In addition to the transparent mode of the HTTP proxy, users can also be required to authenticate before they are allowed to use the Internet. This authentication can be performed either against the user management of the UTM or against an authentication server such as Active Directory, LDAP or RADIUS.
To use authentication on the HTTP proxy, the proxy must be entered in the browser and the port filter settings must be adjusted.
Proxy setting in the browser
In the connection settings of the browser in use, the IP address of the corresponding interface of the UTM is entered under Manual proxy configuration.
In addition, the port must be entered that is set in the UTM under Applications → HTTP Proxy. On delivery, this is port 8080.
So that web pages accessed via HTTPS are also routed through the proxy, the option Use this proxy server for all protocols must be enabled.
Port filter settings
The UTM is shipped with a port filter rule that allows access from the internal network to the Internet with all services (any).
With this rule in place, a user could simply change the browser's proxy settings and bypass the authentication. The rule should therefore be disabled, or a suitable service group should be used in place of any.
Authentication via the user management of the UTM
Create proxy user group
First of all, a user group is needed. To do this, click on Authentication → Users, tab Groups, button + Add Group.
Group name: Proxy-Group (choose a unique name; no blank space may be used)
HTTP-Proxy: On (enables the HTTP proxy function for this group)
Save (saves the settings)
If different proxy users are to be treated differently later, additional groups can be created.
Create user
Next, click on Authentication → Users, button + Add User.
Edit group and enable HTTP proxy
Login name: User1 (assign a login name)
Password: (assign a secure password)
Confirm password: (re-enter the password)
Groups: Proxy-Group (select the group created above)
Save (saves the settings)
This process must be repeated for each user that is to be created. More information about user management can be found here.
Enable authentication in HTTP proxy
Authentication in the HTTP proxy is enabled under Applications → HTTP Proxy, tab General.
Authentication method "Basic"
Authentication method: Basic (select the method in the drop-down menu)
Save (saves the settings)
If a browser prepared as described above is now started, an authentication prompt appears before the first requested web page is displayed.
Authentication prompt
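A check for the two points above, the port filter rule that must not let clients bypass the proxy and the Basic authentication prompt, as an added example that is not Securepoint code: it assumes the UTM's proxy is reachable at 192.0.2.1:8080 (the address you entered in the browser), that User1 exists, and uses a placeholder password.

```python
import base64
import http.client
import socket

def basic_proxy_header(user, password):
    """Proxy-Authorization header a browser sends after a 407 challenge with method Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Proxy-Authorization": f"Basic {token}"}

def challenge_schemes(proxy_authenticate):
    """Scheme names in a Proxy-Authenticate header, skipping name=value parameters such as realm."""
    schemes = []
    for part in proxy_authenticate.split(","):
        first = part.strip().split(" ", 1)[0]
        if first and "=" not in first:
            schemes.append(first)
    return schemes

def fetch_status(headers=None, proxy=("192.0.2.1", 8080)):
    """GET an external URL through the proxy (assumed UTM address, factory default port 8080);
    return (status, Proxy-Authenticate header)."""
    conn = http.client.HTTPConnection(*proxy, timeout=5)
    conn.request("GET", "http://example.com/", headers=headers or {})  # absolute URL = proxy request
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Proxy-Authenticate", "")

def direct_access_blocked(host="example.com", port=80):
    """True if a client that ignores the proxy cannot reach the Internet (the 'any' rule is gone)."""
    try:
        with socket.create_connection((host, port), timeout=5):
            return False
    except OSError:
        return True

def verdict(unauth_status, auth_status, direct_blocked):
    """Findings from the three observations; an empty list means every check passed."""
    checks = [
        (unauth_status == 407, f"proxy answered {unauth_status} without credentials, expected 407"),
        (auth_status < 400, f"proxy rejected valid credentials with {auth_status}"),
        (direct_blocked, "direct Internet access bypassing the proxy is still allowed"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    unauth, challenge = fetch_status()                                 # no credentials: expect 407
    auth, _ = fetch_status(basic_proxy_header("User1", "<password>"))  # placeholder password
    print("schemes offered:", challenge_schemes(challenge))
    print(verdict(unauth, auth, direct_access_blocked()) or "all checks passed")
```

Run it from a client in the internal network after the port filter change; a non-empty finding list means either the proxy still answers without credentials or a client that ignores the proxy still gets out.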
Authentication with Active Directory
First of all, it must be ensured that the UTM can also resolve the domain. Under Network → Server Settings, the localhost IP address is entered in the DNS Server section.
Enter localhost IP address
Primary name server: 127.0.0.1 (enter the localhost IP address)
Then call Applications → Nameserver, tab Zones, button + Add Relay Zone to create a new relay zone with the local domain and the IP address of the domain controller.
Add Relay Zone
Zone name: securepoint.local (select the zone name)
Type: Relay (select the "Relay" type)
+ Add server: enter the IP address and select the port, then Save
Save (saves the settings)
Connecting UTM to Active Directory
To connect the UTM to Active Directory, click the AD/LDAP Authentication button under Authentication → Assistant. The four steps of the assistant are then worked through.
Step 1: Directory type
Directory type: AD - Active Directory (select Active Directory)
Next (continue to step 2)
Step 2: Settings
IP or Hostname: ldap.example.com (choose name)
Domain: securepoint.local (register the domain)
Workgroup: securepoint (preset)
Appliance Account: UTM (preset)
Next (continue to step 3)
Step 3: Nameserver
If this step has already been done, the IP address is already preset. If not, the IP address can be entered via + Add Server.
Next (continue to step 4)
Step 4: Join
Administrator name: Administrator (choose name)
Password: (assign a secure password)
Done (completes the process)
If everything worked correctly, the Connection status: now shows a green circle.
Create proxy user group for Active Directory
First of all, a user group is needed. To do this, click on Authentication → Users, tab Groups, button + Add Group.
Group name: Proxy-Group (choose a unique name; no blank space may be used)
HTTP-Proxy: On (enables the HTTP proxy function for this group)
Save (saves the settings)
If different proxy users are to be treated differently later, additional groups can be created.
Enable authentication in HTTP proxy for Active Directory
To enable authentication on the proxy, the authentication method must be set to NTLM/Kerberos under Applications → HTTP Proxy, tab General.
Authentication method NTLM/Kerberos
Authentication method: NTLM/Kerberos (select the method in the drop-down menu)
Save (saves the settings)
The NTLM authentication method has the advantage that the proxy no longer prompts for username and password when the web browser is opened: the user is already authenticated by the domain login performed when the operating system starts.