Chromebook with WatchGuard Explicit Proxy Integration Guide

You can use your WatchGuard Firebox to monitor and control Google Chromebook traffic. The WatchGuard Explicit proxy, available in Fireware v11.11 and higher, lets you monitor, inspect, detect, and block traffic without the need to install a client on the host. Any traffic configured to go through the Explicit proxy is subject to all of the WatchGuard security services you have licensed and configured.

Recommendations:

  • Do not allow Chromebook devices to connect to the Explicit proxy through the public (external) IP address of the Firebox. Use a VPN instead.
  • Allow Chromebook devices to connect to the Explicit proxy on the Firebox from private networks that use the Firebox as the gateway.
  • Configure VPN and Wi-Fi settings for managed Chromebooks to implement a secure device policy that filters on-premises and off-premises Internet access through the Firebox as the gateway.

This solution requires the Firebox administrator to configure policies on the Firebox to block or allow traffic, and provides filtering without a client installed on the device.

Configuration Summary

To implement this solution, you must configure the Firebox and enrolled Chromebooks with settings that route all traffic to the Internet through the Firebox as a proxy server.

Firebox configuration:

  • Enable Mobile VPN with L2TP, and add a user in the L2TP-Users group
  • Configure the Explicit proxy for all traffic from private networks and add the L2TP-Users group
  • Enable HTTPS content inspection
  • Enable WebBlocker
  • Enable Safe Search (or enable on the Chromebooks)

Google Chromebook configuration (through the Google Admin Console):

  • Enroll Chromebooks in your enterprise domain
  • Restrict sign-in to only domain accounts and disable guest sign-in
  • Restrict Wi-Fi connections to Wi-Fi networks managed by the Firebox (for Chromebooks that are used only on-premises)
  • Require Chromebooks to establish an L2TP VPN connection to the Firebox
  • Configure Chromebooks to use the Firebox as the proxy server
  • Import the proxy authority CA certificate to Chromebooks
  • Enable Safe Search (or enable on the Firebox)


With this configuration in place:

  • All connections from on-premises Chromebooks to the Internet go through the Explicit proxy on the Firebox
  • All connections from off-premises Chromebooks to the Internet must go through an L2TP VPN tunnel to the Firebox and then through the Explicit proxy on the Firebox
  • Safe Search controls the types of search results Chromebook users can see
  • WebBlocker controls the website categories users can connect to

Logging and Reporting

Logging and reporting of web traffic is configured in the same way as logging for most other proxy traffic. URLs are included in the log messages, which you can send to a Dimension Server. Firebox administrators can use Dimension reports to increase visibility of activity in Chromebook-intensive BYOD environments.

Google Admin Console

Prerequisites: G Suite for Education

G Suite for Education is Google’s suite of productivity services geared towards education environments. We strongly recommend this document for users of WatchGuard products whose goal is to safeguard Internet activity on Chromebook devices within an educational context.

To proceed, you must have enterprise administrative rights over the educational institution that manages the Chromebook environment and the WatchGuard-protected network environment. You must also have a G Suite account to complete the setup steps in this document.

Screen shot of G Suite for Education dialog box

For educational institutions and BYOD environments in which the organization owns and distributes multiple Chromebooks to users, we recommend that the organization strongly consider enterprise enrollment.

Enterprise enrollment provides a single point of management for BYOD environments in which not all organizationally-owned Chromebooks are physically accessible to the IT administration staff.

  1. Open the Google Admin console and log in.

Screen shot of Google Admin Console dialog box

  2. To see Chrome devices enrolled in enterprise management, select Device management.

Screen shot of Google Admin Console, Device Management tab

  3. To see the list of enrolled Chromebook devices, click Chrome devices. To appear in the list, each Chromebook must be enrolled in your G Suite account domain.

Recommended Settings

Guest Sign-In

Your Google Chrome devices might be initially configured to allow Guest sign-in. If the organization wants to more strictly control Chromebook usage, you can disable guest sign-in.

To disable guest sign-in:

  1. From the Google Admin console, select Device management > Chrome management.
  2. Select Device settings.
  3. In the Sign-in Settings section, from the Guest Mode drop-down list, select Do not allow guest mode.

Screen shot of Google Admin Console, Device settings, Sign-in Settings section dialog box

  4. Click Save after you make a configuration change.

Screen shot of Google Admin Console Save button

Sign-In Restrictions

For enterprise-enrolled Chromebooks administered from the Google Admin console, you can restrict the domain accounts that can sign in.

