HTTP proxy authentication guide

Last adaptation: 02.2023

New:
  • Layout adjustment
This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ Applications → HTTP-Proxy


User authentication on the HTTP proxy

In addition to the transparent mode of the HTTP proxy, users can be required to authenticate before they are allowed to use the Internet. This authentication can be performed against either the user management of the UTM or an authentication server such as Active Directory, LDAP or RADIUS.

To use authentication on the HTTP proxy, the proxy must be entered in the browser and the port filter settings must be changed.



Proxy setting in the browser

Proxy configuration in the browser

In the connection settings of the browser in use, the IP address of the corresponding interface of the UTM can be entered under Manual proxy configuration.

In addition, the port that is set in the UTM under → Applications → HTTP-Proxy must be entered. When the UTM is delivered, this is port 8080.

In order for web pages accessed via HTTPS to be routed through the proxy as well, the option "use this proxy server for all protocols" must be enabled.



Port filter settings

The UTM is shipped with a port filter rule that allows access from the internal network to the Internet with all services (any).

Since users could change the browser's proxy settings to bypass authentication, this rule should be disabled, or an appropriate service group should be used in this rule instead of any.



Authentication via the user management of the UTM

Create proxy user group

First of all, a user group is needed.
To do this, click the + Add Group button under → Authentication → Users, tab Groups.
  • Group name: Proxy-Group (choose a unique name; no blank space may be used)
  • HTTP-Proxy: On (enables the HTTP proxy function)
  • Save: saves the settings
If different proxy users are to be treated differently later, additional groups can be created.

Create user

Next, + Add User must be clicked under → Authentication → Users.
Edit group and enable HTTP proxy
  • Login name: User1 (assign a login name)
  • Password: assign a secure password
  • Confirm password: re-enter the password
  • Groups: »Proxy-Group (select the pre-set group)
  • Save: saves the settings
This process must be repeated for each user that is to be created.
More information about user management can be found here.

Enable authentication in HTTP proxy

Authentication in the HTTP proxy can be enabled under → Applications → HTTP Proxy, tab General.
Authentication method "Basic"
  • Authentication method: Basic (select the method in the drop-down menu)
  • Save: saves the settings
If a browser prepared as described above is now started, an authentication prompt appears before the first requested web page is displayed.
Authentication prompt


Authentication with Active Directory

First of all, it must be ensured that the UTM can find the domain.
Under → Network → Server Settings, the localhost IP address can be entered in the section DNS Server.
Enter localhost IP address
  • Primary name server: 127.0.0.1 (enter the localhost IP address)
Then open → Applications → Nameserver, tab Zones, and click the + Add Relay Zone button to create a new relay zone with the local domain and the IP address of the domain controller.
Add Relay Zone
  • Zone name: securepoint.local (select the zone name)
  • Type: Relay (select the "Relay" type)
  • + Add server: enter the IP address and select the port, then Save
  • Save: saves the settings

Connecting UTM to Active Directory

To connect the UTM to the Active Directory, the Assistant button must be clicked under → Authentication → AD/LDAP Authentication. Afterwards, the four steps of the assistant must be completed.
Step 1: Directory type
  • Directory type: AD - Active Directory (select Active Directory)
  • Next: continue to step 2
Step 2: Settings
  • IP or Hostname: »Idap.example.com (choose name)
  • Domain: securepoint.local (register domain)
  • Workgroup: securepoint (preset)
  • Appliance Account: UTM (preset)
  • Next: continue to step 3
Step 3: Nameserver
  • If this step has already been done, the IP address is already preset.
  • If not, the IP address can be entered via + Add Server.
  • Next: continue to step 4
Step 4: Join
  • Administrator name: Administrator (choose name)
  • Password: assign a secure password
  • Done: completes the process
If everything worked correctly, the Connection status now shows a green circle.

Create proxy user group for Active Directory

First of all, a user group is needed.
To do this, click the + Add Group button under → Authentication → Users, tab Groups.
  • Group name: Proxy-Group (choose a unique name; no blank space may be used)
  • HTTP-Proxy: On (enables the HTTP proxy function)
  • Save: saves the settings
If different proxy users are to be treated differently later, additional groups can be created.

Enable authentication in HTTP proxy for Active Directory

To enable authentication on the proxy, the authentication method must be set to NTLM/Kerberos under → Applications → HTTP Proxy, tab General.
Authentication method NTLM/Kerberos
  • Authentication method: NTLM/Kerberos (select the method in the drop-down menu)
  • Save: saves the settings
The NTLM authentication method has the advantage that the proxy no longer asks for the username and password when the web browser is opened. In this case, authentication is already performed when the user logs in to the domain at operating system startup.
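
A check that can follow either configuration above (Basic against the UTM user management, or NTLM/Kerberos against Active Directory), added here as an example and not part of the Securepoint documentation: it sends one unauthenticated request to the proxy port and confirms that the answer is a 407 challenge offering the configured method. The function names and sample responses are constructed, and it is an assumption that the proxy announces its methods as Basic, NTLM or Negotiate in Proxy-Authenticate headers.

```python
import socket

def parse_challenge(raw: bytes):
    """Return (status code, offered auth schemes) from a raw proxy response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Simplification: one challenge per Proxy-Authenticate header line.
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return int(parts[1]), schemes

def assess(raw: bytes, expected: set):
    """List mismatches between the proxy's answer and the configured method."""
    status, schemes = parse_challenge(raw)
    if status != 407:
        return ["proxy answered %d without asking for credentials" % status]
    findings = []
    if not expected & set(schemes):
        findings.append("none of %s offered, got %s" % (sorted(expected), schemes))
    if "basic" in schemes and "basic" not in expected:
        findings.append("Basic is offered although it is not the configured method")
    return findings  # empty list: the challenge matches the configuration

def probe(proxy_host: str, proxy_port: int = 8080, site: str = "example.com"):
    """Send one unauthenticated request via the proxy; return the response start."""
    request = "GET http://%s/ HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (site, site)
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as s:
        s.sendall(request.encode("ascii"))
        return s.recv(4096)  # the status line and headers fit in the first read

# Constructed sample responses (assumed header values, not captured from a UTM).
SAMPLE_BASIC = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
SAMPLE_AD = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n\r\n")
SAMPLE_OPEN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw, want in [("basic", SAMPLE_BASIC, {"basic"}),
                            ("ad", SAMPLE_AD, {"ntlm", "negotiate"}),
                            ("open", SAMPLE_OPEN, {"basic"})]:
        print(name, assess(raw, want) or "OK")
```

From a client in the internal network, `assess(probe("192.168.175.1"), {"basic"})` should return an empty list once Basic authentication is enabled on the default address and port. If a request sent directly to the Internet without the proxy still succeeds, the any rule in the port filter is still active.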