Jump to content


Photo

WSA and Hotel Captive Portals


  • Please log in to reply
7 replies to this topic

#1 Jbo

Jbo
  • Members
  • 50 posts

Posted 21 October 2016 - 11:49 AM

We have many users that travel. How does the WSA handle the captive portal if it's unable to connect to the WSG? Also, how does the WSA work if the WSG can not be contacted due to say the hotel blocking port 8280?

 

Thanks,



#2 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 21 October 2016 - 12:19 PM

  This depends on the following options configured when you deploy the WSA basically, if you have fail-open set to Yes then it will allow the user to continue to browse   Fail Open: YesNo
If Yes, allows the Barracuda WSA to pass all traffic, unfiltered, upon system failure.Default: No
Policy Lookup Only Mode: YesNo
If Yes, client's machine routes web traffic and applies policies, but traffic is not routed through the Barracuda Web Security Gateway.Default: No


Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#3 Jbo

Jbo
  • Members
  • 50 posts

Posted 31 October 2016 - 12:18 PM

We have it set to NO for Fail Open. We can not allow unfiltered Internet traffic from our laptops. Why does the client have to talk to the WSG in order to process rules? Why doesn't it cache those rules locally for situations like this or say a VPN connection is down from a branch office to the WSG location?



#4 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 31 October 2016 - 12:46 PM

Sorry for not clarifying on Policy lookup mode, using this option will allow the policies and rules to be in effect after being synced, but not require routing through the WSG



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#5 Jbo

Jbo
  • Members
  • 50 posts

Posted 01 November 2016 - 07:17 PM

The problem is the sync issue. I'm currently having an issue with a client now that will not sync for some reason and is blocking all web traffic. The client shouldn't have to rely on the WSG in order to operate. It should have the policies cached on the machine and call in to the WSG to get the latest copy every so often.



#6 Ben Bartle

Ben Bartle
  • Moderators
  • 108 posts
  • LocationCampbell CA

Posted 16 November 2016 - 03:08 AM

Thank you for your feedback, this is how our Chromebook Extension currently works that was just introduced with Firmware 11. Unfortunately the exact functionality you are looking for does not exist in the product.

With current WSA versions you get an option of fail open/fail closed and PLO or Non-PLO.

PLO only sends check messages where Non-PLO would act as a full proxy. Both require communication with the WSG, if unreachable the admin sets either fail open or fail closed.

You mention your communication issue may be related to a VPN connection, but why rely on a VPN connection from a remote office? One of the main benefits of using WSA in PLO is that the local internet connection is used, and bandwidth is not consumed to and from the network where the WSG resides.Is it possible in your environment to publish the WSG on the internet? One method of doing this is by creating forwarding rules on the firewall to allow this traffic, you could eliminate the need to rely on VPN tunnels and other blockers from WSG communication to the clients. There may be other potential solutions or workarounds for this to resolve the immediate need. If this is not ideal or doesn't work in your environment contact support so we can gather all of the details to recommend another solution.

For the future I have filed a feature request to be considered for some future version of WSA.


Ben Bartle

Technical Marketing Engineer

Content and Network Security @ Barracuda Networks


#7 Jbo

Jbo
  • Members
  • 50 posts

Posted 07 September 2017 - 04:28 PM

This is still an issue. Any thoughts or upcoming features to resolve hotel captive portals?

 

Thanks,



#8 Ben Bartle

Ben Bartle
  • Moderators
  • 108 posts
  • LocationCampbell CA

Posted 13 September 2017 - 07:25 AM

@jbo Have you contacted support as described in my previous post? This would allow us to gather all the details and as we are  building this feature meet your current and future needs. 


Ben Bartle

Technical Marketing Engineer

Content and Network Security @ Barracuda Networks