To configure sign-in restrictions:

  1. From the Google Admin console, select Device management > Chrome management.
  2. Select Device settings.
  3. In the Sign-in Settings section, select an option from the Sign-in Restriction drop-down list and add the list of user accounts. You can use a wildcard (*) to allow all accounts in your domain. For example, type *@watchguardtest.com to allow all accounts in that domain.

Screen shot of Google Admin Console, Device settings, Sign-in Settings section dialog box

  4. Click Save.

Wi-Fi

Configure Wi-Fi settings for the enrolled Chromebooks. These settings control how users can connect to off-premises and on-premises Wi-Fi networks.

  • On-premises — Chromebooks used on authorized managed networks
  • Off-premises — Chromebooks used on a home network or other offsite network

To configure Wi-Fi settings:

  1. Select Network > Wi-Fi.

Screen shot of Google Admin Console, Device management, Network tab

You may find that there are no Wi-Fi networks enabled. In the Google Admin console, you can configure specific Wi-Fi networks available to the Chromebook users. You can configure this by account or by device. For more information and best practices, see Google’s Chrome device Quick Start Guide.

  2. Click Add Wi-Fi.

Screen shot of Google Admin Console, Wi-FI dialog box

In the Wi-Fi configuration, you can specify a specific proxy for Wi-Fi traffic. WatchGuard recommends that you do not specify the proxy in the Wi-Fi settings. Instead, specify this in the Network settings.

  3. In the Name text box, type a friendly name for the Wi-Fi network.
  4. Type the SSID.
  5. Select the Automatically connect check box.
  6. Select an option from the Security Type drop-down list. We recommend WPA-PSK.
  7. From the Proxy Settings drop-down list, select Direct Internet Connection.
  8. In the Restrict access to this Wi-Fi network by platform section, select the Chromebooks check box. You can select other options as well.
  9. From the Apply network drop-down list, we recommend that you select by user.
  10. Click Add.

Screen shot of Google Admin Console, add Wi-Fi network dialog box

For Chromebook devices that you want to connect only to on-premises networks, the administrator must restrict Wi-Fi connections so that the devices can connect only to Wi-Fi networks managed by the Firebox.

  1. From the Google Admin console, select Network > General Settings.

Screen shot of Google Admin Console, Device management, Network dialog box

  2. Select the Auto-connect check box.
  3. Select the Restrict WiFi Networks check box.
  4. For Restrict Network Interfaces, select the Wi-Fi check box.

Screen shot of Google Admin Console, Device management, General settings dialog box

  5. Verify that the Wi-Fi networks you select in the Google Admin console are only Wi-Fi networks administered by the Firebox.

Screen shot of Google Admin Console, Device management, Network dialog box

If you do not restrict Wi-Fi network connections, Chromebook users can also connect to any off-premises Wi-Fi network. To inspect this traffic, you must require the user to establish a VPN connection before the Chromebook can browse the Internet. After the user connects to the VPN, traffic between the Chromebook and the Internet goes through the VPN tunnel to the Firebox and all HTTP and HTTPS traffic goes through the Explicit proxy.

The next two sections describe how to configure the VPN and Explicit proxy settings.

L2TP VPN Connections

To use the Explicit proxy for both on-premises and off-premises Internet connections from the Chromebooks, the Chromebooks must use a VPN to connect to the Firebox. WatchGuard recommends an L2TP VPN connection, which you can specify in the Google Admin console.

Enable L2TP VPN Connections on the Firebox

On the Firebox, enable Mobile VPN with L2TP and add a user for authentication.

To enable Mobile VPN with L2TP on the Firebox:

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select VPN > Phase2 Proposals.
  3. Click Add to add a Phase 2 proposal.

SHA2 authentication is not supported on older XTM device models. If your Firebox does not support SHA2, skip to step 9. For more information about SHA2 support on XTM devices, see the Knowledge Base article SHA-2 support in Fireware XTM.

  4. In the Name text box, type a name for this proposal.
  5. From the Type drop-down list, select ESP.
  6. From the Authentication drop-down list, select SHA2-256.
  7. From the Encryption drop-down list, select AES(128-bit).
  8. Click Save.

Screen shot of the Phase 2 Proposal, Edit dialog box

  9. Click Add.
  10. In the Name text box, type a name for this proposal.
  11. From the Type drop-down list, select ESP.
  12. From the Authentication drop-down list, select SHA1.
  13. From the Encryption drop-down list, select AES(128-bit).
  14. Click Save.

