When to use non-transparent authentication policies

Article #: KB-113

Product: Guardian

Version: All

Summary:

This article provides guidance on when a non-transparent authentication policy (Web proxy > Authentication > Policy wizard) would be suitable.

FULL DESCRIPTION:

Non-transparent connections from users’ web browsers to Guardian are suitable when content is accessed using HTTPS or when using NTLM or proxy authentication or identification in terminal services compatibility mode.

Connecting to Guardian non-transparently entails configuring users’ web browsers to use Guardian as the web proxy using one of the following methods:

Manually – Web browser LAN settings are manually configured. See Creating a Non-transparent Connection Manually for more information.
Automatic configuration script – Web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script which is generated by Guardian. See Configuring Non-transparent Connections Using a PAC Script for more information.
WPAD automatic script – Web browser LAN settings are configured to detect proxy settings. See Configuring a Non-transparent Connection Using a WPAD Automatic Script for more information.

Creating a Non-transparent Connection Manually

Note: The following instructions apply to Internet Explorer 7. For information about other browsers, refer to the documentation delivered with the browsers.

To create a non-transparent connection manually:

1. On users’ computers, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected.
4. In the Proxy server area, select Use a proxy server for your LAN …
5. Enter Guardian's IP address and port number 800 and select Bypass proxy server for local addresses.
6. Click Advanced to access more settings. In the Exceptions area, enter Guardian’s IP address and any other IP addresses to content that you do not want filtered, for example, your intranet or local wiki.
7. Click OK and OK to save the settings.

Configuring Non-transparent Connections Using a PAC Script

A proxy auto-config (PAC) script is a file generated by Guardian. Once configured, any changes to connections are automatically retrieved by the user’s web browser. For information about working with PAC scripts, see our help topic Using PAC Scripts.

Note: The following instructions apply to Internet Explorer 7. For information about other browsers, see the documentation delivered with the browsers.

To configure a non-transparent connection using a PAC script:

1. On the user’s computer, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the settings as follows:
Automatically detect settings — Deselect this option.
Use automatic configuration script — Select this option.
Address — Enter the address of the script.

Tip: To locate the address, go to the Smoothwall user interface's Web proxy > Web proxy > Settings page. The address is listed in the Automatic configuration script address area.

4. Ensure that no other proxy settings are enabled or have entries.

Note: You may need to restart the web browser for the settings to take effect.

Configuring a Non-transparent Connection Using a WPAD Automatic Script

Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD – the latest versions of Microsoft Internet Explorer support this method.

The WPAD method works by the web browser prepending the hostname wpad to its fully qualified domain name and looking for a web server on port 80 that can supply a wpad.dat file. The file works in the same way as the automatic configuration script and tells the browser what web security policy it should use.

To use WPAD:

1. Configure your network to use Guardian as the network web proxy. Consult your network documentation for more information about how to do this.
2. Using a local DNS server or Guardian’s static DNS, add the host 'wpad.YOURDOMAINNAME' substituting your own domain name. The host must resolve to Guardian’s IP address.
3. Configure users’ browsers to automatically detect LAN settings.
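
After completing the WPAD steps, the result can be checked with a short script: the wpad host must resolve to Guardian's IP address, and the wpad.dat it serves should name only Guardian as the proxy. The following is an added example, not part of the original article or of Guardian. It assumes the PAC body names Guardian by IP address on port 800 (the port from the manual steps); the domain, address and PAC body are constructed samples, and the wpad.dat contents are fetched separately from the URL returned by wpad_url().

```python
import re
import socket

GUARDIAN_PORT = 800  # proxy port given in the manual-configuration steps

def wpad_url(domain):
    """URL a browser requests under WPAD: host 'wpad.<domain>', port 80, wpad.dat."""
    return "http://wpad.%s/wpad.dat" % domain.strip(".").lower()

def pac_proxies(pac_text):
    """Return the set of host:port targets named in PROXY directives of a PAC body."""
    return set(re.findall(r"\bPROXY\s+([A-Za-z0-9.\-]+:\d+)", pac_text))

def check_wpad(domain, guardian_ip, pac_text, resolve=socket.gethostbyname):
    """Return a list of problems; an empty list means the setup matches the steps."""
    problems = []
    host = "wpad." + domain.strip(".").lower()
    try:
        addr = resolve(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        addr = None
        problems.append("%s does not resolve (%s)" % (host, exc))
    if addr is not None and addr != guardian_ip:
        problems.append("%s resolves to %s, expected %s" % (host, addr, guardian_ip))
    if "FindProxyForURL" not in pac_text:
        problems.append("wpad.dat does not define FindProxyForURL")
    expected = "%s:%d" % (guardian_ip, GUARDIAN_PORT)  # assumed form of the target
    proxies = pac_proxies(pac_text)
    if not proxies:
        problems.append("wpad.dat names no PROXY target")
    for extra in sorted(proxies - {expected}):
        problems.append("unexpected proxy target %s" % extra)
    return problems

# Constructed sample: documentation-range address and a hand-written PAC body.
SAMPLE_PAC = '''function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY 192.0.2.10:800";
}'''

if __name__ == "__main__":
    # The resolver is stubbed so the sample runs offline; omit it to query real DNS.
    found = check_wpad("example.test", "192.0.2.10", SAMPLE_PAC,
                       resolve=lambda h: "192.0.2.10")
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```
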

Attribution:

Last updated:

Author:

Contributions by:

9th March 2016

 

SN

 

Copyright © 2000-2016 Smoothwall All rights reserved.