Jump to content


Photo

Questions on iOS global proxy and Web Filter authentication

authentication global proxy proxy

  • Please log in to reply
6 replies to this topic

#1 Steve Kellogg

Steve Kellogg
  • Members
  • 5 posts

Posted 22 October 2015 - 07:05 AM

I apologize for the lengthy post - I'm not sure how to pare it down and be clear.

 

I'm using a Web Filter 410 to provide content filtering for 200 iPads.  I'm not able to use the Barracuda Safe Browser for a couple of reasons, so I've pushed out a configuration profile to the iPads to use the Web Filter as a global proxy.  I'm currently using a captive web portal to force users to authenticate.  I initially made the mistake of not requiring authentication and it didn't take long for the world to start using my open proxy.

 

My problem is that some users are having trouble with the captive web portal from their home WiFi or from hotels and other locations.  My question is whether I can still require authentication without using the captive web portal - I can include generic authentication credentials in the global proxy configuration on the iPads (i.e. one user name and password for all the devices - not good for seeing who's doing what but at least it would solve the problems several users are encountering with the captive web portal).

 

I hope I've explained my situation clearly enough.  If anyone knows how if I can accomplish proxy authentication without the captive web portal I'd be grateful to hear from you.

 

Thanks,

 

Steve

 

 



#2 Cole Tarbet

Cole Tarbet
  • Members
  • 50 posts
  • LocationUtah, USA

Posted 22 October 2015 - 10:48 AM

I would take a quick look at what is being blocked for the users who are having problems with the captive portal.

 

It may be that you can allow specific URLs for the Unauthenticated access level in order to get them to the point where they can log in... for example, if a hotel has their own capture page from Verizon or Comcast or whatever.

 

Also, my 410 will not show the login page when an SSL site is requested so I have to train users to start with a non-secure page... msn.com, cnn.com, etc.



#3 Cole Tarbet

Cole Tarbet
  • Members
  • 50 posts
  • LocationUtah, USA

Posted 22 October 2015 - 10:50 AM

I can't find a source, but I have it in my head that you are supposed to install the Safe Browser even if users don't actively use it.



#4 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 22 October 2015 - 11:13 AM

Hi Steve,

 

1.) You can setup an authentication service under the Users tab so all users require separate logins which you can then create policies and alerts for if needed. This also prevents your web filter from being used as an open proxy .

 

Here is an article on authentication: https://techlib.barr.../ChooseAuthType

 

2.) Then you can setup the proxy service to work with or without needing the captive portal

 

 

LEt us know if you have more questions!



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#5 Steve Kellogg

Steve Kellogg
  • Members
  • 5 posts

Posted 22 October 2015 - 11:23 AM

Thanks to everyone for the suggestions.  I will look into these and see what i can come up with.

 

I really appreciate the help!

 

Steve



#6 Steve Kellogg

Steve Kellogg
  • Members
  • 5 posts

Posted 22 October 2015 - 11:31 AM

I've got LDAP set up for clients to authenticate against AD.  I was using this when I was able to use the Safe Browser and it worked fine.  If I use the proxy service without the web portal I don't understand how the clients would pass their credentials to the LDAP server - would they be presented with a login window?  I've got the global proxy for the iPads configured through a profile pushed out through MDM, so the manual proxy options in the iPad settings are not available.

 

I apologize if I'm missing something obvious.

 

Thanks again,

 

Steve



#7 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 22 October 2015 - 12:10 PM

Setup an exception rule at the bottom of the exceptions list that says "Block all unauthenticated traffic"

then when they hit a block policy it will prompt them for their LDAP  login credentials 



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com