
Web Proxy - Authentication (NTLM)

Ben
posted this on April 28, 2011 00:12

Author: Ben
Applies to Platform: UTM >2.4

This lesson will illustrate the necessary steps to configure a more advanced web proxy with Microsoft Active Directory (NTLM) integration on a typical Endian appliance. Using this form of the web proxy, we can use already existing Active Directory groups and users to create filtering profiles for different levels of web access.

Note

The use of Active Directory (NTLM) based authentication is the only way to achieve a "Single Sign-On" solution where users do not have to re-authenticate to the browser. In other words, when a user logs into their machine they are also authenticated for the web proxy automatically.

Configuration Example

[Diagram not available]

The diagram above illustrates some of the basic steps involved in web proxy authentication (specifically Active Directory). In our example, we'll use two AD groups (admin and general users) to define differing levels of filtering, with a more restrictive policy for general users.

Enable the Web Proxy

[Screenshot not available]

The first step is to enable the web proxy by clicking the gray button (which turns green when enabled). We'll set the operational mode to "non-transparent" for each network we want filtered.

Warning

When using the web proxy with authentication the only supported mode is non-transparent.

Configure the Log Settings

[Screenshot not available]

Since we want to have all web access (allowed and blocked) logged for review purposes, we're going to enable the appropriate logging options.

Click Save and then Apply the changes to proceed.

Configure the Content Filter Profile #1 (General Users)

[Screenshot not available]

The first profile we'll build is for our general users group, which will be more restrictive in terms of web access. In this example, we're only going to configure web filtering by URL blacklist, for ease of administration. The first thing we'll do is ensure the HTTP antivirus is enabled by checking the appropriate box. You can block a whole category by clicking the green arrow or, alternatively, drop down the subcategories and select them individually in order to block some and not others. You can also attach custom white- or blacklists to this profile.

Click Update Profile and then Apply the changes to proceed.

Configure the Content Filter Profile #2 (Admin Users)

[Screenshot not available]

The next profile is for the admin group and will be less restrictive for web access. Again, we're only using the URL blacklist for simplicity, but you can use the other forms of filtering as well.

Note

When you enable web filtering by phrases (Content Filtering), it blocks those categories of phrases based on the content "inside the page", which results in a more aggressive blocking strategy with a potentially higher false positive rate.

Configure Proxy Authentication

[Screenshot not available]

The next step is to configure the authentication piece of the web proxy, which requires joining the Endian appliance to your Active Directory server. The key pieces of information are (1) the Authentication Realm, which is just the domain, (2) the Domain name, (3) the PDC hostname of the AD server and (4) the PDC IP address. The BDC information is not required, so you can leave that section blank.

Click Save and then Apply the changes to proceed.

Note

The network authentication protocol used in Active Directory (Kerberos) has strict time requirements, which means the clocks of the involved hosts must be synchronized. Best practice is to indicate the PDC and BDC hosts as NTP servers for Endian.

Join the Endian to the AD Server

[Screenshot not available]

Now we can join the domain by providing a Domain Administrative user name and password (one with permissions to perform domain joins).

Once that's done, click Join ADS and you should see a successful message (illustrated above).

Configure the Access Policy (General Users)

[Screenshot not available]

The last step is to create an access policy, which maps a content filtering profile to a specific network and user or group. In the example above, we're creating a policy for the Green zone (entire network) for any user in the "general users" group that uses content filtering profile #1 (default).

Click Create Policy.

Configure the Access Policy (Admin Users)

[Screenshot not available]

Now we'll configure a separate access policy to map any Green network user belonging to the "domain admin" group to use the content filtering profile #2 (admin).

Click Create Policy and then Apply the changes.

Setup Client-Side Configuration

[Screenshot not available]

The easiest way to use the Endian web proxy with authentication in a semi-transparent fashion is to have the Endian also handle DHCP for the networks on which you wish to provide the web proxy. Using this method, all of the necessary DHCP parameters are automatically configured and handed out to client workstations, so they detect and use the proxy automatically, assuming the Internet Explorer configuration shown above is set. The setting "Automatically detect settings" must be enabled (which it is by default) for the IE browser to find the proxy automatically without any further manual configuration (PAC file).

The IE browser setting can generally be found under Tools > Internet Options > Connections tab > LAN Settings.

Test the Web Proxy

[Screenshot not available]

You can test your configuration now by browsing the Internet from the Green network and testing different user logins (admin and general user) to verify the appropriate content filtering profiles are being applied.

Verify Logging

[Screenshot not available]

You should also be able to view all the web traffic in real time by going to Logs > Live Log Viewer and selecting the "Web Proxy" log. You'll notice in both the live log viewer and the regular proxy logs (pictured above) that you can identify the username for individual traffic, which can help you in monitoring users' web behavior.
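The per-user view is what makes the proxy log useful for review. The following added example (not from the article or from Endian) parses proxy access-log lines and counts allowed, blocked and unauthenticated requests per user; it assumes the appliance writes Squid-native access.log lines, and the sample lines are constructed.

```python
"""Summarise per-user allowed/blocked requests from proxy access-log lines.

Added example, not from the Endian article. Assumes Squid-native access.log
lines (timestamp elapsed client action/status size method url user
hierarchy/peer type). The sample lines below are constructed.
"""
import re
from collections import defaultdict

# One Squid-native log line, whitespace separated.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: two authenticated users and one request that was
# challenged for credentials (407) and so carries no username ("-").
SAMPLE_LOG = """\
1301413700.123 215 192.168.0.10 TCP_MISS/200 5123 GET http://www.example.com/ EXAMPLE\\jdoe DIRECT/93.184.216.34 text/html
1301413701.456 2 192.168.0.10 TCP_DENIED/403 3120 GET http://games.example.net/ EXAMPLE\\jdoe NONE/- text/html
1301413702.789 180 192.168.0.20 TCP_MISS/200 8810 GET http://games.example.net/ EXAMPLE\\admin1 DIRECT/203.0.113.5 text/html
1301413703.001 1 192.168.0.30 TCP_DENIED/407 2048 GET http://www.example.com/ - NONE/- text/html
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(text):
    """Return {user: {"allowed": n, "denied": n, "unauthenticated": n}}."""
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0, "unauthenticated": 0})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than miscounting them
        if rec["status"] == "407":  # proxy asked for credentials; no user yet
            stats[rec["user"]]["unauthenticated"] += 1
        elif rec["action"].startswith("TCP_DENIED"):
            stats[rec["user"]]["denied"] += 1  # blocked by the filter profile
        else:
            stats[rec["user"]]["allowed"] += 1
    return dict(stats)


if __name__ == "__main__":
    for user, c in summarise(SAMPLE_LOG).items():
        print(f"{user:16} allowed={c['allowed']} denied={c['denied']} unauth={c['unauthenticated']}")
```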


Comments

Riaan

Would like to see this expanded to include

1. a mention of what should be done with the firewall setup when using the proxy, as well as the DNS

2. using the local authentication (NCSA)

May 25, 2012 11:40
Luca Giovenzana
Endian

Thanks Riaan, about (1) we could add this kind of hints in this article. About (2) I would say we need a different article; I'm going to post the request.

May 25, 2012 12:00
Riaan

Hi Luca,
When making the article about local (NCSA) authentication please put specific emphasis on the WPAD automatic proxy detection, because it does not want to work on 2.4.1. Thanks

May 28, 2012 15:17
Thao Bui Ngoc

I can't join EW to AD, I'm using EW 2.5.x software

August 12, 2012 17:50
Rafael Condidorio

I was able to join Endian 2.4.1 into our domain; however, when I tried to create an Access Policy and selected Group Based or User Based, I received the following message: Can't find the AD / LDAP server.

I simply can't understand why this error is occurring and what the solution could be. I tried googling over the internet for hours, reading several tutorials and guides; however, no one says how this problem can be solved.

Thank you all for any information that leads to a clue.

February 04, 2013 18:21
Luca Giovenzana
Endian

For everybody: if you have an enterprise version please open a support ticket; for community I suggest starting by upgrading to 2.5.

February 05, 2013 16:17
Cleber Constante de Souza

I have the same problem, Rafael, with Endian 2.5.1 and 2.5.2.

AD join runs fine. Afterwards, in the Access Policy, I received the same message: Can't find the AD / LDAP server. :(

Luca, any suggestion?

August 28, 2013 23:19
Alan Denton

To cure the AD / LDAP server not found, add the following:
Proxy -> DNS -> DNS routing -> Add new custom nameserver for a domain. Add your AD domain name and the IP address of the primary DNS server in your domain.

Network -> Edit Hosts -> Add a host. Add the name and IP address of the PDC (and BDC if required) you are specifying in the proxy.

September 02, 2013 17:07
Cleber Constante de Souza

I had already done this and the problem persists.

September 02, 2013 18:30
Luca Radaelli
Endian

Try to restart the emi service from ssh with this command: /etc/init.d/emi restart

September 17, 2013 17:03
Cleber Constante de Souza

Thanks, Luca. But the command didn't solve the problem.

I think I'll have to reinstall Endian.

Any other suggestions would be welcome.

[ ]'s

September 17, 2013 21:03
Luca Radaelli
Endian

Check if the time is synced with your AD controller and run wbinfo -u from ssh; if this command returns an error it means that Endian is not joined to your AD env or you have a DNS issue. If you experience other issues I suggest opening a ticket if you are an enterprise customer.

September 18, 2013 11:00
михаил иванов

I have a problem with an AD tree. Endian works with one realm. However, I want to authenticate users through 2 domains in a forest. If I manually edit krb5.conf, it is always rewritten by the Endian web interface -> Proxy. How can I authenticate users in an AD forest with several domains? Sorry for my English. Thanks.

November 10, 2013 15:28
Julian Mendax

Hello!

I'm new to Endian, coming from the world of pfSense and Cisco, and I'm in a not very complex environment with about 100 users, a DC server (Windows 2008 Enterprise) and one Endian 3.0 (Core i5). I followed the tutorial at the link below from scratch to set up proxy authentication using "NTLM", and using this tutorial the setup itself is correct! I can see the groups in AD DS and the Endian machine container in AD DS on the Windows Server 2008;

problem:

The authentication happens perfectly, but no surfing! I already checked the DNS on both (Server / Client), and below are the settings I made

Rules:

https://www.dropbox.com/s/8jt082px1kv4q0w/rules2.PNG


Could someone give me a "light" on what is going on? I accept suggestions for improvements in the environment, please. Thanks.

Julian MendaxCN


March 23, 2014 16:05