If your organization uses Connect for Chromebooks or Google authentication with SSL login pages, and you want to ensure that communication to Google's servers is uninterrupted and all filtering policies are still applied to end-users, you need to create additional filtering and access policies in the Smoothwall Filter and Firewall. This is especially important if your Google devices are used off-site.
From time to time, unauthenticated Chromebook users might attempt to browse the Internet. You can create a group where all such web requests are assigned, then create a Guardian authentication policy to either completely block access or only allow limited access.
Typically, unauthenticated web requests are assigned to the Unauthenticated IPs group. If required, you can create a separate group to handle unauthenticated Chromebooks.
Procedure
- To limit or block access to unauthenticated Chromebook users, add a new user group. See our help topic, Adding user groups.
  - Name: "Unauthenticated Chromebook Users"
- For new installations, you should already have a non-transparent core authentication policy by default. However, you might need to create it using these settings. See our help topic, Creating authentication policies.
  - Step 1: What
    - Type: "Non-transparent"
    - Method: "Core authentication"
    - Interface: Choose the internal interface used by the Connect for Chromebooks extension or the SSL/non-SSL login pages.
  - Step 3: Options for unauthenticated requests
    - Included groups: Optionally, choose the group created previously for unauthenticated Chromebooks and other unauthenticated Google users.
- Make sure that this policy is at the top of the Non-transparent authentication policies table. See our help topic, Managing authentication policies.
- To allow devices to be filtered when they're external to the network, you need to create a non-transparent global proxy using NTLM.
  - Step 1: What
    - Type: "Non-transparent"
    - Method: "Global Proxy using NTLM"
    - Interface: Choose the internal interface used by the Connect for Chromebooks extension or the SSL/non-SSL login pages.
  - Step 3: Options for unauthenticated requests
    - Included groups: Optionally, choose the group created previously for unauthenticated Chromebooks and other unauthenticated Google users.
- Make sure that this policy is below the Core authentication policy in the Non-transparent authentication policies table.
- Create a Connect for Chromebooks authentication exception. See the help topic, Creating authentication exceptions.
  - Manage exceptions:
    - Include categories or category groups: "Connect for Chromebooks"
- Create a whitelist policy for the Connect for Chromebooks category with these settings. See our help topic, Creating web filter policies.
  - Who: "Everyone"
  - What: "Connect for Chromebooks"
  - Where: "Everywhere"
  - When: "Always"
  - Action: "Whitelist"
- Make sure that this policy is at the top of the Web filter policies table or, if you have a multitenant setup, at the top of all the tables. See our help topic, Managing web filter policies.
- Create a Do not inspect HTTPS policy for the Connect for Chromebooks category with these settings. See our help topic, Creating HTTPS inspection policies.
  - Who: "Everyone"
  - What: "Connect for Chromebooks"
  - Where: "Everywhere"
  - When: "Always"
  - Action: "Do not inspect"
- Make sure that this policy is at the top of the HTTPS inspection policies table. See our help topic, Managing HTTPS inspection policies.
- If they don't already exist, add a Smoothwall access rule for these services to the interface used by the authentication policies. See our help topic, Adding new Smoothwall access rules. If you are using the Hearst release or earlier, add an external access rule instead with the mentioned services.
  - Name: Type a name for your access rule.
  - Services:
    - "Other web access on HTTP (80)"
    - "Other web access on HTTPS (442)"
- If your Chromebooks are also used off-site, also add external access rules for the same two services on the External interface.
- To set up Google sign-in on SSL login pages, see our help topic, Filtering users using Non-Chromebook Devices (Google Sign-In on SSL Login Pages), and our knowledge base article, How do I filter my Google devices when external to the network?