How do I filter my Google devices when external to the network?

Article #: #

Product: Connect for Chromebooks; Google Sign-In on SSL Login Pages

Castle: Glamis onwards

Summary

Your organization uses either:

  • Connect for Chromebooks

or

  • Google authentication with SSL login pages

and wants to apply filtering policies when network devices are taken off-site.

Problem

Additional configuration is required to set this up.

Solution

Smoothwall's Secure Global Proxy feature can be used to allow Google users (either by Connect for Chromebooks, or via an SSL / non-SSL login page) to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy requires the following:

  • You must be able to point an external domain name to your publicly facing external IP address
  • The Smoothwall must have a fully qualified hostname, which must be resolvable both internally and externally
  • If you have a firewall between the Smoothwall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall
  • An additional Guardian authentication policy — Non-transparent > Global Proxy using NTLM — with the following configuration:
      • Type — Non-transparent
      • Method — Global Proxy using NTLM
      • Interface — Select the internal network interface used for the Non-transparent > Core authentication policy created previously
      • Port — Select the relevant internal proxy port
      • Where — Everywhere
      • Options for unauthenticated requests — Choose the group configured for unauthenticated Chromebooks (see How do I allow Google services through my Smoothwall?)
      • Ensure this policy is configured on the same interface as the Non-transparent – Core authentication policy — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm
      • Set this supplementary policy directly below the Non-transparent > Core authentication policy created previously
  • Use Global proxy to identify the external device, and filter accordingly — go to Web proxy > Global proxy > Settings
      • We recommend using a Client supplied certificate to identify external devices.

        Tip: With Connect for Chromebook devices, client-side certificates must be manually installed directly into each individual Chromebook as they cannot be distributed via the Google Admin console.

      • Alternatively, you can identify external devices by means of a Secure URL
      • Or by using the No identification (Open proxy) method. You should be aware that this method opens a port on the external interface.
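
The DNS and port-forward prerequisites above can be verified before users report failures. The following is an added example, not Smoothwall's own tooling: a preflight check to run once from an internal machine and once from an off-site device. The function names, the script name and the command-line arguments are assumptions made for this illustration.

```python
import socket
import sys

def resolve(hostname):
    """IPv4 addresses returned by the resolver of the network we are on."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(hostname, port, vantage, public_ip=None,
              resolver=resolve, connector=port_open):
    """Return a list of unmet prerequisites; an empty list means all checks passed.

    vantage is "internal" or "external": run the script once from each side.
    resolver and connector are injectable so the logic can be tested offline.
    """
    problems = []
    if "." not in hostname.strip("."):
        problems.append(f"{hostname!r} is not a fully qualified hostname")
    addrs = resolver(hostname)
    if not addrs:
        problems.append(f"{hostname} does not resolve from the {vantage} network")
        return problems  # nothing to connect to
    if vantage == "external" and public_ip and public_ip not in addrs:
        problems.append(f"external DNS returns {addrs}, expected public IP {public_ip}")
    if not connector(hostname, port):
        hint = " (check the port forward)" if vantage == "external" else ""
        problems.append(f"TCP {port} on {hostname} unreachable from the {vantage} network{hint}")
    return problems

if __name__ == "__main__":
    # Usage (hypothetical script name): preflight.py HOSTNAME PORT internal|external [PUBLIC_IP]
    host, port, vantage = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    public_ip = sys.argv[4] if len(sys.argv) > 4 else None
    issues = preflight(host, port, vantage, public_ip)
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

A reachable port only confirms the network path; which identification method the proxy enforces on that port is still set under Web proxy > Global proxy > Settings.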

 

What's Left To Do to setup Connect for Chromebooks?

What's Left To Do to Setup Google Sign-In on SSL Login Pages

Attribution:

Last updated: 9th May 2017

Author: Tanja Ehrhardt

Contributions by: Samantha Nair

Copyright © 2000-2016 Smoothwall All rights reserved.