonly used in mixed environments containing different operating systems and unmanaged devices, such as BYO devices. It gives everyone quick access (such as to the Internet) without requiring users to configure device settings.
All traffic destined for the Internet arriving on port 80 and, optionally, port 443 is automatically redirected through the Web Proxy and authenticated according to the policy.
When using Smoothwall as a Transparent Proxy:
- Client devices must not be multi-homed (connected to multiple LANs, such as wired and wireless simultaneously).
- Client devices must not be dual-stacked. For example, they must not use both IPv4 and IPv6 addresses.
Non-transparent Proxy
Non-transparent Proxying requires clients to authenticate for every request, so devices must have Proxy Settings explicitly set to use Smoothwall Filter as their Web Proxy. This can make the initial configuration of a Non-transparent Proxy more complex.
However, using a Non-transparent Proxy allows you to use a wider range of authentication methods, because the device can recognise that a Web Proxy is in use and that it is safe to provide user information to it.
You can configure Non-transparent Proxying in several ways, including:
- Manually: Entering Proxy Settings in most web browsers and web-enabled applications, in the Connection Settings or similar. You can find the Proxy Address and the Proxy Port Number on the Web Proxy Settings page.
- Automatic configuration script: Using an Automatic configuration script or Automatic discovery.
- Microsoft Active Directory: In a Windows domain, you can configure proxy settings in a domain security policy.
- Microsoft Windows login script: Import a registry file to automatically configure the system-wide Proxy Settings.
- .ini files: Browsers like Firefox can be configured automatically with .ini files. You can copy or modify these files as part of the login script on a Microsoft Windows or Linux network.
- Third-party solutions that automatically configure Proxy Settings at sign-in.
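An automatic configuration script (PAC file) for the option listed above, as an added example that is not Smoothwall's own script. The proxy address and port are placeholders to be replaced with the values from the Web Proxy Settings page, and the bypass rules for internal hosts are assumptions about a typical LAN.

```javascript
// Added example, not Smoothwall's own script. PROXY_HOST and PROXY_PORT are
// placeholders: use the Proxy Address and Proxy Port Number shown on the
// Web Proxy Settings page.
var PROXY_HOST = "PROXY_ADDRESS_PLACEHOLDER";
var PROXY_PORT = "PROXY_PORT_PLACEHOLDER";

// True for dotted-quad IPv4 literals in loopback or RFC 1918 private ranges.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point the browser calls for every request when this file is set as
// the automatic configuration script.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Assumption: single-label names (no dot, no colon) are internal hosts.
  var singleLabel = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (host === "localhost" || singleLabel) return "DIRECT";
  // Assumption: private IPv4 literals are on the LAN and need no filtering.
  if (isPrivateIPv4Literal(host)) return "DIRECT";
  // Everything else goes through the Web Proxy. There is deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the request fails
  // rather than reaching the Internet unfiltered and unauthenticated.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

PAC return values are tried in order, so appending `; DIRECT` to the last line would let a device browse unfiltered whenever the proxy cannot be reached.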