Screen shot of the Phase 2 Proposal, Edit dialog box

  15. Select VPN > Mobile VPN with L2TP.

Screen shot of the Mobile VPN with L2TP dialog box

  16. Click Run Wizard and complete the Mobile VPN with L2TP Setup Wizard. For more information, see Use the WatchGuard L2TP Setup Wizard in Fireware Help.

In the Setup Wizard you specify a pre-shared key for tunnel authentication. You must specify the same pre-shared key in the VPN settings in the Google Admin console.

  17. On the Mobile VPN with L2TP page, click Configure.
  18. Select the IPSec tab.
  19. In the Transform Settings list, remove the default transform.
  20. Add two new Phase 1 transforms with these settings:
    • Authentication: SHA1, Encryption AES(128-bit), Diffie-Hellman Group 14
    • Authentication: SHA1, Encryption AES(128-bit), Diffie-Hellman Group 19

Screen shot of the Mobile VPN with L2TP settings, IPSec tab, Phase 1 Settings

  21. Select the Phase 2 Settings tab.
  22. Remove the two default Phase 2 proposals.
  23. Add the two Phase 2 proposals you configured earlier. Make sure the proposal that uses SHA2 is at the top of the list.

Screen shot of the Mobile VPN with L2TP settings, IPSec tab, Phase 1 Settings

  24. Click Save.

Add a user to the L2TP-Users group.

  1. Select Authentication > Servers.
  2. To use the Firebox-DB authentication server, select Firebox.
  3. Add a user and specify the passphrase.
  4. Add the user to the L2TP-Users group.

Screen shot of the Authentication, Server add user dialog box

  5. Save the configuration.

The user name and passphrase for the user in the L2TP-Users group are the user name and password you specify for the VPN in the Google Admin console.

Configure VPN Settings in the Google Admin Console

After you enable Mobile VPN with L2TP on the Firebox, configure the VPN settings for the Chromebooks:

  1. From the Google Admin console, select Device management > Network > VPN.

Screen shot of Google Admin Console, Device management, Network, VPN dialog box

  2. Click Add VPN to configure VPN settings.

Screen shot of Google Admin Console, Device management, Network, add VPN dialog box

  3. In the Remote host text box, type the external IP address of the Firebox.
  4. For VPN type, select L2TP over IPSec with Pre-Shared key.
  5. In the Pre-shared key text box, type the pre-shared key you specified on the Firebox.
  6. In the Username and Password text boxes, type the user name and passphrase of a user in the L2TP-Users group on the Firebox. All Chromebook users use these credentials for VPN connections.
  7. From the Proxy settings drop-down list, select Direct Internet Connection.
  8. For Apply network, select by user.

Screen shot of Google Admin Console, Device management, Network, VPN dialog box

  9. Click Add to add the new VPN.
  10. Click Apply. The VPN is now enabled for the Chromebooks through the Google Admin console.

Screen shot of Google Admin Console, Device management, Network, VPN dialog box

  11. To confirm the VPN was successfully configured, sign in to an enterprise-enrolled Chromebook and click the status area where the user account picture appears.

Screen shot of Google Admin Console, Status area

  12. Open a Chrome browser and select Settings.
  13. Open the VPN settings of the L2TP VPN on the Chromebook. Verify that the status is Connected.

Screen shot of VPN settings, Chrome browser Settings of the L2TP VPN dialog box

You can also implement OpenVPN and L2TP-VPN as shown in this example.

Screen shot of Device management, Network, VPN dialog box

Proxy Settings

This section describes the steps to configure settings on the Firebox and in the Google Admin console to filter web traffic from the enrolled Chromebooks, regardless of whether a Chromebook is connected to the Firebox-administered network or to an off-premises network that is not managed by the Firebox.

Prerequisites:

  • Mobile VPN with L2TP is configured on the Firebox, with a user added to the L2TP-Users group
  • L2TP VPN is configured for the Chromebooks so that Chromebook users can connect to the Firebox

To use the Firebox as a proxy server, configure the Explicit proxy policy on the Firebox, then use the Google Admin console to specify the Firebox as a proxy for enrolled devices.

Configure the Explicit Proxy Policy on the Firebox

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Firewall > Firewall Policies.
  3. Click Add Policy.
  4. Select Proxies, then select the Explicit-proxy policy.
  5. Click Add Policy.
    The Policy settings appear.

Screen shot of the Fireware Web UI Firewall Policies, Add Policy dialog box

By default, the policy applies to traffic from the Any-Trusted and Any-Optional networks (on-premises connections). For this policy to apply to off-premises connections, you must add the group L2TP-Users to the From list of the policy.

  6. Below the From list, click Add.
  7. From the Member type drop-down list, select Firewall Group, then select L2TP-Users.
  8. Click OK to add the L2TP-Users group to the From list of the policy.

