Policy wizard

Use this page to create nontransparent and transparent authentication policies.

Navigation: Web Proxy > Authentication > Policy wizard.

Step 1: What
Type: Either nontransparent or transparent authentication policies.
Method: The authentication method.
Interface: The interface on which to apply the authentication policy.
Port: The port on which to apply the authentication policy.
Filter HTTPS traffic: Transparently intercepts HTTPS traffic.
Behavior

When Filter HTTPS traffic is enabled, you must specify how Guardian handles HTTPS requests without a Server Name Indication (SNI). SNI provides the domain name for transparent HTTPS requests. Without this, only the IP address is known, making it difficult to distinguish genuine requests. From the Behavior drop-down, choose one of the following:

  • Block HTTPS traffic with no Server Name Indication (SNI) header
  • Allow Transparent HTTPS incompatible sites — HTTPS traffic that does not contain Server Name Indication (SNI), and whose originating IP address is listed in the Transparent HTTPS incompatible sites Standard category, is allowed through without further filtering. All other HTTPS traffic without Server Name Indication (SNI) is blocked.
  • Filter using name from certificate — All HTTPS traffic that does not contain Server Name Indication (SNI) is filtered based on the domain name taken from the destination server's certificate.
    Note: Some certificates use wildcard characters in domain names, such as *.google.com. Guardian treats these as normal characters, so they should be listed as such when used in categories.
  • Allow Transparent HTTPS incompatible sites and filter others using name from certificate — This is a combination of the previous two options: if the originating IP address is listed in the Transparent HTTPS incompatible sites category, the HTTPS traffic is allowed through without further filtering; otherwise the domain name is taken from the server's certificate and the traffic is filtered accordingly.

Note that some clients make HTTPS requests without Server Name Indication (SNI), such as the Google Chrome updater, older versions of Google Drive, and Dropbox, so valid requests from these clients might be blocked.
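The decision logic behind the Behavior options, as an added illustration that is not part of this documentation and not Guardian's own code. It assumes a small TLS ClientHello parser that pulls out the SNI host name, a constructed stand-in for the Transparent HTTPS incompatible sites category (the 203.0.113.0/24 range), and a caller-supplied cert_name_lookup function standing in for reading the destination server's certificate. The name_in_category helper mirrors the note above: a category entry such as *.example.com matches only that literal string.

```python
import ipaddress
import struct

# Behavior options from the wizard, as plain constants (hypothetical names).
BLOCK = "block"
ALLOW_INCOMPATIBLE = "allow_incompatible"
FILTER_BY_CERT = "filter_by_cert"
COMBINED = "allow_incompatible_then_cert"

# Constructed stand-in for the "Transparent HTTPS incompatible sites" category.
INCOMPATIBLE_SITES = [ipaddress.ip_network("203.0.113.0/24")]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input).

    With server_name=None the extensions block is present but empty, which is
    what a client that sends no SNI looks like on the wire.
    """
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                       # not a handshake / not a ClientHello
        pos = 9 + 2 + 32                      # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                # compression methods
        if pos + 2 > len(record):
            return None                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:            # server_name: 2-byte list length, then entries
                lpos = pos + 2
                while lpos + 3 <= pos + ext_len:
                    ntype = record[lpos]
                    nlen = struct.unpack("!H", record[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return record[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def in_incompatible_category(dst_ip):
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in INCOMPATIBLE_SITES)


def name_in_category(name, category):
    """Literal matching: '*.example.com' matches only that exact string,
    mirroring the note that wildcard characters are treated as normal characters."""
    return name in category


def decide(client_hello, dst_ip, behavior, cert_name_lookup):
    """Apply one Behavior option to a request; returns (action, name_used_for_filtering).

    cert_name_lookup(dst_ip) stands in for reading the server certificate's name
    (assumption: a caller-supplied function, constructed for this example).
    """
    sni = extract_sni(client_hello)
    if sni is not None:
        return ("filter", sni)                # SNI present: normal domain-based filtering
    if behavior == BLOCK:
        return ("block", None)
    if behavior in (ALLOW_INCOMPATIBLE, COMBINED) and in_incompatible_category(dst_ip):
        return ("allow_unfiltered", None)
    if behavior in (FILTER_BY_CERT, COMBINED):
        cert_name = cert_name_lookup(dst_ip)
        return ("filter", cert_name) if cert_name else ("block", None)
    return ("block", None)                    # ALLOW_INCOMPATIBLE, IP not in category


if __name__ == "__main__":
    certs = {"198.51.100.7": "*.example.com"}   # constructed certificate names
    no_sni = build_client_hello(None)
    for behavior in (BLOCK, ALLOW_INCOMPATIBLE, FILTER_BY_CERT, COMBINED):
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(behavior, ip, decide(no_sni, ip, behavior, certs.get))
    print(name_in_category("*.example.com", {"*.example.com"}),
          name_in_category("www.example.com", {"*.example.com"}))
```

Running the script prints one decision per Behavior option and destination, which makes the difference between the options visible: only the combined option both lets the listed IP range through unfiltered and falls back to the certificate name for everything else.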

Spoofing

Ensures that traffic leaving the Smoothwall has the source IP address of the client making the web requests, rather than the IP address of the Smoothwall. For customers with multiple external connections, spoofing lets you use source NAT and link load balancing policies (see Using Source NAT and LLB Rules) to steer traffic onto specific links, for example, forcing students to use one link and teachers another, based on their source IP address.

Note: For networks that use multiple Guardians, such as a cluster or a centrally managed configuration, you should take steps to ensure that reply packets addressed to the spoofed client are routed back through the same Smoothwall. This ensures that data is returned to the correct client.

Tip: If the Bandwidth module has been installed on your Smoothwall, you can control the bandwidth used by Guardian traffic, for example, limiting the bandwidth available to bring-your-own-device (BYOD) clients on your network. To take advantage of the full functionality of the Bandwidth module, you need a Layer 7 license.

Next: Collapses the current section and expands the next section for you to complete.
Step 2: Where
Available locations: The locations available for you to select.
Included locations: The locations at which the policy will apply.
Create a new location: Opens the Locations page so that you can create a new location.
Next: Collapses the current section and expands the next section for you to complete.
Back: Collapses the current section and expands the previous section for you to review.
Step 3: Options for unauthenticated requests
Available groups: The groups available for you to select.
Included groups: The groups to apply the policy to. When requests are permitted without requiring authentication, for example, entries on the Exceptions page, the Smoothwall assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
Create a new group: Opens the Groups page so that you can create a new group.
Enable Policy: Indicates that your policy is turned on.
Confirm: Saves your policy settings and opens a new page with a summary of your policy settings for review.
Cancel: Opens the Manage policies page.

Read more

About the authentication policy wizard

Things you can do here

Creating authentication policies

Watch the video

Selecting an Appropriate Authentication Method