A Primer on Double Filtering.
Smoothwall Cloud Filter provides a versatile and effective filtering solution for remote working and learning. In a 'Hybrid' solution, there will be an on-prem Smoothwall appliance or hosted VM handling local web traffic as a proxy server and providing the Cloud Filter configuration.
To avoid complications arising from the interaction between Cloud Filter devices which may have returned to the site and the on-prem solution, such as double-filtering or filtering inconsistencies due to authentication, the following pointers should be taken into consideration:
- The Cloud Filter devices (Chromebooks or Windows 10 devices) should be segregated into their own VLAN wherever possible. This makes it simple to configure the Smoothwall Firewall & Filter appliance to ignore the Cloud Filter devices.
OR - The 'Secret Knock' should be enabled on the Smoothwall Firewall & Filter to permit Cloud Filter devices to request filtering bypass from the on-prem solution where VLANS are not feasible.
Let's look at these in turn.
Option 1: VLANs
VLANs are by far the easiest way to handle Cloud Filter Devices. With the Cloud Filter devices easily definable from a networking perspective, you can exempt them from filtering on the Smoothwall Filter & Firewall. There are a few ways to achieve this:
- Navigate to Guardian > Web Filter > Exceptions and enter the VLAN subnet into the Source IP Exceptions list and save the change. Any web-traffic from that subnet will then bypass the Guardian Web Filter and move to the Firewall module to be allowed outbound. This is not an overly recommended route, but can be used in a pinch.
- Where the Smoothwall Firewall & Filter is deployed with VLAN interfaces created, you can add the new VLAN to the Smoothwall without a Proxy Authentication policy, therefore all traffic from that VLAN (using the Smoothwall as the gateway) will go unfiltered by Guardian and go straight out to the Internet via the Firewall module.
Option 2: Secret Knock
Where VLANs are not feasible, or are in use but shared with non Cloud Filter Devices (BYOD networks, general WiFi, etc) then the Secret Knock should be configured.
- Firstly, ensure the hostname of the Smoothwall Firewall & Filter is resolvable via local DNS.
- Log-in to your Smoothwall Filter & Firewall Admin U.
- Navigate to Network > Firewall > Smoothwall Access. Create a new access rule to open the Smoothwall Bypass port internally. A basic configuration as follows:
Name: Cloud Filter Bypass
Client IP: Any
Inbound Interface: All Internal
Destination IP: Any
Services: Cloud Filter Bypass (6150)
Groups: Any
Action: Accept - Navigate to Guardian > Client interfaces > Cloud Filter and configure the Hostname/IP of the Smoothwall's internal interface and a Refresh Time, which will dictate how often, in seconds, the Cloud Filter devices request a bypass from the Smoothwall Firewall & Filter. We recommend 600 seconds.
- Log out of the Admin UI to force this config change to the Cloud.
NOTE: Option 1 & 2 both exempt the client device from on-prem filtering, as such it is highly recommended that the Cloud Filter devices be managed in such a way that no other browser other than one equipped with the Cloud Filter Extension be allowed as this may result in unfiltered internet access through the additional browser.