How do I allow Google services through my Smoothwall?

Article #: #

Product: Connect for Chromebooks; Google Sign-In on SSL Login Pages

Castle: Glamis onwards

Summary

Your organization makes use of:

  • Connect for Chromebooks

or

  • Uses Google authentication with SSL login pages

and wants to ensure that communication back to Google's servers is uninterrupted, and that all filtering policies are still applied to end-users.

Problem

You need to create additional filtering and access policies in the Smoothwall. This is especially important if your Google devices are used off-site.

Solution

Unauthenticated Chromebooks Group - For Connect for Chromebooks Users Only

Note: It is assumed that you have already created a group for other unauthenticated users.

From time to time, unauthenticated Chromebook users may attempt to browse the Internet. You can create a group where all such web requests are assigned, then create a Guardian authentication policy to either completely block access or only allow limited access (see below).

Typically, unauthenticated web requests are assigned to the Unauthenticated IPs group (see https://help.smoothwall.net/Latest/Content/modules/auth/cgi-bin/auth/groups.htm). If required, you can create a separate group to handle unauthenticated Chromebooks.

  1. On the Smoothwall, go to Services > Authentication > Groups.
  2. Configure a new group name for unauthenticated Chromebooks.

Tip: When creating a Guardian authentication policy, you are provided with options to configure the behavior for unauthenticated requests. Typically, this is step 3. Specify the new Chromebooks group there. See below for additional authentication policies.

Guardian Authentication Policies

Guardian authentication policies are specific to your organization’s needs. These determine how user credentials are obtained from the browser before allowing the user to browse.

The following additional policies are required in the Web proxy > Authentication > Manage policies page of the Smoothwall administration user interface:

Note that this policy is available by default for new Guardian installations, so it may already be in place. If so, ensure that this policy is on the internal interface used by the Connect for Chromebooks extension, or the SSL / non-SSL login pages.

Set this policy as the first authentication method on the Smoothwall interface (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authpolicy.htm).
  • An additional policy, Global Proxy using NTLM, is required to allow devices to be filtered when external to the network. A detailed description is available here.

Tip: Step 3 of the authentication policy wizard provides options for unauthenticated requests. If required, you can select the group created previously for unauthenticated Chromebooks and other unauthenticated Google users.

The resultant Authentication policy table should look something like this screenshot. In this example, the supplementary addition of the Global Proxy using NTLM policy has been configured for external proxy clients:

Guardian Authentication Exceptions

A Guardian authentication exception is used for those sites that users must be able to access without authenticating first, for example, those for automatic Microsoft Windows updates.

Your Smoothwall contains a Guardian category labeled Connect for Chromebooks. This category contains all Google websites necessary for Google user authentication, such as single sign-on. These websites must be accessible for all Chromebook devices and those serving the SSL / non-SSL login pages with the Google Sign-In button.

You must create a Guardian authentication exception for the Connect for Chromebooks category — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authexceptions.htm.

Guardian Filtering Whitelist Policy

Categories that are whitelisted contain content that is not subjected to outgoing filtering or dynamic content analysis. You can create a whitelist policy to prevent unintentional blocking of listed websites.

Your Smoothwall contains a Guardian category labeled Connect for Chromebooks. This category contains all Google websites necessary for Google user authentication such as single sign-on. These websites must be accessible by all Chromebooks and those serving the SSL / non-SSL login pages with the Google Sign-In button.

You must create a Guardian whitelist policy for the Connect for Chromebooks category (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/filteringpolicywiz.htm), with the following configuration:

  • Who — Everyone
  • What — Connect for Chromebooks
  • Where — Everywhere
  • When — Always
  • Action — Whitelist

Set the whitelist policy as the very first policy in the Web filter policies table on the Guardian > Web filter > Manage policies page — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/policies.htm.

Guardian HTTPS Do Not Inspect Policy

Guardian HTTPS inspection policies determine the Smoothwall's behavior when processing secure web traffic, that is, traffic to web sites whose addresses start with HTTPS://. A Do not inspect HTTPS policy leaves such traffic unintercepted, for example, traffic to and from banking sites.

Your Smoothwall contains a Guardian category labeled Connect for Chromebooks. This category contains all Google websites necessary for Google user authentication such as single sign-on. The majority of these sites are HTTPS sites, but because they are necessary for Google user authentication, they do not need inspecting.

You must create a Guardian Do not inspect HTTPS policy for the Connect for Chromebooks category (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/httpspolicywiz.htm), with the following configuration:

  • Who — Everyone
  • What — Connect for Chromebooks
  • Where — Everywhere
  • When — Always
  • Action — Do not inspect

Set the policy as the very first policy in the HTTPS inspection policies table on the Guardian > HTTPS inspection > Manage policies page (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/https.htm).
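
One way to verify the Do not inspect policy from a client, as an added example that is not part of the original article or Smoothwall's own tooling: if the certificate a client receives for a Google sign-in host is issued by the Smoothwall's HTTPS inspection CA, the policy is not matching that host. The CA name below is a placeholder and `accounts.google.com` is an assumed member of the Connect for Chromebooks category; substitute your own values.

```shell
#!/bin/sh
# Added example (not Smoothwall code): confirm from a client that HTTPS to a
# Google sign-in host is NOT being inspected, by checking who issued the
# certificate the client actually receives.

# Assumption: name of the CA your Smoothwall signs inspected traffic with.
INSPECTION_CA="${INSPECTION_CA:-Example Smoothwall Inspection CA}"

# issuer_of HOST [PROXY_HOST:PORT]: print the issuer line of the certificate
# presented for HOST, optionally tunnelling through an explicit proxy.
issuer_of() {
    host=$1
    proxy=${2:-}
    set -- -connect "$host:443" -servername "$host"
    if [ -n "$proxy" ]; then
        set -- "$@" -proxy "$proxy"
    fi
    openssl s_client "$@" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# classify_issuer ISSUER_LINE: inspected | not-inspected | unknown (no cert seen).
classify_issuer() {
    case "$1" in
        *"$INSPECTION_CA"*) echo inspected ;;
        "")                 echo unknown ;;
        *)                  echo not-inspected ;;
    esac
}

# report: read "host<TAB>issuer" lines on stdin, print "host status" for each,
# and return 1 if any host was inspected or could not be checked.
report() {
    rc=0
    while IFS="$(printf '\t')" read -r name issuer; do
        status=$(classify_issuer "$issuer")
        printf '%s %s\n' "$name" "$status"
        [ "$status" = "not-inspected" ] || rc=1
    done
    return "$rc"
}

# check_hosts PROXY HOST...: live check; pass "" as PROXY for transparent filtering.
# Example: check_hosts "" accounts.google.com
check_hosts() {
    proxy_arg=$1; shift
    for h in "$@"; do
        printf '%s\t%s\n' "$h" "$(issuer_of "$h" "$proxy_arg")"
    done | report
}
```

Run `check_hosts` from a filtered Chromebook network segment after placing the policy first in the table; an `inspected` result means another HTTPS inspection policy is still matching ahead of it.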

Allowing Access to Smoothwall Services

If you are using the Inverness release or above:

  • Add a Smoothwall access rule for the following services to the interface used by the Guardian authentication policies (if they do not already exist in Network > Firewall > Smoothwall access):
    • Other web access on HTTP (80)
    • Other web access on HTTPS (442)

If you are using the Hearst release or earlier:

  • Add the following external access rules to the interface used by the Guardian authentication policies (if they do not already exist in System > Administration > External access):
    • Other web access on HTTP (80)
    • Other web access on HTTPS (442)

Tip: If your Chromebooks are also used off-site, also add external access rules for the two services on the External interface.

 

What's Left To Do to Set Up Connect for Chromebooks?

What's Left To Do to Set Up Google Sign-In on SSL Login Pages

Attribution:

Last updated: 9th May 2017

Author: Tanja Ehrhardt

Contributions by: Samantha Nair

 

 

Copyright © 2000-2016 Smoothwall All rights reserved.