In this page you find:
New in version 3.0.5: A few options to improve the HTTP proxy capabilities and its interaction with policy routing and firewall rules.
The HTTP proxy employed in the Endian UTM Appliance is squid, whose primary ability is to cache web requests to speed up future requests of the same page, though it has many more functionalities that allows its seamless integration with the other services described in the remainder of this section. The HTTP proxy settings page is composed of six tabs that organise a myriad of options: Configuration, Access Policy, Authentication, Web Filter, AD join, and HTTPS Proxy.
A click on the Enable HTTP Proxy switch enables the HTTP proxy. After some seconds, necessary to start all required services, a number of controls appear in the Configuration tab, grouped into six panels: Each panel has a title, followed by a ? that shows a tooltip, and can be expanded or collapsed by clicking on the or icons located on the left of the labels.
Transparent and Non Transparent Proxy.
A transparent proxy is a proxy system combined with a gateway: Besides retrieving and caching resources, a transparent proxy allows to carry out many useful operations on the web page or resource that the client is requesting: To filter its contents, to scan it and look for viruses, or even to block information, combining different services running on the gateway. Moreover, all these activities are accomplished without requiring the user to configure in any way the client she is using.
Non-transparent proxies on the contrary, rely on the collaboration of the client to be used (e.g., configuring the proxy settings on the web browser), requiring that the user specify by hand the location of the proxy in the setting of the browser, or she will not be able to access the Internet.
See also
The configuration of a transparent proxy is explained in this tutorial.
Note
In the New Mini Arm the Cache management panel (see further on) does not appear, therefore some of the option described here will not be available .
The first setting is to select from a drop-down menu how the users in each enabled zone -GREEN, ORANGE, BLUE- can access the proxy (No drop-down menu is available for non-enabled zones):
This configuration is very similar to the previous option, with the only difference that every packet that leaves the proxy keeps some of the client’s original information: Its IP address, plus the zone and interface from which the traffic originated.
New in version 3.0.5.
Note
Some browsers, including Internet Explorer and Firefox, are
able to automatically detect proxy servers by using the
WPAD. Most browsers also support PAC, through a special
URL. When using an Endian UTM Appliance as the proxy server, the URL looks
like this: http://<GREENIP>/proxy.pac
.
Disabling HTTP proxy per zone
To disable completely the proxy for a certain zone, the zone’s proxy must be set to transparent and the zone’s subnet (whose value can be found in
) must be added to the Bypass transparent proxy from SUBNET/IP/MAC field that shows up when expanding the Bypass transparent proxy panel.In the Proxy settings panel there are some global configuration options for the proxy services:
This is an option that affects all the zones that are configured as non-transparent mode. When ticked, this option allows all the packets coming from the proxy to keep some information of the client: Its IP address, plus the zone and interface from which the traffic originated.
New in version 3.0.5.
Note
Since cache management is not available in the Mini appliance, the cache admin e-mail address is not present on those appliances.
Configuration option for the ports the clients are allowed to use when browsing:
Configuration option to enable the logging facility and choosing what to log.
?id=123
)In this panel some exception to the transparent proxy (see also above) can be defined, i.e., which sources (i.e., clients) and destinations (i.e., remote servers) should be ignored by the proxy, even if it is enabled in that zone.
The destinations that are not subject to the transparent proxy.
Hint
Use CIDR notation to enter subnets.
Configuration options for the space occupied on disk by the cache and the size of the objects stored.
Note
Objects whose size does not fall within the above defined ranges will never be stored on disk, but downloaded each time they are requested by some client.
When this option is enabled (i.e., the checkbox is ticked), the proxy will never try to update cached objects from the upstream web server - clients can then browse cached, static websites even after the uplink went down.
Warning
This option proves useful to surf the Internet while the uplink is down, if the page requested has been cached before. However, this option may cause some trouble when trying to refresh a page, even with a working uplink, since the HTTP proxy would always serve the cached page. The only possibility to have a refreshed copy of a web page is in this case to clear the cache of the proxy server.
If there is another proxy server in the LAN, it can be contacted before actually requesting the original resource. This panel contains configuration options for the connection between the Endian UTM Appliance and the upstream proxy.
