Using Your Google Account as a Directory and Applying Your Filter Policies to Your Devices

If you want to use your G Suite account as your Google directory to authenticate your users and apply your web filter policies, you need to connect your Google account to your Smoothwall Filter.

Prerequisites

In your Google API (Cloud Platform) console:

  1. Create a service account, see the Google help topic, Create a service account:
    • Make sure you enable the Admin SDK API for the service account.
    • Make sure that you take a copy of these: 
      • Client ID
      • JSON key
    • When creating your service account, DO NOT perform the optional task of assigning a role to the account. Leave this blank.

In your Google Admin console:

  1. Amend your advanced security settings to add API client access for your service account, see the Google help topic, OAuth: Managing API client.
    • Client Name: Type the Client ID for your Google service account.
    • One or More API Scopes: "https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly"
  2. Block multiple sign-in access for your users, see the Google help topic, Multiple sign-in access:
    • User & Browser Settings:
      • User experience:
        • Multiple sign-in access: "Block multiple sign-in access for users in this organization."

In your Smoothwall Filter and Firewall:

  • Make sure that it is not subject to any firewall policies that would block the Internet Control Message Protocol (ICMP).
  • Make sure that you have created your local user groups so that you can map to these, see our help topic, Adding user groups.
  • To prevent the username synchronization from failing, make sure that the time set on your Smoothwall Filter and Firewall matches the time set in your Google G Suite domain, see our help topic, Setting the system's time and providing a time service.

Procedure

Non-Chromebooks, for example, Windows-based or macOS-based devices

In your Google API console:

  1. Create a Google web application, see our knowledge base article, Creating the Client ID and Client Secret for Google Authentication.
  2. Make a note of your:
    • Client ID
    • Client Secret

Both Chromebooks and non-Chromebooks

In your Smoothwall Filter and Firewall:

  1. Add a new Google directory connection, see our help topic, Adding a Google directory.
    • This is where you need your JSON key.
  2. Synchronize your users, see the help topic, Synchronizing Google users, groups and organizational units.
  3. Map your Google users to your local users in the Smoothwall Filter and Firewall, see our help topic, Mapping Google directory groups to local Smoothwall Filter and Firewall groups.
  4. Configure the Google and Chromebook connections with these settings, see our help topic, Configuring the Google and Chromebook settings:
    • Non-Chromebooks only:
      • Validate user identity: "Yes"
        • Client ID: "The Client ID that you noted from your Google API console."
        • Client Secret: "The Client Secret that you noted from your Google API console."
      • Google Sign-In button: "Yes"
      • Connect for Chromebooks: "Yes"
      • Approved domains: "Optionally, select this option and type the list of domains from which you want to accept logons and apply filters based on group membership."
      • Remove domain name: "Optionally, select this option if your directory service doesn't need the domain name to form part of the username to log on."
    • Chromebooks only:
      • Connect for Chromebooks: "Yes"
      • Approved domains: "Optionally, select this option and type the list of domains from which you want to accept logons and apply filters based on group membership."
      • Remove domain name: "Optionally, select this option if your directory service doesn't need the domain name to form part of the username to log on."
  5. Download the HTTPS certificate, see our help topic, Downloading the HTTPS certificate.
    • HTTPS Certificate

In your Google Admin console:

  1. Add the HTTPS Certificate that you downloaded and select this option, see the Google help topic, Manage certificates:
    • Use this certificate as an HTTPS certificate authority.
  2. Add the Smoothwall Connect for Chromebooks Chrome extension, see the Google help topic, Add apps and use this ID to add the app:
    • Add Chrome app or extension by ID:
      • Extension ID: ldmijmkolialklggnnlgaodhaemipjmn
  3. Set the extension to install automatically, see the Google help topic, Automatically install apps and extensions:
    • Installation policy: "Force install"
  4. Configure the additional applications settings, see the Google help topic, Set app and extension policies - App and extension install sources:
    • App and extension install sources: "https://clients2.google.com/service/update2/crx"
  5. Add the proxy details for the Smoothwall appliance that filters web traffic, see the Google help topic, Make settings in your Admin console:
    • Network:
      • Proxy mode: "Always use the proxy specified below"
        • Proxy server URL: Enter the Smoothwall Filter and Firewall host name and port number. The port number must be the same as the one used for the non-transparent core authentication policy.
        • Proxy bypass list: Type the host name of the proxy in its URL format not by the IP address, for example, proxy.smoothtest.com.
  6. Block any other extensions from being installed, see the Google help topic, Allow or block apps and extensions.

In your Smoothwall Filter and Firewall:

  1. Create a whitelist web filter policy for the Connect for Chromebooks category with these settings, see our help topic, Creating web filter policies:
    • Who: "Everyone"
    • What: "Connect for Chromebooks"
    • Where: "Everywhere"
    • When: "Always"
    • Action: "Whitelist"
  2. Make sure that this policy is at the top of the Web filter policies table or if you have a multitenant setup, at the top of all the tables, see our help topic, Managing web filter policies.
  3. Create a do not inspect HTTPS inspection policy with these settings, see our help topic, Creating HTTPS inspection policies:
    • Who: "Everyone"
    • What: "Connect for Chromebooks"
    • Where: "Everywhere"
    • When: "Always"
    • Action: "Do not inspect"
  4. Make sure that this policy is at the top of the HTTPS inspection policies table, see our help topic, Managing HTTPS inspection policies.
  5. To allow access to Google's services add a Smoothwall access rule for the interface used, see our help topic, Adding new Smoothwall access rules.
    • Name: Type a name for your access rule.
    • Services:
      • "Other web access on HTTP (80)"
      • "Other web access on HTTPS (442)"
  6. If your devices are also used off-site, add external access rules for the two services but also on the External interface.
  7. If your devices are taken and used off-site, you can still apply the same filtering policies applied to users that are on your network, such as, blocking all gaming and gambling websites to all students, see our help topic, Identifying global proxy clients and devices.

Follow-Up Tasks

  1. Test your setup by logging on to one of your devices using valid user credentials:
  2. If your devices use a common startup page, you might see a block page instead of the startup page. This is because Google prioritizes user authentication over launching third party apps, and the Connect for Chromebooks extension doesn't know that the user is authenticated and blocks access.
    • In this scenario, the Connect for Chromebooks icon is gray but only for a matter of seconds before everything is started normally.
  3. Open a Chrome browser. You should see the Connect for Chromebooks icon in the browser's icon tray in the top right.
    • If the icon is a green shield, the extension is connected and functioning.
  4. Go to a website that is allowed for that user. This should be successful.
  5. Now, try going to a website that is blocked for that users. You should see the block page now.