How do I filter my Google devices when external to the network?

Article #: Product Castle

Connect for Chromebooks

Google Sign-In on SSL Login Pages

Glamis onwards


Your organization makes use of:

  • Connect for Chromebooks


  • Uses Google authentication with SSL login pages

and wants to apply filtering policies when network devices are taken off-site.


Additional configuration is required to set this up.


Smoothwall's Secure Global Proxy feature can be used to allow Google users (either by Connect for Chromebooks, or via an SSL / non-SSL login page) to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy requires the following:

  • You must be able to point an external domain name to your publicly facing external IP address
  • The Smoothwall must have a fully qualified hostname, which must resolvable both internally and externally
  • If you have a firewall between the Smoothwall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall
  • An additional Guardian authentication policy — Non-transparent > Global Proxy using NTLM — with the following configuration:
    • Type — Non-transparent
    • Method — Global Proxy using NTLM
    • Interface — Select the internal network interface used for the Non-transparent > Core authentication policy created previously
    • Port — Select the relevant internal proxy port
    • Where — Everywhere
    • Options for unauthenticated requests — Choose the group configured for unauthenticated Chromebooks (see How do I allow Google services through my Smoothwall?
    • Ensure this policy is configured on the same interface as the Non-transparent – Core authentication policy — see
    • Set this supplementary policy directly below the Non-transparent > Core authentication policy created previously
  • Use Global proxy to identify the external device, and filter accordingly — go to Web proxy > Global proxy > Settings
    • We recommend using a Client supplied certificate to identify external devices.
    • Tip: With Connect for Chromebook devices, client-side certificates must be manually installed directly into each individual Chromebook as they cannot be distributed via the Google Admin console.

    • Alternatively, you can identify external devices by means of a Secure URL
    • Or by using the No identification (Open proxy) method. You should be aware that this method opens a port on the external interface.

What's Left To Do to setup Connect for Chromebooks?

What's Left To Do to Setup Google Sign-In on SSL Login Pages


Last updated: Author: Contributions by:
9th May 2017 Tanja Ehrhardt Samantha Nair