How do I filter my Google devices when external to the network?

Article #: #

Product: Connect for Chromebooks, Google Sign-In on SSL Login Pages

Castle: Glamis onwards

Summary

Your organization uses either:

  • Connect for Chromebooks

or

  • Google authentication with SSL login pages

and wants to apply filtering policies when network devices are taken off-site.

Problem

Additional configuration is required to set this up.

Solution

Smoothwall's Secure Global Proxy feature can be used to allow Google users (either by Connect for Chromebooks, or via an SSL / non-SSL login page) to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy requires the following:

  • You must be able to point an external domain name to your publicly facing external IP address
  • The Smoothwall must have a fully qualified hostname, which must be resolvable both internally and externally
  • If you have a firewall between the Smoothwall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall
  • An additional Guardian authentication policy — Non-transparent > Global Proxy using NTLM — with the following configuration:
    • Type — Non-transparent
    • Method — Global Proxy using NTLM
    • Interface — Select the internal network interface used for the Non-transparent > Core authentication policy created previously
    • Port — Select the relevant internal proxy port
    • Where — Everywhere
    • Options for unauthenticated requests — Choose the group configured for unauthenticated Chromebooks (see How do I allow Google services through my Smoothwall?)
    • Ensure this policy is configured on the same interface as the Non-transparent – Core authentication policy — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm
    • Set this supplementary policy directly below the Non-transparent > Core authentication policy created previously
  • Use Global proxy to identify the external device, and filter accordingly — go to Web proxy > Global proxy > Settings
    • We recommend using a Client supplied certificate to identify external devices.
    • Tip: With Connect for Chromebook devices, client-side certificates must be manually installed directly into each individual Chromebook as they cannot be distributed via the Google Admin console.

    • Alternatively, you can identify external devices by means of a Secure URL
    • Or by using the No identification (Open proxy) method. You should be aware that this method opens a port on the external interface.
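
A way to verify the first three requirements above (external name, resolvable fully qualified hostname, port forward) before enabling Global Proxy. This is an added example, not Smoothwall code. Run it once on-site with `"internal"` and once off-site with `"external"`; the hostname, port 8080 and address 203.0.113.10 are constructed placeholders, and only IPv4 is checked.

```python
import ipaddress
import socket

# RFC 1918 ranges: an external lookup must not return one of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(hostname):
    """IPv4 addresses the local resolver returns for hostname ([] if none)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def port_open(address, port, timeout=5):
    """True if a TCP connection to address:port succeeds."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_prerequisites(hostname, port, vantage, public_ip=None,
                        resolver=resolve, prober=port_open):
    """List the prerequisites that fail when run from 'internal' or 'external'."""
    problems = []
    if "." not in hostname.strip("."):
        problems.append("hostname is not fully qualified")
    addresses = resolver(hostname)
    if not addresses:
        problems.append(f"{hostname} does not resolve from the {vantage} network")
        return problems
    if vantage == "external":
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            if ip.is_loopback or any(ip in net for net in RFC1918):
                problems.append(f"{addr} is not a public address")
        if public_ip and public_ip not in addresses:
            problems.append(f"{hostname} does not point to {public_ip}")
    if not any(prober(addr, port) for addr in addresses):
        problems.append(f"proxy port {port} is not reachable; check the port forward")
    return problems

if __name__ == "__main__":
    # Constructed placeholders: substitute your own hostname, proxy port and public IP.
    for problem in check_prerequisites("proxy.example.org", 8080, "external",
                                       public_ip="203.0.113.10"):
        print("FAIL:", problem)
```

An empty result from both vantage points means the name, address and port forward are in place; it says nothing about the authentication policy or the identification method chosen under Web proxy > Global proxy > Settings.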

What's Left To Do to setup Connect for Chromebooks?

What's Left To Do to Setup Google Sign-In on SSL Login Pages

Attribution:

Last updated: 9th May 2017
Author: Tanja Ehrhardt
Contributions by: Samantha Nair