Web Proxy Authentication Scenarios

Article #: KB-106
Product: Guardian
Version: All

Summary:

The following are high-level examples of how you can configure Guardian to suit your organization’s authentication requirements.

New Content Filtering – Changing the Listening Port

Anna runs an Internet cafe. She is replacing her current content filter with Guardian because of its superior filtering. To avoid reconfiguring each workstation, she needs Guardian to listen on the same port as before, which was port 3128.

Anna goes to the Web proxy > Authentication > Manage policies page which shows the default configuration of no authentication on port 800. She clicks the Edit button on the entry displayed which takes her to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface and port are disabled. She changes the port to 3128 and saves her changes, and a message prompts her to restart Guardian.

Providing Filtered Web Access to the Public

Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian wants to provide filtered web access for a new conference center open to the public. He does not want delegates to need to configure a proxy in their browsers.

Brian configures Guardian to listen in transparent mode. On the Web proxy > Authentication > Policy wizard page, he selects Transparent and No authentication and leaves the other options at their defaults.

After adding this entry, on the Web proxy > Authentication > Manage policies page, he can see the new transparent authentication policy, so he removes the default entry for port 800.

He then configures the firewall and DHCP servers on the network to route traffic through Guardian.

Requiring Authentication to Browse the Web

Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and shared PCs in the lobby. The wireless network is secured but Charlotte needs to know which guest is responsible for web traffic in case of misuse. She wants a simple system which doesn’t require guests to register their wireless devices.

Charlotte creates a local user account for each room, with names like ‘room23’ and a random simple password. Guests are told the password for their room when they check in if they request Internet access, and the password is changed when they check out.

Charlotte then configures Guardian in transparent mode on the Web proxy > Authentication > Manage policies page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other options at their defaults. She removes the entry for port 800 before restarting Guardian.

Using Multiple Authentication Methods

Donald is a college system administrator. His network contains Windows PCs, Apple Macs, and network points for student laptops. Donald wants to provide authentication across the network using single sign-on wherever possible.

For Apple Macs, Donald creates a location on the Guardian > Policy objects > Locations page, which he names ‘Macs’. This location contains the IP address ranges assigned to Macs.

On the Web proxy > Authentication > Manage policies page, he edits the default entry for port 800, changing the authentication method to NTLM authentication. Then he adds a new entry, choosing IDENT authentication for the location ‘Macs’, moving it above the entry for NTLM on the Web proxy > Authentication > Manage policies page. Finally he adds an entry for the laptops for transparent connections and Redirect to SSL Login.

Using group policy and central admin tools, he configures the Windows PCs and Apple Macs to use Guardian, and installs an IDENT server on the Apple Macs. Windows and Mac users now authenticate to Guardian using their desktop login session, but laptop users are presented with the SSL Login screen when they browse.
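Why the order of Donald's entries matters, as an added example that is not part of the original article or of Guardian itself: a small Python model that picks the authentication method for a client and flags entries that an earlier entry hides. The address ranges, the catch-all scope of the default entry, the unset port for transparent mode and top-down first-match evaluation are all assumptions made for illustration.

```python
import ipaddress

# Constructed model of the three entries in this scenario. Ranges, scopes and
# first-match evaluation are assumptions, not Guardian's documented behaviour.
MACS = [ipaddress.ip_network("10.0.20.0/24")]     # constructed range for location 'Macs'
EVERYWHERE = [ipaddress.ip_network("0.0.0.0/0")]  # assumed scope of the default entry

def policy(mode, port, location, networks, method):
    return {"mode": mode, "port": port, "location": location,
            "networks": networks, "method": method}

IDENT_MACS = policy("proxy", 800, "Macs", MACS, "IDENT")
NTLM_DEFAULT = policy("proxy", 800, "Everywhere", EVERYWHERE, "NTLM")
SSL_LAPTOPS = policy("transparent", None, "Everywhere", EVERYWHERE,
                     "Redirect to SSL Login")

def select_method(policies, client_ip, mode, port=None):
    """Return the method of the first entry matching mode, port and source address."""
    addr = ipaddress.ip_address(client_ip)
    for p in policies:
        if p["mode"] != mode or p["port"] != port:
            continue
        if any(addr in net for net in p["networks"]):
            return p["method"]
    return None  # no entry matches; the model makes no claim about what happens next

def shadowed(policies):
    """List entries that can never match because an earlier entry on the same
    mode and port already covers all of their networks."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            same_listener = ((earlier["mode"], earlier["port"])
                             == (later["mode"], later["port"]))
            covered = all(any(n.subnet_of(e) for e in earlier["networks"])
                          for n in later["networks"])
            if same_listener and covered:
                hidden.append((later["location"], later["method"]))
                break
    return hidden

DONALD_ORDER = [IDENT_MACS, NTLM_DEFAULT, SSL_LAPTOPS]  # IDENT moved above NTLM
WRONG_ORDER = [NTLM_DEFAULT, IDENT_MACS, SSL_LAPTOPS]   # IDENT left below NTLM
```

Under these assumptions, `shadowed(WRONG_ORDER)` reports the ‘Macs’ IDENT entry as unreachable, which is the situation Donald avoids by moving it above the NTLM entry.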

Attribution:

Last updated: Author: Contributions by:
21st April 2017   SN