




This article refers to a version that is no longer current!

The article for the latest version is available here

A newer version of this article already exists, but it refers to a reseller preview















































































HTTP proxy authentication guide
Last adaptation: 02.2023
New:
  • Layout adjustment
This article refers to a reseller preview

11.7

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ Applications → HTTP-Proxy


User authentication on the HTTP proxy

In addition to the transparent mode of the HTTP proxy, users can be required to authenticate before they use the Internet. This authentication can be performed either against the user management of the UTM or against an authentication server such as Active Directory, LDAP or RADIUS.

To use authentication on the HTTP proxy, it is necessary to enter the proxy in the browser and make changes to the port filter settings.



Proxy setting in the browser

In the connection settings of the browser in use, the IP address of the corresponding interface of the UTM can be entered under Manual proxy configuration.

In addition, the port that is set in the UTM under → Applications → HTTP-Proxy must be entered. When the UTM is delivered, this is port 8080.

In order for web pages accessed via HTTPS to be routed through the proxy as well, the option "Use this proxy server for all protocols" must be enabled.



Port filter settings


The UTM is shipped with a port filter rule set to allow access from the internal network to the Internet with all services (any).

Because users could change the browser's proxy settings to bypass authentication, this rule should be disabled, or an appropriate service group should be created for this rule instead of any.



Authentication via the user management of the UTM

Create proxy user group

First of all, a user group is needed.
To do this, click + Add Group under → Authentication → Users, tab Groups.
Group name: Proxy-Group (choose a unique name; no blank space may be used)
HTTP-Proxy: On (enables the HTTP proxy function)
Save: saves the settings
If different proxy users are to be treated differently later, additional groups can be created.

Create user

Next, click + Add User under → Authentication → Users.
(Screenshot: Edit group and enable HTTP proxy)
Login name: User1 (assign a login name)
Password: (assign a secure password)
Confirm password: (re-enter the password)
Groups: Proxy-Group (select the previously created group)
Save: saves the settings
This process must be repeated for each user that is to be created.
More information about user management can be found here.

Enable authentication in HTTP proxy

Authentication in the HTTP proxy can be enabled under → Applications → HTTP Proxy, tab General.
Authentication method: Basic (select the method in the drop-down menu)
Save: saves the settings
If a browser prepared as described above is now started, an authentication prompt appears before the first requested web page is displayed.
(Screenshot: Authentication prompt)


Authentication with Active Directory

First of all, it must be ensured that the UTM also finds the domain.
Under → Network → Server Settings, the localhost IP address can be entered in the section DNS Server.
Primary name server: 127.0.0.1 (enter the localhost IP address)
Then → Applications → Nameserver, tab Zones, button + Add Relay Zone must be called to create a new relay zone with the local domain and the IP address of the domain controller.
Zone name: securepoint.local (select the zone name)
Type: Relay (select the "Relay" type)
+ Add server: enter the IP address and select the port
Save: saves the settings

Connecting UTM to Active Directory

To connect the UTM to the Active Directory, click the Assistant button under → Authentication → AD/LDAP Authentication. Afterwards, the four steps of the assistant must be completed.
Step 1: Directory type
Directory type: AD - Active Directory (select Active Directory)
Next: continue to step 2
Step 2: Settings
IP or Hostname: Idap.example.com (choose name)
Domain: securepoint.local (enter the domain)
Workgroup: securepoint (preset)
Appliance Account: UTM (preset)
Next: continue to step 3
Step 3: Nameserver
If this step has already been done, the IP address is already preset.
If not, the IP address can be entered via + Add Server.
Next: continue to step 4
Step 4: Join
Administrator name: Administrator (choose name)
Password: (assign a secure password)
Done: completes the process
If everything worked correctly, the Connection status now shows a green circle.

Create proxy user group for Active Directory

First of all, a user group is needed.
To do this, click + Add Group under → Authentication → Users, tab Groups.
Group name: Proxy-Group (choose a unique name; no blank space may be used)
HTTP-Proxy: On (enables the HTTP proxy function)
Save: saves the settings
If different proxy users are to be treated differently later, additional groups can be created.

Enable authentication in HTTP proxy for Active Directory

To enable authentication on the proxy, the authentication method must be set to NTLM/Kerberos under → Applications → HTTP Proxy, tab General.
Authentication method: NTLM/Kerberos (select the method in the drop-down menu)
Save: saves the settings
The NTLM authentication method has the advantage that the proxy no longer asks for the username and password when the web browser is opened. In this case, authentication is already performed with the login to the domain when the operating system is started.
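
A client-side check of the finished setup, covering both the port filter section and the two authentication methods above. It is an added example and not part of the original article or of the UTM's own tooling. It confirms that a request without credentials is answered with 407 and the expected scheme, and that nothing is reachable around the proxy. Assumptions: the sample replies are constructed rather than captured from a UTM, the Negotiate and NTLM scheme names for the NTLM/Kerberos method are an assumption about what the proxy offers, and example.com is a placeholder target.

```python
import socket

# Constructed sample replies to a request sent WITHOUT credentials (not captured from a UTM).
SAMPLE_BASIC = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
SAMPLE_AD = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n\r\n")
SAMPLE_OPEN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

def parse_challenge(raw):
    """Return (status code, offered auth schemes) from a raw proxy response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return status, schemes

def assess(raw, expected):
    """Return findings; an empty list means the proxy demands the expected method."""
    status, schemes = parse_challenge(raw)
    findings = []
    if status != 407:
        findings.append(f"request without credentials got {status}, not 407")
    for scheme in sorted(set(expected) - set(schemes)):
        findings.append(f"expected scheme not offered: {scheme}")
    for scheme in sorted(set(schemes) - set(expected)):
        findings.append(f"unexpected scheme offered: {scheme}")
    return findings

def probe(proxy_host, proxy_port=8080, host="example.com", timeout=5.0):
    """Send one credential-free request through the proxy and return its raw reply."""
    request = f"GET http://{host}/ HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((proxy_host, proxy_port), timeout) as conn:
        conn.sendall(request.encode("ascii"))
        return conn.recv(65536)

def direct_egress(targets, connect=socket.create_connection, timeout=3.0):
    """Return the (host, port) targets reachable WITHOUT the proxy; should be empty."""
    reachable = []
    for target in targets:
        try:
            connect(target, timeout).close()
        except OSError:
            continue
        reachable.append(target)
    return reachable
```

From a client in the internal network, `assess(probe("192.168.175.1"), ["basic"])` and `direct_egress([("example.com", 80), ("example.com", 443)])` should both return an empty list once the any rule has been disabled and authentication is enabled.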