Your organization makes use of:
- Connect for Chromebooks
- Google authentication with SSL login pages
and wants to apply filtering policies when network devices are taken off-site.
Additional configuration is required to set this up.
Smoothwall's Secure Global Proxy feature can be used to allow Google users (either by Connect for Chromebooks, or via an SSL / non-SSL login page) to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy requires the following:
- You must be able to point an external domain name to your publicly facing external IP address
- The Smoothwall must have a fully qualified hostname, which must be resolvable both internally and externally
- If you have a firewall between the Smoothwall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall
- An additional Guardian authentication policy, Non-transparent > Global Proxy using NTLM, with the following configuration:
  - Type: Non-transparent
  - Method: Global Proxy using NTLM
  - Interface: Select the internal network interface used for the Non-transparent > Core authentication policy created previously
  - Port: Select the relevant internal proxy port
  - Where: Everywhere
  - Options for unauthenticated requests: Choose the group configured for unauthenticated Chromebooks (see How do I allow Google services through my Smoothwall?)
  - Ensure this policy is configured on the same interface as the Non-transparent > Core authentication policy (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm)
  - Set this supplementary policy directly below the Non-transparent > Core authentication policy created previously
- Use Global proxy to identify the external device and filter accordingly. Go to Web proxy > Global proxy > Settings:
  - We recommend using a Client supplied certificate to identify external devices.
    Tip: With Connect for Chromebook devices, client-side certificates must be manually installed directly into each individual Chromebook, as they cannot be distributed via the Google Admin console.
  - Alternatively, you can identify external devices by means of a Secure URL.
  - Or by using the No identification (Open proxy) method. You should be aware that this method opens a port on the external interface.
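A pre-flight check for the hostname and port-forward requirements listed above, as an added example (not Smoothwall code): run it once from inside the network and once from an off-site connection. The function names, the internal/external labels and the command-line arguments are assumptions of this example.

```python
import socket
import sys

def resolve(hostname):
    """Return the sorted addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def port_open(address, port, timeout=3.0):
    """True if a TCP connection to address:port is accepted."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(vantage, addresses, reachable, expected=None):
    """Turn observations into findings; an empty list means the check passed.

    vantage   -- "internal" or "external" (where the script was run; assumed label)
    addresses -- result of resolve()
    reachable -- {address: bool} built from port_open()
    expected  -- optional address the name should resolve to from this vantage
    """
    if not addresses:
        return [f"{vantage}: hostname does not resolve"]
    findings = []
    if expected and expected not in addresses:
        findings.append(f"{vantage}: resolves to {addresses}, expected {expected}")
    hint = "port forward" if vantage == "external" else "proxy interface/port"
    for addr in addresses:
        if not reachable.get(addr, False):
            findings.append(f"{vantage}: {addr} refuses the proxy port (check {hint})")
    return findings

def check(vantage, hostname, port, expected=None):
    """Resolve the hostname, probe the proxy port on each address, assess."""
    addresses = resolve(hostname)
    reachable = {addr: port_open(addr, port) for addr in addresses}
    return assess(vantage, addresses, reachable, expected)

if __name__ == "__main__":
    # Assumed usage: preflight.py internal|external HOSTNAME PORT [EXPECTED_ADDRESS]
    vantage, hostname, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    expected = sys.argv[4] if len(sys.argv) > 4 else None
    problems = check(vantage, hostname, port, expected)
    print("\n".join(problems) or f"{vantage}: OK")
    sys.exit(1 if problems else 0)
```

A successful TCP connection only shows that the port is reachable; it does not show which identification method (client certificate, Secure URL or open proxy) is enforced on it.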
What's Left To Do to Set Up Connect for Chromebooks?
- Go back to How to Setup Google as a Directory with Connect for Chromebooks
- Go back to How to Setup Google Verification with Connect for Chromebooks
What's Left To Do to Set Up Google Sign-In on SSL Login Pages?
- Go back to the help article, Filtering Users Using Non-Chromebook Devices (Google Sign-In on SSL Login Pages) and continue from step 8.