Your organization makes use of Connect for Chromebooks or uses Google authentication with SSL login pages, and wants to apply filtering policies when network devices are taken off-site.
Additional configuration is required to set this up.
Smoothwall's Secure Global Proxy feature can be used to allow Google users (either by Connect for Chromebooks, or via an SSL / non-SSL login page) to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy requires the following:
- You must be able to point an external domain name to your publicly facing external IP address
- The Smoothwall must have a fully qualified host name, which must be resolvable both internally and externally
- If you have a firewall between the Smoothwall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall
- An additional Guardian authentication policy Non-transparent > Global Proxy using NTLM with the following configuration:
- Type: Non-transparent
- Method: Global Proxy using NTLM
- Interface: Select the internal network interface used for the Non-transparent > Core authentication policy created previously
- Port: Select the relevant internal proxy port
- Where: Everywhere
- Options for unauthenticated requests: Choose the group configured for unauthenticated Chromebooks. See our knowledge base article, Allowing Access to Google Services.
- Ensure this policy is configured on the same interface as the Non-transparent – Core authentication policy. See our help topic, Creating authentication policies.
- Set this supplementary policy directly below the Non-transparent > Core authentication policy created previously
- Use Global Proxy to identify the external device and filter accordingly. To configure this, go to Web proxy > Global proxy > Settings. See our help topic, Identifying global proxy clients and devices.
- We recommend using a Client supplied certificate to identify external devices.
Tip: With Connect for Chromebook devices, client-side certificates must be manually installed directly into each individual Chromebook as they cannot be distributed via the Google Admin console.
- Alternatively, you can identify external devices by means of a Secure URL.
- Or by using the No identification (Open proxy) method. You should be aware that this method opens a port on the external interface.
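The first three prerequisites above (external DNS name, a host name resolvable internally and externally, and the proxy port forward) can be verified before rolling devices out. The script below is an added example, not Smoothwall tooling: run it once from the internal network and once from an off-site connection, passing the address you expect the name to resolve to from that location. The function names, the argument order and the idea that the two locations may return different addresses are assumptions of this example.

```python
"""Preflight check for the Global Proxy prerequisites (added example)."""
import socket
import sys


def resolve(fqdn, port, getaddrinfo=socket.getaddrinfo):
    """Return the sorted addresses the local resolver gives for fqdn."""
    try:
        infos = getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_vantage(fqdn, port, expected_ip, getaddrinfo=socket.getaddrinfo,
                  connect=socket.create_connection, timeout=5):
    """Check name resolution and proxy-port reachability from this network.

    expected_ip is the address you expect from where the script runs, for
    example the public external IP when run off-site (assumption: you know
    which address each location should see).
    Returns a list of problems; an empty list means the checks passed.
    """
    problems = []
    addrs = resolve(fqdn, port, getaddrinfo)
    if not addrs:
        problems.append(f"{fqdn} does not resolve from this network")
    elif expected_ip not in addrs:
        problems.append(f"{fqdn} resolves to {addrs}, expected {expected_ip}")
    else:
        try:
            connect((expected_ip, port), timeout=timeout).close()
        except OSError as exc:
            problems.append(f"cannot reach {expected_ip}:{port} ({exc}); "
                            "check the proxy port and any port forward")
    return problems


if __name__ == "__main__":
    # Usage: preflight.py <fqdn> <proxy-port> <expected-ip>
    name, proxy_port, ip = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    issues = check_vantage(name, proxy_port, ip)
    print("\n".join(issues) if issues else "OK")
    sys.exit(1 if issues else 0)
```

A successful TCP connection only shows that the port is open and forwarded; it does not confirm that the Global Proxy authentication policy or client identification is working.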
What's Left To Do to Set Up Connect for Chromebooks?
- Troubleshooting Connect for Chromebooks
- Setting up Google as a Directory with Connect for Chromebooks
- How to Setup Google Verification with Connect for Chromebooks
What's Left To Do to Set Up Google Sign-In on SSL Login Pages?
- See our help topic, Filtering users using Non-Chromebook Devices (Google Sign-In on SSL Login Pages) and continue with follow-up task, step 4.