Applies to Platform: UTM 2.4, UTM 2.5
Last Update: 28 April 2011
This lesson illustrates the steps needed to configure a more advanced web proxy with Microsoft Active Directory (NTLM) integration on a typical Endian appliance. With this form of the web proxy, existing Active Directory groups and users can be used to create filtering profiles for different levels of web access.
The diagram above illustrates some of the basic steps involved in web proxy authentication (specifically with Active Directory). In our example, we'll use two AD groups (admin and general users) to define differing levels of filtering, with a more restrictive policy for general users.
Enable the Web Proxy
The first step is to enable the web proxy by clicking the gray button (which will turn green when enabled). We'll set the operational mode for each network we want filtered to be "non-transparent".
Configure the Log Settings
Since we want to have all web access (allowed and blocked) logged for review purposes, we're going to enable the appropriate logging options.
Click Save and then Apply the changes to proceed.
Configure the Content Filter Profile #1 (General Users)
The first profile we'll build is for our general users group, which will be more restrictive in terms of web access. In this example, we'll configure web filtering by URL blacklist only, for ease of administration. First, ensure HTTP antivirus is enabled by checking the appropriate box. You can block a whole category by clicking the green arrow or, alternatively, expand the subcategories and select them individually to block some and not others. You can also attach custom whitelists or blacklists to this profile.
Click Update Profile and then Apply the changes to proceed.
Configure the Content Filter Profile #2 (Admin Users)
The next profile is for the admin group and will be less restrictive for web access. Again, we're only using the URL blacklist for simplicity, but you can use the other forms of filtering as well.
Configure Proxy Authentication
The next step is to configure the authentication part of the web proxy, which requires joining the Endian appliance to your Active Directory server. The key pieces of information are (1) the Authentication Realm, which is just the domain, (2) the Domain name, (3) the PDC hostname of the AD server and (4) the PDC IP address. The BDC information is not required, so you can leave that section blank.
Click Save and then Apply the changes to proceed.
Join the Endian to the AD Server
Now we can join the domain by providing a Domain Administrative user name and password (one with permissions to perform domain joins).
Once that's done, click Join ADS and you should see a successful message (illustrated above).
Configure the Access Policy (General Users)
The last step is to create an access policy, which maps a content filtering profile to a specific network configuration. In the example above, we're creating a policy for the Green zone (entire network) for any user in the "general users" group, using content filtering profile #1 (default).
Click Create Policy.
Configure the Access Policy (Admin Users)
Now we'll configure a separate access policy to map any Green network user belonging to the "domain admin" group to content filtering profile #2 (admin).
Click Create Policy and then Apply the changes.
Setup Client-Side Configuration
The easiest way to use the Endian web proxy with authentication in a semi-transparent fashion is to have the Endian also handle DHCP for the networks you want the web proxy to serve. With this method, all of the necessary DHCP parameters are configured automatically and handed out to client workstations, so they detect and use the proxy automatically, provided the Internet Explorer setting shown above is set. The "Automatically detect settings" option must be enabled (it is by default) for the IE browser to find the proxy automatically without any further manual configuration (PAC file).
The IE browser setting can generally be found under Tools > Internet Options > Connections tab > LAN Settings.
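The "Automatically detect settings" mechanism ends with the browser fetching a PAC file and calling its FindProxyForURL function for every request. The following is an added example of such a PAC file, written for this page and not taken from Endian or the article; the proxy address 192.0.2.1, the port 8080 and the internal DNS suffix .corp.example are constructed placeholders, and the three helper functions (isPlainHostName, dnsDomainIs, shExpMatch) are re-implemented here only so the script can be exercised outside a browser, which normally supplies them.

```javascript
// Added example: a minimal PAC file for an authenticating, non-transparent proxy.
// Assumptions (constructed values, substitute your own): the Endian GREEN
// address is 192.0.2.1, the proxy listens on 8080, and the AD DNS suffix is
// .corp.example.
var PROXY_HOST = "192.0.2.1";
var PROXY_PORT = 8080;
var INTERNAL_DOMAIN = ".corp.example";

// Browsers provide these helpers to PAC scripts; they are re-implemented so the
// function below can be run and tested under Node as well.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches anything, '?' matches one character.
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  // Plain host names and the AD domain stay inside the network: intranet
  // traffic is neither filtered nor logged by the web proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Loopback never goes through the proxy.
  if (host === "localhost" || shExpMatch(host, "127.*")) {
    return "DIRECT";
  }
  // Everything else goes through the authenticating proxy. A trailing
  // "; DIRECT" fallback is deliberately omitted: if the proxy is down the
  // browser should fail closed rather than silently bypass filtering.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

The fail-closed choice in the last return is the point to check in any PAC you deploy: a "PROXY ...; DIRECT" chain is convenient, but it means every client quietly leaves the filtered, logged path whenever the proxy is unreachable.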
Test the Web Proxy
You can now test your configuration by browsing the Internet from the Green network with different user logins (admin and general user) to verify that the appropriate content filtering profiles are applied.
You should also be able to view all web traffic in real time by going to Logs > Live Log Viewer and selecting the "Web Proxy" log. You'll notice in both the live log viewer and the regular proxy logs (pictured above) that you can identify the username for individual traffic, which helps in monitoring users' web behavior.
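Because the authenticated proxy records a username on every request, the proxy log can be turned into a per-user activity summary (requests, denied requests, bytes, distinct hosts). The following is an added example written for this page, not code from Endian; the sample lines are constructed in Squid's native access.log layout (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, username, hierarchy/peer, MIME type), and it is an assumption that the Endian proxy log uses exactly that layout, so compare the field order against what Logs > Live Log Viewer shows before relying on it.

```javascript
// Added example: per-user summary of proxy log lines. SAMPLE_LOG is constructed
// test data in Squid native access.log layout (an assumption about Endian's
// proxy log format; verify field order against your own Live Log Viewer).
const SAMPLE_LOG = [
  "1303994123.456    120 192.168.0.10 TCP_MISS/200 15321 GET http://www.example.org/ jdoe DIRECT/93.184.216.34 text/html",
  "1303994124.001     12 192.168.0.10 TCP_DENIED/403 2214 GET http://blocked.example/ jdoe NONE/- text/html",
  "1303994125.789     80 192.168.0.20 TCP_HIT/200 8811 GET http://www.example.org/logo.png asmith NONE/- image/png",
  "1303994126.100      5 192.168.0.30 TCP_DENIED/407 1500 GET http://www.example.org/ - NONE/- text/html",
  "garbage line that should be skipped",
].join("\n");

// Parse one line into an object, or return null for malformed input.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [result, status] = f[3].split("/");
  const bytes = parseInt(f[4], 10);
  if (!/^TCP_|^UDP_|^NONE/.test(result) || Number.isNaN(bytes)) return null;
  return {
    time: new Date(parseFloat(f[0]) * 1000),
    client: f[2],
    result,
    status: parseInt(status, 10),
    bytes,
    method: f[5],
    url: f[6],
    user: f[7] === "-" ? null : f[7],   // "-" means no authenticated user
    mime: f[9],
  };
}

// Aggregate per username. 407 responses are the proxy asking for NTLM
// credentials, not a user action, so they are excluded from the counts.
function summarise(logText) {
  const perUser = {};
  for (const line of logText.split("\n")) {
    const e = parseLine(line);
    if (!e || e.status === 407) continue;
    const key = e.user || "(unauthenticated)";
    const s = perUser[key] ||
      (perUser[key] = { requests: 0, denied: 0, bytes: 0, hosts: new Set() });
    s.requests += 1;
    s.bytes += e.bytes;
    if (e.result === "TCP_DENIED" || e.status === 403) s.denied += 1;
    s.hosts.add(new URL(e.url).hostname);
  }
  return perUser;
}

// Render the summary as one line per user, most requests first.
function report(perUser) {
  return Object.entries(perUser)
    .sort((a, b) => b[1].requests - a[1].requests)
    .map(([user, s]) =>
      `${user}: ${s.requests} requests, ${s.denied} denied, ${s.bytes} bytes, ${s.hosts.size} hosts`);
}

console.log(report(summarise(SAMPLE_LOG)).join("\n"));
```

A user whose denied count climbs while the general-users profile is active is exactly the signal the article's logging settings were enabled to capture; the 407 filter matters because every NTLM handshake produces one of those lines and would otherwise inflate the unauthenticated bucket.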
Would like to see this expanded to include:
1. a mention of what should be done with the firewall setup when using the proxy, as well as the DNS
2. using the local authentication (NCSA)
Thanks Riaan. About (1), we could add this kind of hint to this article. About (2), I would say we need a different article; I'm going to post the request.
When making the article about local (NCSA) authentication, please put specific emphasis on the WPAD automatic proxy detection, because it does not want to work on 2.4.1. Thanks
I can't join EW to AD, I'm using EW 2.5.x software
I was able to join Endian 2.4.1 to our domain; however, when I tried to create an Access Policy and selected Group Based or User Based, I received the following message: Can´t find the AD / LDAP server.
I simply can't understand why this error is occurring or what the solution could be. I tried googling over the internet for hours, reading several tutorials and guides, but none of them says how this problem can be solved.
Thank you all for any information that leads to a clue.
For everybody: if you have an enterprise version, please open a support ticket; for community, I suggest starting by upgrading to 2.5.
I have the same problem, Rafel, with Endian 2.5.1 and 2.5.2.
The AD join runs fine. Afterwards, in the Access Policy, I received the same message: Can´t find the AD / LDAP server. :(
Luca, any suggestion?
To cure the "AD / LDAP server not found" error, add the following:
1. Proxy -> DNS -> DNS routing -> Add new custom nameserver for a domain. Add your AD domain name and the IP address of the primary DNS server in your domain.
2. Network -> Edit Hosts -> Add a host. Add the name and IP address of the PDC (and BDC if required) you are specifying in the proxy.
I had already done this and the problem persists.
Try restarting the emi service from ssh with this command: /etc/init.d/emi restart
Thanks, Luca. But the command didn't solve the problem.
I think I'll have to reinstall endian.
Any other suggestions would be welcome.
Check if the time is synced with your AD controller and run wbinfo -u from ssh; if this command returns an error, it means that Endian is not joined to your AD environment or you have a DNS issue. If you experience other issues, I suggest opening a ticket if you are an enterprise customer.
I have a problem with an AD tree. Endian works with one realm. However, I want to authenticate users through 2 domains in a forest. If I manually edit krb5.conf, it always gets rewritten by the Endian web interface -> proxy. How can I authenticate users in an AD forest with several domains? Sorry for my English. Thanks.
I'm new to Endian, coming from the world of pfSense and Cisco. I'm in a not very complex environment, with about 100 users, a DC server (Windows 2008 Enterprise) and one Endian 3.0 (Core i5). I followed the tutorial link below from scratch to set up an "unauthenticated" proxy using "NTLM"; using this tutorial, the setup itself is correct! I can see the groups in AD DS and the Endian machine in the Endian container in AD DS on the Windows Server 2008;
The authentication happens perfectly, but no browsing! I have already checked the DNS on both (server / client), and below follow the settings I made
Could someone shed some "light" on what is going on? Suggestions for improvements in the environment are welcome. Thanks.