The accesses policies are applied to every client that is connecting through the proxy, regardless of its authentication. An access policy rule is a time-based scheme that permits or prohibits accesses depending on diverse parameters about the user (e.g., the source or destination of the traffic), and the client used or the content downloaded (e.g., the user agent, the mime types, virus scanning, and content filtering).
A list of the already defined rules is displayed on the page. Any rule can specify if the web access is blocked or allowed, and in the latter case a filter type can be activated and selected. The table carries the following information for every rule listed therein: The progressive identification number (#), the name (``), the source and destination interested, the authentication type, if required, the periods in which is active, the user agents matched, and the available actions:
To add a new access policy rule, simply click on Add Access policy: A form will open, in which to configure all the parameters:
The type of authentication to apply to the clients. It can be disabled, in which case no authentication is required, group based or user based. One or more users or groups, to which to apply the policy, can then be selected among the existent ones from the list that will show up.
Hint
Authentication is only local, hence before being able to use it, at least one user or group must be created in the Authentication tab.
Select one ore more days of the week.
Hint
To select two or more days, hold the CTRL
keys
and click the mouse button on the name of the day.
A list of the MIME types of incoming files that should be blocked, one per line. MIME types can only be blocked (i.e., blacklisted) but not allowed (i.e., whitelisted), therefore this option is only available in Deny access policies. This option allows to block any files not corresponding to the company policy (e.g., multimedia files).
The available actions allow to change priority, edit, enable/disable or delete each rule from the list of rules.
The Endian UTM Appliance‘s proxy supports four different authentication types, that are shown in the drop-down menu at the top of the page: Local Authentication (NCSA), LDAP (v2, v3, Novell eDirectory, AD), Windows Active Directory (NTLM) and RADIUS. The NCSA type stores the access credentials on the Endian UTM Appliance, whereas the other methods rely on an external server: In those cases it is mandatory to provide all the necessary information to access that server.
Underneath the drop-down menu from which to select the authentication type, two panels are present. The one above, Authentication settings contains common configuration items, while the one below changes upon the selection of the authentication type, presenting the settings that are peculiar to each method.
The common items that can be configured in this panel are:
The text shown in the authentication dialog and used as the realm of kerberos or winbind when joining an Active Directory Domain. When Windows Active Directory is used for authentication, the FQDN of the PDC should be used.
Hint
If the server name is localauth
and the domain
name is example.org
, the FQDN is
localauth.example.org
.
Once the common configuration form have been filled in, depending on the authentication type chosen it is possible to configure the specific settings for the authentication type selected. Local Authentication (NCSA), Windows Active Directory (NTLM), LDAP (v2, v3, Novell eDirectory, AD), RADIUS.
When clicking on the manage users button the management GUI for the users is opened, which consists of a simple list of the existing users, if any was created, and of an Add NCSA user link to add more users. A user is added by entering username and password in the form, and can later be either edited or deleted.
Hint
The password shall be at least 6 characters long.
When clicking on the manage groups button the management GUI for the groups is opened which consists of a simple list of the existing groups and their members, if any was created, and of an Add NCSA group link to add more groups. A group is created by entering a group name and selecting one or more users that should belong to that group. A user may belong to more than one group.
Warning
While the same user can be legally part of one or more groups, care must be taken that the the groups the user belongs to do not define contrasting access policies. As an example, consider a user member of two groups, one with the policy to allows access to the website www.example.org, while the second group’s policy blocks the access to that web page. In this case, it is not easy to predict whether that user will be granted or not access to the site www.example.org. The management of these issues is left to the designer of the access policies.
Requirements for the use of NTLM.
In order to be able to use Windows’ native authentication with active directory (NTLM), a few conditions must be satisfied:
Hint
The Endian UTM Appliance clock can be synchronised with the clock of the Active Directory server by issuing the following command from the shell:
net time set -S IP_OF_AD_SERVER
See also
The setup of a realm using NTLM authentication is described in this tutorial.
NTLM authentication with Windows Vista and Windows 7.
