This article is for using on-premise filtering with iOS devices. For filtering using Cloud Filter see: Installing Cloud Filter for IOS
Prerequisites
Before you configure the iOS device, you must prepare the following:
Creating the Proxy.pac File
The proxy.pac file is an externally resolvable script, hosted on a publicly accessible web server. A basic file contains the host name and external IP address of the Global Proxy proxy server. You can add additional commands, such as whether to bypass the proxy server for local addresses or a defined list of domains. An example proxy.pac file might be as follows:
```javascript
function FindProxyForURL(url, host) {
    /* serverip: The external IP address of the Smoothwall. */
    var serverip = "1.1.1.1";

    /* smoothwallHostname: The host name of the Smoothwall. */
    var smoothwallHostname = "smoothwall.local";

    /* The global proxy policy port. */
    var globalProxyPort = 805;

    /* If the host is the server, or the localhost matches the host name,
     * then return direct; and don't go through the proxy. */
    if ((host == serverip) || localHostOrDomainIs(host, smoothwallHostname)) {
        return "DIRECT";
    }

    /* If the host looks like something for an intranet (i.e., contains
     * no dots), then don't proxy these requests. */
    if (isPlainHostName(host))
        return "DIRECT";

    /* Everything else is subject to being proxied. */
    return "PROXY " + serverip + ":" + globalProxyPort;
}
```
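An offline check of which hosts the example proxy.pac sends DIRECT, and therefore past the filter, before the file is published. This is an added example, not part of the Smoothwall documentation; the helper shims, the names loadPac and auditPac, and the sample URLs are assumptions constructed for illustration.

```javascript
// Minimal shims for the two PAC helpers the page's file calls (assumed semantics).
const helpers = {
  // True when the host contains no dots.
  isPlainHostName: (host) => !host.includes("."),
  // True on an exact match, or when an unqualified host equals the first label.
  localHostOrDomainIs: (host, hostdom) =>
    host === hostdom || (!host.includes(".") && hostdom.startsWith(host + ".")),
};

// The page's proxy.pac with comments removed; values are the page's placeholders.
const pacSource = `
function FindProxyForURL(url, host) {
  var serverip = "1.1.1.1";
  var smoothwallHostname = "smoothwall.local";
  var globalProxyPort = 805;
  if ((host == serverip) || localHostOrDomainIs(host, smoothwallHostname)) {
    return "DIRECT";
  }
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY " + serverip + ":" + globalProxyPort;
}`;

// Compile the PAC text with the shims passed in as named parameters.
function loadPac(source) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

// Return the routing decision per URL so every DIRECT (unfiltered) path is visible.
function auditPac(source, urls) {
  const findProxy = loadPac(source);
  return urls.map((u) => {
    const host = new URL(u).hostname;
    const decision = findProxy(u, host);
    return { url: u, host, decision, bypassesFilter: decision === "DIRECT" };
  });
}

// Constructed sample URLs; the host names are hypothetical.
const sampleUrls = [
  "http://www.example.com/",
  "http://intranet/",
  "http://smoothwall.local:62444/",
  "http://1.1.1.1:62444/",
];
const report = auditPac(pacSource, sampleUrls);
for (const r of report) console.log(r.host.padEnd(20), r.decision);
```

Any host reported as DIRECT is not sent to the Smoothwall, so rerun the check whenever bypass rules are added to the file.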
Using a Landing Page
A landing page presents useful information to the user. You must configure a landing page to be the home page of browsers used on the iOS devices connected to your network.
When a browser is started on the iOS device, the landing page will redirect to the proxy server, allowing the client-side certificate to be validated.
Configuring the Global Proxy
To redirect web traffic from connected iOS devices to Global Proxy, you need to provision the devices with the Global Proxy settings.
You can either:
- Install the global proxy settings on a single device, and push it through to all other network-connected devices.
- Install the global proxy manually on single devices.
Configuring the global proxy involves configuring a profile on either a Mac OS X server or desktop, which is then pushed through to all devices. The preconfigured profile includes:
- A certificate
- A web clip — Only used when certificate checking is turned on
- A global proxy setting
Note: To configure the above, you need to download the free Apple Configurator app from Apple’s App Store. The Apple Configurator app allows mass deployment of profiles to iOS devices suited to corporate or education environments.
To configure the Global Proxy settings, do the following:
- From the Mac OS X server, open the Apple Configurator.
- Open Global HTTP Proxy.
- From the list, set Proxy Type to Auto.
  This forces the iOS device to use the proxy.pac file it's presented.
- In Proxy PAC URL, enter the URL that the iOS device uses to retrieve the proxy.pac file.
- Ensure Allow direct connection if PAC is unreachable isn't selected.
- If users are expected to authenticate via a captive portal, select Allow bypassing proxy to access captive networks.
- Click Save.
You must create a link to the landing page of your Smoothwall to validate the client-side certificate. This link must be used on the iOS device before attempting to use the Safari browser for authentication. This is done in the Web Clips page of the Apple Configurator.
Creating the link to the landing page
- From the Mac OS X server, open the Apple Configurator.
- Open Web Clips.
- Enter a meaningful Label name for the Web Clip.
- Enter the URL to display when the Web Clip is opened, using the format: http://<Smoothwall_System_externalIP>:62444.
- You can provide an Icon for the configured Web Clip.
- Click Save.
Adding the Certificate's Password
You now need to add the password that was previously configured for the uploaded client-side certificate.
- Download the Global Proxy certificate (client.p12) from your Smoothwall, ensuring that you configure a meaningful password first.
- Upload this to the iOS device's internal storage.
- From the Mac OS X server, open the Apple Configurator.
- Open Certificates.
- The client-side certificate you previously uploaded should appear in the Certificate Name box. If it doesn't, enter client.p12.
- Enter the assigned password for the PKCS12 file in the Password text box.
- Click Save.
Note: If the connecting iOS device is outside the Active Directory domain configured on the Smoothwall, users are required to provide NTLM authentication credentials after the certificate has been validated. These credentials must match the ones configured on the Smoothwall.
Deploying the Global Proxy
You must push the configured global proxy settings out to relevant iOS devices on your network. You do this by either:
- Connecting the iOS device to the Mac OS X server, and copying the global proxy settings over.
- Using the Push wireless service to push the global proxy settings from the Mac OS X server out to the iOS devices.
For a detailed description of how to use the Push wireless service, refer to your Apple documentation.
Manually Installing the Global Proxy
The following procedure describes how to configure the Global Proxy settings on a single iOS device.
To manually install the global proxy settings, do the following:
- Download the Global Proxy certificate (client.p12) from your Smoothwall, ensuring that you configure a meaningful password first.
- Upload this to a web-hosted location.
- Using a Safari browser, browse to the web-hosted client.p12 certificate.
  The Install Profile page displays the identity certificate.
- Click Install.
- If prompted, enter the device’s passcode.
- Enter the password you configured for the client.p12 certificate to confirm the installation of the profile.
- When completed, go to the Wi-Fi settings of the iOS device.
- Scroll down to, and open, HTTP Proxy.
- Select Auto.
- In the Proxy PAC URL box, enter the URL that the iOS device uses to retrieve the proxy.pac file.
- Click Save and exit out of the application.
- Open a Safari browser, and browse to: https://<Smoothwall_System_externalIP>:62444.
This validates the installed certificate.
The iOS device uses the certificate as an additional layer of security.
Note: If the connecting iOS device is outside the Active Directory domain configured on the Smoothwall, users are required to provide NTLM authentication credentials when they first open the browser. These credentials must match the ones configured on the Smoothwall.