When devices that use Connect for Chromebooks, or Google authentication with SSL login pages, are taken off-site, you need some additional configuration to set up filtering policies for them.
You can use the Smoothwall Filter and Firewall Secure Global Proxy feature to allow Google users to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy has these requirements:
- You must be able to point an external domain name to your publicly facing external IP address.
- The Smoothwall Filter and Firewall must have a fully qualified host name, which must be resolvable both internally and externally.
- If you have a firewall between the Smoothwall Filter and Firewall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall.
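One way to check these prerequisites before configuring the policy, as an added example that is not Smoothwall's own tooling: run it once on the internal network and once from an off-site connection. The host name, port and IP address in the usage comment are placeholders.

```python
"""Added example: pre-flight check for the Global Proxy prerequisites."""
import socket
import sys


def resolve_ipv4(hostname):
    """Return the sorted IPv4 addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_open(address, port, timeout=3.0):
    """Return True if a TCP connection to address:port succeeds within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hostname, port, expected_ip=None):
    """Return a list of problems seen from this network (empty list = all passed).

    Pass expected_ip (your public IP) when running off-site. Leave it as None
    on the internal network, where the name only has to resolve.
    """
    addresses = resolve_ipv4(hostname)
    if not addresses:
        return [f"{hostname} does not resolve from this network"]
    problems = []
    if expected_ip and expected_ip not in addresses:
        problems.append(f"{hostname} resolves to {addresses}, expected {expected_ip}")
    for address in addresses:
        # Off-site, a failure here usually means the port forward is missing.
        if not port_open(address, port):
            problems.append(f"proxy port {port} not reachable on {address}")
    return problems


if __name__ == "__main__":
    # Usage (placeholders): preflight.py proxy.example.org 8080 [203.0.113.10]
    host, proxy_port = sys.argv[1], int(sys.argv[2])
    expected = sys.argv[3] if len(sys.argv) > 3 else None
    issues = preflight(host, proxy_port, expected)
    print("\n".join(issues) if issues else "all checks passed")
    sys.exit(1 if issues else 0)
```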
You also need an additional Non-transparent "Global Proxy using NTLM" authentication policy with the following configuration. See the help topic, Creating authentication policies.
- Type: "Non-transparent"
- Method: "Global Proxy using NTLM"
- Interface: The internal network interface used for the Non-transparent Core authentication policy that you should already have. See our help topic, Creating authentication policies.
- Port: Select the relevant internal proxy port.
- Where: "Everywhere"
- Options for unauthenticated requests: Choose the group configured for unauthenticated Chromebooks. See our knowledge base article, Allowing Access to Google Services.
Set this policy directly below the Non-transparent Core authentication policy.
To identify the external devices that use Global Proxy, and filter them accordingly, see our help topic, Identifying global proxy clients and devices.
- Device Identification:
- "Client supplied certificate" - We recommend that you use this to identify external devices. You must install client-side certificates for Connect for Chromebook devices directly into each individual Chromebook manually because they can't be distributed via the Google Admin console.
- "Secure URL" - Alternatively, you can identify external devices by means of a URL.
- "No identification (Open proxy)" - Or you can use this method. However, you should be aware that this method opens a port on the external interface.