The HTTP Proxy in the Endian UTM Appliance uses negotiated NTLMv2, while both Windows Vista and Windows 7 allow by default only straight NTLMv2. As a result, a client installing those operating systems may fail to authenticate to the HTTP proxy even when supplying the correct credentials. The following changes to the client configuration are required to correctly authenticate:
- (run as administrator)
- Go to:
- Find the configuration option Network Security: LAN MANAGER Authentication Level
- Select the value “Send LM * NTLM - use NTLMv2 session security if negotiated”
After applying these changes the client browser should correctly authenticate using the AD Login Name / Credentials for the HTTP Proxy.
The Endian UTM Appliance‘s content filter abilities are based on the Cyren URL filtering solution, that uses two filtering techniques which can be defined per filter profile.
The first one consists of an advanced method of web pages categorisation, based on their content, while the second method uses a combination of white- and blacklists URLs and domains: All the URLs requested by a client are looked up in this list and are only served if they are found in the whitelist.
Note
If the system has not yet been registered to Endian Network, the URL filter lists can not be downloaded. In this case, an informative message appears: By clicking on it, the registration form will open.
A profile is needed to be able to use the content filter. There is a Default profile available, which allows access to every web page and shall not be deleted. Additional profiles, that are needed in the definition of an Access policy, can easily be created. Hence, an access policies requiring a specific profile can be created only after that profile.
On the page, there is a list of the existing profiles, accompanied by a remark and by the available actions:
Above the table, there is a Create a profile link: When clicked, the link is replaced by the Profile Editor, that is used to configure a new profile, with the list of existing profiles shifting to the bottom of the page. The following settings can be defined:
In this section it is possible to enable the SafeSearch Enforcement functionality for the supported search engines. At the moment these are:
SafeSearch Enforcement
With the standard web filtering functionality it is already possible to filter inappropriate web sites for children or students. However, this does not affect results such as preview images that are coming from the search engines.
Since search engines are caching images it is impossible to know from which website they are coming and therefore they cannot be blocked based on their category. To still be able to block inappropriate or offensive content many search engines include a SafeSearch functionality that, when enabled, will simply not include these results.
When using SafeSearch Enforcement this behaviour is being enforced for the selected search engines regardless of the user’s personal settings.
Since most search engines today are automatically using HTTPS it is necessary to enable the HTTPS Proxy.
The next settings come in form of panels, that can be expanded or collapsed by clicking on the or icons to the left of their title. On the far right, a small arrow shows if the contained items are all, none, or partially allowed. Those arrows can be clicked to quickly toggle the status of all the contained items.
The categories to activate for applying the content filter. Each category contains additional sub-categories, that can be individually allowed or not. A green arrow means that the (sub-)category’s items are used for content filter, while a icon means that those items are not used. A icon near the category name shows that only some of the sub-categories within it are used for content filtering.
Here personalised lists of web pages can be added as always allowed (whitelist), i.e., they will always be served to the clients, or denied (blacklist), i.e., they will never be served to the clients.
Content filtering may cause both false positives and false negatives, hence list domains that should always be blocked or allowed can be entered here. This policy will be applied regardless of the results of the content filter’s analysis.
In this section it is possible to supply the credentials required to join the Active Directory Server, an operation that is only possible if in the Authentication tab the option Windows Active Directory (NTLM) has been selected.
New in version 3.0.5: An option to forward all HTTPS traffic to an upstream proxy.
In this page it is possible to configure the proxy server for the scan of SSL-encrypted traffic, i.e., traffic through the 443 port. When enabled, squid will intercept all clients’ requests and forward them to the remote server, like in the case of HTTP requests. The only difference is that for HTTPS requests, an ‘intermediate’ certificate is needed for the client to connect via HTTPS to the Endian UTM Appliance, which then can deliver the request, retrieve the remote resource, control it, and then send it to the client who requested it.
There are three available settings in this page, divided in two parts: The first one allows the set up the HTTPS proxy, whereas the second one is used to manage the Endian UTM Appliance‘s certificate.
When this option is used, the HTTPS traffic will be managed directly by the upstream proxy, otherwise it is managed by the Endian UTM Appliance.
Note
This option only works if an upstream proxy has been defined in the upstream proxy (See ).
To activate the HTTPS proxy, click on Save and wait a few seconds.
The lower part can be used to either upload a certificate that will be used by the Endian UTM Appliance or to generate a new one, that will replace the one already present, if any.
After the certificate has been uploaded or created, a new option in the form of a hyperlink will appear next to the Upload proxy certificate label: