How do I filter my Google devices when external to the network?

Article #:




Connect for Chromebooks

Google Sign-In on SSL Login Pages

Glamis onwards


Your organization makes use of:

  • Connect for Chromebooks


  • Uses Google authentication with SSL login pages

and wants to apply filtering policies when network devices are taken off-site.


Additional configuration is required to set this up.


Smoothwall's Secure Global Proxy feature can be used to allow Google users (either by Connect for Chromebooks, or via an SSL / non-SSL login page) to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy requires the following:

You must be able to point an external domain name to your publicly facing external IP address
The Smoothwall must have a fully qualified hostname, which must resolvable both internally and externally
If you have a firewall between the Smoothwall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall
An additional Guardian authentication policy — Non-transparent > Global Proxy using NTLM — with the following configuration:
Type — Non-transparent
Method — Global Proxy using NTLM
Interface — Select the internal network interface used for the Non-transparent > Core authentication policy created previously
Port — Select the relevant internal proxy port
Where — Everywhere
Options for unauthenticated requests — Choose the group configured for unauthenticated Chromebooks (see How do I allow Google services through my Smoothwall?
Ensure this policy is configured on the same interface as the Non-transparent – Core authentication policy — see
Set this supplementary policy directly below the Non-transparent > Core authentication policy created previously
Use Global proxy to identify the external device, and filter accordingly — go to Web proxy > Global proxy > Settings
We recommend using a Client supplied certificate to identify external devices.

Tip: With Connect for Chromebook devices, client-side certificates must be manually installed directly into each individual Chromebook as they cannot be distributed via the Google Admin console.

Alternatively, you can identify external devices by means of a Secure URL
Or by using the No identification (Open proxy) method. You should be aware that this method opens a port on the external interface.


What's Left To Do to setup Connect for Chromebooks?


What's Left To Do to Setup Google Sign-In on SSL Login Pages


Last updated:


Contributions by:

9th May 2017

Tanja Ehrhardt

Samantha Nair



Copyright © 2000-2018 Smoothwall All rights reserved.