:::Proxy:::
(the client sends the request to the web proxy; the web proxy retrieves the page on the client’s behalf and then sends it back to the client)
(proxies are used to handle web traffic, but other services can also be handled, e.g. a DNS proxy)
(the Squid web proxy is used on the Smoothwall as the proxy engine)(but Smoothwall has created a web interface for setting up proxies)
:Two types of proxies configurations:
1.Non-transparent:
(runs on a specific port)(browsers and applications are told where the proxy is in order to use it)
2.Transparent:
(works by intercepting web traffic and routing it through the web proxy)
(for this to work the traffic needs to physically pass through an interface on the SWG)
(this is achieved by using the SWG as the default gateway and by using bridged interfaces)
:WCCP (Web Content Caching Protocol): (a Cisco feature)
(Cisco routers and switches can be configured to intercept web traffic and forward it to the web proxy)
(SWG also supports WCCP)
(Smoothwall recommends a non-transparent proxy, as a transparent proxy can cause some issues)
(clients need to know where the proxy is and what the port number is)
:Dashboard->web filter->Statistics: (shows the web filter health and status of the system)
Uptime: 0d 9h 39m
Web requests: 19
Average request rate: 0.0/min
Median service time (last 5 minutes): 0.00000s
Requests blocked (last 24 hours): 0.0%
:Authentication:
1.Standard proxy authentication gives a pop-up dialog for the user to enter the username/password, which is not recommended.
2.Pass-through methods such as Kerberos and NTLM are recommended; the logged-on user’s credentials are verified automatically.
(but some applications do not support this)(especially non-web applications)(a very common issue from customers)
(browsers, applications and OS need to support these methods)
(if applications do not support them, they tend to be difficult to troubleshoot, as no errors are shown)
:Browsers:
1.SWG works with all web browsers:
1.Safari
2.Firefox
3.Chrome
4.Opera
5.IE
(they all have proxy settings)
:Applications:
(there are numerous applications that use web ports and protocols)
e.g:
1.Google Drive
2.Dropbox
3.Google Earth
(applications that do not support authentication, or web proxies in general, are difficult)
(all applications have different types of behaviour)
(one method of fixing an application’s proxy authentication problem is to bypass authentication)
(we need to know what domains and IP addresses the application talks to)
(Web proxy » Authentication » Exceptions)(for adding the category groups and/or swurl lists)
(e.g. an application like Dropbox, which talks to only one domain, dropbox.com, is easy)
(but an application that talks to a dynamic list of IPs, such as Skype, is difficult)(so bypassing authentication for a destination is not an option)
Solutions:
1.(bypassing the web filter requires another proxy to be set up and the application told to use this proxy instead of the proxy that requires authentication)
(e.g: Non-transparent proxy 192.168.136.168:805 / Test location : no authentication)
2.(we can bypass the proxy completely)
3.(we can use another authentication method other than pass-through)
(e.g. use the SSL login authentication method)(solves any or all authentication issues with applications)
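The notes above say the first step is knowing which domains and IP addresses an application talks to, and that the unauthenticated test proxy is the place to observe that. As an added example (not Smoothwall’s own tooling), the script below reads Squid native access.log lines, Squid being the SWG’s proxy engine, groups the destinations per client, and says whether a destination-based exception is viable: a fixed set of domain names (the Dropbox case) can go into Web proxy » Authentication » Exceptions, a moving set of bare IPs (the Skype case) cannot. The log lines are constructed for this example using documentation address ranges, the client addresses are assumed to sit on the 192.168.136.0/24 network from the notes, and the field order is Squid’s standard native format.

```javascript
// Constructed sample of Squid native access.log lines (not a real capture):
// time elapsed client result/status bytes method url user hierarchy/peer type
const SAMPLE_LOG = [
  "1700000000.101    312 192.168.136.50 TCP_TUNNEL/200 5120 CONNECT www.dropbox.com:443 - HIER_DIRECT/203.0.113.10 -",
  "1700000000.205     88 192.168.136.50 TCP_MISS/200 2048 GET http://www.dropbox.com/update - HIER_DIRECT/203.0.113.10 text/html",
  "1700000000.311    150 192.168.136.51 TCP_TUNNEL/200 900 CONNECT 198.51.100.21:443 - HIER_DIRECT/198.51.100.21 -",
  "1700000000.412    140 192.168.136.51 TCP_TUNNEL/200 950 CONNECT 198.51.100.77:40014 - HIER_DIRECT/198.51.100.77 -",
  "1700000000.500    130 192.168.136.51 TCP_TUNNEL/200 910 CONNECT 203.0.113.99:443 - HIER_DIRECT/203.0.113.99 -",
].join("\n");

// Parse one native-format line into the fields we care about; returns null for
// blank or malformed lines instead of throwing, so a partial log still parses.
function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  const [ts, , client, result, , method, url] = f;
  let host;
  if (method === "CONNECT") {
    host = url.replace(/:\d+$/, "");                            // CONNECT host:port
  } else {
    const m = /^[a-z][a-z0-9+.-]*:\/\/([^/:?#]+)/i.exec(url);   // scheme://host[:port]/...
    host = m ? m[1] : url;
  }
  return { time: Number(ts), client, status: Number(result.split("/")[1]), method, host };
}

function isIpv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Group destinations per client and judge whether a destination-based
// authentication exception would work: only a client whose destinations are
// all domain names (no bare IPs) can be handled by an Exceptions entry.
function destinationsPerClient(logText) {
  const seen = {};
  for (const line of logText.split("\n")) {
    const e = parseSquidLine(line);
    if (!e) continue;
    const rec = seen[e.client] || (seen[e.client] = { domains: new Set(), ips: new Set() });
    (isIpv4(e.host) ? rec.ips : rec.domains).add(e.host);
  }
  const summary = {};
  for (const client of Object.keys(seen)) {
    const domains = [...seen[client].domains].sort();
    const ips = [...seen[client].ips].sort();
    summary[client] = { domains, ips, exceptionViable: domains.length > 0 && ips.length === 0 };
  }
  return summary;
}

// Stand-alone run: print the per-client summary for the constructed log.
console.log(JSON.stringify(destinationsPerClient(SAMPLE_LOG), null, 2));
```

Run it with node against a copy of the test proxy’s access.log (replace SAMPLE_LOG with the file contents) while the application in question is in use; a client that only ever shows domain names is a candidate for an Exceptions entry, a client that shows a changing set of IPs needs one of the other solutions listed above.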
:Mobile Devices:
1.Tablets (iPad and Android tablets)
2.Phones (iPhones, Windows Phones and Android Phones)
3.Kindles
4.Laptops
(none of the mobile devices support pass-through authentication, and proxy support is hit and miss)
(some OSes like iOS have fairly good support for proxies, but this doesn’t mean that the applications running on these platforms use those settings)
1.For mobile devices, i.e. Wi-Fi or BYOD, there are only 2 viable options:
1.SSL login method
2.802.1X Enterprise method (relies on the DHCP server on the UTM)
3.Global proxy settings (only on iOS 7)(using the Smoothwall Connect client)(also available for Windows OS)
:HTTPS:
(handling HTTPS traffic can be daunting too)
(Smoothwall has features such as decrypt and inspect, and certificate validation)
(SWG can even transparently proxy https traffic)
:::::::Proxy settings and applications::::::::
(you can have any number of proxies using any number of authentication methods)
(you can have multiple authentication methods on the same proxy based on the location the client is coming from)
(most issues are usually related to the proxy authentication)
Web proxy » Authentication » Policy wizard:
:Proxy Authentication Methods:
1.Pass through methods:
(not all applications or OSes support them)
1.kerberos
2.NTLM
(one method for applications which do not support them is to exclude the application from proxy authentication)
(Web proxy » Authentication » Exceptions: in the Exceptions menu we can add categories which do not require authentication)
(but the same categories also need to be allowed in the Everyone group in the web filter policies)
2.Redirect users to SSL login page (with background tab)(with session cookie):
(user can login to SSL login page before getting the web access)(https://192.168.56.99:442/login)
(it requires the user to be logged in first before the application can get access to the web)
(also for Wi-Fi connections, before accessing the web)
3.Identification by location:
(places users in a specific IP-based group and gives access based on this group)
(location to users or user groups mapping is done in the ident by location section:Web proxy » Authentication » Ident by location)
4.NTLM and Kerberos (via redirect methods; used by transparent proxies)
(when a new user connects it asks the user for credentials before letting the user proceed)
e.g:
(two non-transparent proxies)
Non-transparent proxy 192.168.136.168:800 with 3 locations and authentication methods:
1.server location : identification by location
2.staff PCs : redirect users to SSL login page (with session cookie)(staff uses many applications that use proxy)
3.Everywhere: NTLM authentication
Non-transparent proxy 192.168.136.168:805 with 1 location and authentication method
1.Test location : no authentication
(used to troubleshoot the applications)
(1 transparent proxy)(intercepts all the traffic on the interface on which the proxy is configured)
(also intercepts the HTTPS traffic)(applications need to be compliant with SNI for HTTPS inspection)
1.Everywhere : no authentication
Filter HTTPS traffic: ticked
Allow HTTPS traffic with no SNI header for the ‘Transparent HTTPS incompatible sites’ category: ticked
(non-SNI sites will not be filtered; only SNI-capable sites will be filtered)
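The SNI requirement above is the crux of transparent HTTPS filtering: the proxy never sees a plaintext URL, so the only hostname it can match against the web filter is the one the client volunteers in the TLS ClientHello’s server_name extension. As an added example, not code from Smoothwall, the block below is a minimal ClientHello parser that extracts that hostname, plus a function modelling the two outcomes of the “Allow HTTPS traffic with no SNI header” setting. buildClientHello() constructs test input (it is not a captured packet), the hostname is a placeholder, and transparentHttpsDecision() is my modelling of the setting’s behaviour, not Smoothwall’s implementation.

```javascript
// Big-endian 16-bit and 24-bit length helpers used by the TLS framing below.
function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// Construct a minimal TLS 1.2 ClientHello record (test input, not a real capture).
// Pass null for serverName to build a hello with no extensions, i.e. no SNI.
function buildClientHello(serverName) {
  const parts = [];
  parts.push(Buffer.from([0x03, 0x03]), Buffer.alloc(32));   // client_version, random
  parts.push(Buffer.from([0x00]));                            // empty session_id
  parts.push(Buffer.from([0x00, 0x02, 0xc0, 0x2f]));          // one cipher suite
  parts.push(Buffer.from([0x01, 0x00]));                      // one compression method: null
  let exts = Buffer.alloc(0);
  if (serverName) {
    const name = Buffer.from(serverName, "ascii");
    const entry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]);  // host_name entry
    const list = Buffer.concat([u16(entry.length), entry]);                        // server_name_list
    exts = Buffer.concat([u16(0), u16(list.length), list]);                        // extension type 0
  }
  parts.push(u16(exts.length), exts);
  const body = Buffer.concat(parts);
  const hs = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);         // handshake: ClientHello
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);     // record: handshake
}

// Walk the ClientHello and return the SNI host_name, or null when the record is
// not a ClientHello, is truncated, or carries no server_name extension.
function extractSni(record) {
  if (record.length < 5 || record[0] !== 0x16) return null;        // not a TLS handshake record
  const hs = record.subarray(5, 5 + record.readUInt16BE(3));
  if (hs.length < 4 || hs[0] !== 0x01) return null;                 // not a ClientHello
  const body = hs.subarray(4, 4 + hs.readUIntBE(1, 3));
  let p = 2 + 32;                                                   // skip version + random
  if (p >= body.length) return null;
  p += 1 + body[p];                                                 // session_id
  if (p + 2 > body.length) return null;
  p += 2 + body.readUInt16BE(p);                                    // cipher_suites
  if (p >= body.length) return null;
  p += 1 + body[p];                                                 // compression_methods
  if (p + 2 > body.length) return null;                             // no extensions block at all
  const end = Math.min(body.length, p + 2 + body.readUInt16BE(p));
  p += 2;
  while (p + 4 <= end) {
    const type = body.readUInt16BE(p), len = body.readUInt16BE(p + 2);
    const data = body.subarray(p + 4, p + 4 + len);
    p += 4 + len;
    if (type !== 0 || data.length < 5) continue;                    // only server_name interests us
    let q = 2;                                                      // skip server_name_list length
    while (q + 3 <= data.length) {
      const nameType = data[q], nameLen = data.readUInt16BE(q + 1);
      const name = data.subarray(q + 3, q + 3 + nameLen);
      q += 3 + nameLen;
      if (nameType === 0) return name.toString("ascii");            // name_type 0 = host_name
    }
  }
  return null;
}

// Model of the setting in the notes (my modelling, not Smoothwall's code): with an
// SNI the request can be matched against the web filter; without one the proxy can
// only pass it through unfiltered (the "Allow HTTPS traffic with no SNI header"
// box ticked) or block it.
function transparentHttpsDecision(record, allowNoSni) {
  const sni = extractSni(record);
  if (sni !== null) return { action: "filter", host: sni };
  return { action: allowNoSni ? "allow-unfiltered" : "block", host: null };
}

// Stand-alone run: one hello with SNI, one without.
console.log(transparentHttpsDecision(buildClientHello("www.dropbox.com"), true));
console.log(transparentHttpsDecision(buildClientHello(null), true));
```

The “allow-unfiltered” branch is exactly the gap the notes describe: ticking the box keeps older or non-SNI applications working, at the cost of those connections never being categorised. The parser also reads real ClientHello bytes captured from a client on the transparent interface, which is a quick way to confirm whether a misbehaving application sends SNI at all.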
5.Client Proxy settings:
IE:
1.Automatically detect settings:
There are two ways the automatic proxy settings can be configured:
1.DNS server (used by IE and all other browsers)(add a wpad hostname to the DNS as an alias that points to the server hosting the proxy script)
(a browser set to automatically detect settings will ask for wpad.dat if the wpad hostname resolves)(which is the same as the proxy.pac file)(knowledgebase)
2.DHCP server (used by IE)(option 252)(option 252 is already configured on the Smoothwall if it is used as the DHCP server, but on MS it needs to be configured on the various scopes)(knowledgebase)
2.use automatic configuration script: address: http://192.168.136.168/proxy.pac
3.Manual settings:
proxy server: 192.168.136.168:800
bypass proxy server for local addresses
(the proxy is not used if only a hostname is used, but will be used if a domain name is used)
(e.g. for http://intranet the proxy will not be used)(for http://intranet.mydomain.local the proxy will be used)
(when an application is using a proxy the client does not do a DNS lookup; it sends the request to the proxy and the proxy does the DNS lookup on the client’s behalf)
(if the client or application is not using a proxy, or is behind a transparent proxy, then it will definitely do a DNS lookup and then send requests out to the IP address)
(good for troubleshooting)
(mobile devices usually do not support automatic proxy settings)
(both Android and iOS have proxy settings available in the Wi-Fi settings section)
(iOS supports proxy.pac files, and using them is recommended)
(Android does not support proxy.pac files)(settings need to be manually defined)
(Smoothwall can auto-generate proxy.pac and wpad.dat files)
(these files can be customised in the Web proxy » Automatic configuration section)(exceptions can be added and regular expressions can be used)
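The “bypass proxy server for local addresses” rule above (plain hostname goes direct, FQDN goes to the proxy) and the exceptions with regular expressions are both things a proxy.pac expresses directly. As an added example, not Smoothwall’s generated proxy.pac, here is a PAC script that implements exactly that behaviour for the proxy at 192.168.136.168:800 from the notes. The stand-in isPlainHostName() at the top exists only so the file can be exercised under node; browsers supply their own. The exception patterns, including treating the SWG’s own address as direct, are assumptions for illustration.

```javascript
// Stand-in for the helper a browser's PAC engine provides (same semantics:
// true when the host contains no dot). Present only so this runs outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Proxy from the notes; no "; DIRECT" fallback is appended on purpose, because a
// fallback would let every client bypass the web filter whenever the proxy is down.
var PROXY = "PROXY 192.168.136.168:800";

// Destinations that never go through the proxy. Regular expressions give the
// wildcard-style matching the notes mention. Both entries are placeholders.
var DIRECT_EXCEPTIONS = [
  /^192\.168\.136\.168$/,           // the SWG itself (admin UI, SSL login page)
  /(^|\.)update\.example\.com$/i     // placeholder: a service that misbehaves via the proxy
];

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Plain hostnames (http://intranet) go direct, like IE's "bypass proxy server
  // for local addresses"; anything with a domain part is sent to the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  for (var i = 0; i < DIRECT_EXCEPTIONS.length; i++) {
    if (DIRECT_EXCEPTIONS[i].test(host)) return "DIRECT";
  }
  return PROXY;
}

// Stand-alone check of the three cases from the notes.
console.log(FindProxyForURL("http://intranet/", "intranet"));
console.log(FindProxyForURL("http://intranet.mydomain.local/", "intranet.mydomain.local"));
console.log(FindProxyForURL("https://192.168.136.168/", "192.168.136.168"));
```

Serve the file at the address used in the “use automatic configuration script” setting (http://192.168.136.168/proxy.pac in the notes) or as wpad.dat via the wpad hostname; the logic is the same either way. Keep the exception list short and specific, since every host matched there is traffic the web filter never sees.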
(some non-web applications can use the system proxy settings and some don’t have settings at all)
(commonly they don’t support any authentication method other than basic proxy authentication)
(troubleshooting is difficult as no messages are generated)(use the transparent test proxy)
(when using a transparent proxy, applications may have some issues with HTTPS)(recommended to use a non-transparent proxy)
(www.support.microsoft.com/kb/271361)