HTTP proxy authentication guide
Last adaptation to the version: 14.1.1 (11.2025)
New:
- Anpassung an die neuen HTTP Proxy Profile
- Updated to Redesign of the webinterface
notempty
This article refers to a Beta version
User authentication on the HTTP proxy
In addition to the transparent mode of the HTTP proxy, it is also possible to require users to authenticate themselves before using the Internet.
This authentication can be performed either against the UTM user management or an authentication server such as Active Directory, LDAP, or Radius.
Requirements for authentication on the HTTP proxy:
- The proxy has been entered in the browser
- The packet filter settings have been adjusted accordingly
Proxy setting in the browser
In the connection settings of the used browser, the IP address of the corresponding interface of the UTM can be entered under Manual proxy configuration.
In addition, the port must be entered, which is set in the UTM under .
notempty
This can be done either in the global profile or an optional additional profile. When the UTM is delivered, this is port 8080.
New as of v14.1.1
Packet filter settings
Call in menu
The UTM is shipped with a packet filter rule set to allow access from the internal network to the Internet with all services (any).
Users could potentially change the browser's proxy settings to bypass authentication.
Therefore,
- this rule should be “disabled” or, alternatively,
- a corresponding service group should be created for this rule that replaces any
| # | Source | Destination | Service | NAT | Action | Active | UTMuser@firewall.name.fqdnFirewall  Package Filter settings for HTTP proxy authentication
| ||
 |
 internal-network |
 internet |
 any |
HN | Accept | Off | |||
|
internal-network |
 internal-interface |
 proxy |
Accept | On | ||||
More information on the packet filter rules can be found here.
Authentication via the user management of the UTM
Create proxy user groupCall in menu | |||
|
Groups | |||
UTMuser@firewall.name.fqdnAuthentication  Benutzergruppe hinzufügen
| |||
| Click on the Add group button to create a user group | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnAuthenticationUser  Create user group
|
|---|---|---|---|
| Group name: | Proxy-Group | Choose a unique group name | |
| HTTP-Proxy: | On | Enable HTTP proxy function | |
| Save and close | Saves the settings and closes the dialog | ||
Create user | |||
|
User |
UTMuser@firewall.name.fqdnAuthentication  Add user
| ||
| Click on the Add user button. A new dialog box opens. | |||
| Login name: | User1 | Assign login name | UTMuser@firewall.name.fqdnAuthenticationUser  Edit group and enable HTTP proxy
|
| Password: | ••••••••••••••••••• | Assign a secure password | |
| Expiration date | 2028-01-05 00:00:00 | Optional: Specify when the password should expire | |
| Confirm password: | ••••••••••••••••••• | Re-enter password | |
| Groups: | »Proxy-Group | Select pre-set group | |
| Save and close | Saves the settings and closes the dialog | ||
| This process must be repeated for each user that is to be created. More information about user management can be found here. | |||
Enable authentication in HTTP proxy | |||
| Call in menu notempty Selecting the profile. Here, you can either select the default profile global or another profile that you have created yourself
New as of v14.1.1 |
UTMuser@firewall.name.fqdnApplications  Selection of the HTTP proxy profile
| ||
| Authentication method: | Select method in drop-down menu | UTMuser@firewall.name.fqdnApplicationsHTTP Proxy  Authentication method "Basic"
| |
| Save | Saves the settings | ||
| If now a browser (prepared as above) is started, an authentication prompt appears before the first web page that is called is displayed. |  | ||
Authentication with Active Directory
| Call in menu DNS-Server First, make sure that the UTM can find the domain. To do this, enter the localhost IP address |
UTMuser@firewall.name.fqdnNetwork  Enter localhost IP address
| |||
| Primary name server: | 127.0.0.1 | Enter localhost IP address | ||
| Save | Saves the settings | |||
| Call in menu Zones | ||||
| Then Area Zones button must be called to create a new relay zone with the local domain and the IP address of the domain controller. | UTMuser@firewall.name.fqdnApplications  Click on the Add Relay Zone button.
| |||
| Zone name: | securepoint.local | Select zone name | UTMuser@firewall.name.fqdnApplicationsName Server  Add Relay Zone
| |
| Type: | Select Relay type | |||
| Click on the button. A new dialog box opens | ||||
| IP address: | 192.168.175.5 | Enter IP address | UTMuser@firewall.name.fqdnApplicationsName ServerAdd Relay Zone  Add Server
|
|
| Port: | 53 | Select DNS port. Default: 53. If you do not specify a port, port 53 is set automatically. | ||
| Save and close | Saves the settings and closes the dialog | |||
| Save and close | Clicking the button saves the settings for the server. | |||
| The relay zone server securepoint.local has been created | UTMuser@firewall.name.fqdnApplicationsName Server  The relay zone server securepoint.local
| |||
Connecting UTM to Active Directory | ||||
| Call in menu | ||||
| Clicking the button starts the wizard. | ||||
Step 1: Directory type
| ||||
| Directory type: | Select the Active Directory | UTMuser@firewall.name.fqdnAuthenticationAD/LDAP Authentication  AD/LDAP Authentication Wizard Step 1
| ||
| Continue to step 2 | ||||
Step 2: Settings
| ||||
| IP or Hostname: | »ldap.ttt-point.de | Choose name |
 | |
| Domain: | securepoint.local | Register domain | ||
| Workgroup: | securepoint | Preset | ||
| Appliance Account: | UTM | Preset | ||
| Continue to step 3 | ||||
Step 3: Nameserver
| ||||
| If this step has already been done, then the IP address is already preset. If not, the IP address can be entered via . |
 | |||
| Continue to step 4 | ||||
Step 4: Join
| ||||
| Administrator name: | Administrator | Choose name |  | |
| Password: | ••••••••••••••••••• | Assign a secure password | ||
| Completes the process | ||||
| Status | ||||
| Connection status: | The connection has been successfully established | UTMuser@firewall.name.fqdnAuthentication  AD/LDAP Authentication Completed
| ||
Create proxy user group for Active Directory | ||||
| UTMuser@firewall.name.fqdnAuthentication Benutzergruppe hinzufügen
| ||||
| Click on the Add group button to create a user group | ||||
| Group name: | Proxy-Group | Choose a unique group name |
UTMuser@firewall.name.fqdnAuthenticationUser
| |
| HTTP-Proxy: | On | Enable HTTP proxy function | ||
| Save and close | Saves the settings and closes the dialog | |||
Enable authentication in HTTP proxy for Active DirectoryCall in menu | ||||
| Selecting the profile. Here, you can either select the default profile global or another profile that you have created yourself | UTMuser@firewall.name.fqdnApplications Selection of the HTTP proxy profile
| |||
| General
|
UTMuser@firewall.name.fqdnApplicationsHTTP Proxy  Authentication method NTLM/Kerberos
| |||
| Authentication method: | Select method in drop-down menu | |||
| Save | Saves the settings | |||
The NTLM authentication method has the advantage that the proxy no longer asks for the username and password when the web browser is opened. In this case, authentication is already performed when the operating system is started with the login to the domain. | ||||