Screen shot of the Firewall Policies, Add dialog box, Setting tab

  9. Click Save.

After you add the Explicit proxy policy, two new policies are added to the configuration.

Screen shot of Policies list dialog box

When you add the Explicit-proxy policy, a WG-PAC-File-Download policy is also added automatically. If you use a PAC file to distribute the proxy configuration, this policy allows users on the on-premises networks to connect to the Firebox to download the PAC file.

For information about how to create the PAC file on the Firebox, see Explicit proxy: PAC Files.

Enable HTTPS Content Inspection on the Firebox

To configure content inspection for HTTPS connections:

  1. In Fireware Web UI, select Firewall > Proxy Actions.
  2. Select the HTTPS-Client.Standard predefined proxy action. Click Clone.
    A new copy of the proxy action opens for editing.

Screen shot of Fireware Web UI, Firewall, HTTPS Proxy Actions dialog box

  3. Type a Name for the cloned proxy action.
  4. Select the Content Inspection tab.
  5. Select the Enable Content Inspection check box.

Screen shot of Fireware Web UI, Firewall, HTTPS Proxy Actions dialog box

  6. Select the Domain Names tab.

Screen shot of Fireware Web UI, Firewall, HTTPS Proxy Actions dialog box, Domain Names tab

  7. Set the action for all sites, and the action to take if no rule is matched, to Inspect.
  8. Click Save to save the new proxy action.

Next, configure the Explicit-proxy proxy action to use this action.

  1. Select Firewall > Firewall Policies.
  2. Edit the Explicit-proxy policy.
  3. Select the Proxy Action tab.
    By default, the proxy uses the predefined Explicit-Web.Standard proxy action, which you cannot edit. You must clone the proxy action and then configure the settings for the cloned proxy action.

Screen shot of Fireware Web UI, Firewall, Firewall Policies dialog box, Proxy Action tab

  4. From the Proxy Action drop-down list, select Clone the current proxy action.

Screen shot of Fireware Web UI, Firewall, Firewall Policies dialog box, Proxy Action tab

  5. Type a Name for the cloned proxy action.
  6. In the Proxy Action Settings section, select Explicit Web Proxy > Connect Tunneling.

Screen shot of Fireware Web UI, Firewall, Firewall Policies dialog box, Proxy Action tab

  7. Double-click the default HTTPS rule to edit it.
    The Edit Rule dialog box appears.
  8. From the Action drop-down list, select HTTPS Proxy Action.
  9. Select the HTTPS proxy action that you cloned earlier.

Screen shot of Fireware Web UI, Edit Rule dialog box

  10. Click OK.
    The HTTPS rule now uses the HTTPS proxy action.

Screen shot of Fireware Web UI, HTTPS rule dialog box

  11. Configure the proxy to use the same HTTPS proxy action if no rule above is matched.
  12. Click Save to save and close the policy.

For more information, see Use Certificates with HTTPS Proxy Content Inspection.

Configure Proxy Settings in the Google Admin Console

After you enable the Explicit proxy on the Firebox, you can configure the Chromebooks to use it.

  1. From the Google Admin console, select Device management > Chrome management.

Screen shot of Google Admin console, Device Management, Chrome Management tab

  2. Select User Settings.
  3. Scroll to the Network section and find Proxy Settings.

Screen shot of Google Admin console, User Settings, Network, Proxy Settings dialog box

  4. Configure the Proxy Mode and Proxy Settings with one of the two options described below.

The Proxy Mode has several settings. To use the Explicit proxy on the Firebox, the Chromebooks must use the Firebox as the proxy server. WatchGuard recommends that you select one of these two proxy mode options.

Option 1 — Manually configure the proxy server address

Use this method if you do not have many clients to configure. From the Proxy Settings drop-down list, select Always use the proxy specified below. In the Proxy Server URL text box, type the trusted IP address of the Firebox. In this example, our proxy URL is the Firebox internal IP address (10.0.1.1) and the port is 3128.

Screen shot of Google Admin console, Device management, Chrome, User Settings dialog box

Option 2 — Distribute a PAC file script to managed Chromebook clients

If you manage a large number of Chromebooks, you can use a proxy auto-configuration (PAC) file to distribute the proxy configuration. A PAC file is a small JavaScript file that tells client web browsers to use the Firebox as a proxy server. The PAC file includes the IP address and port number the client uses to connect to the Firebox. You can host the PAC file on the Firebox.

From the Proxy Settings drop-down list, select Always use the proxy auto-config specified below. Then specify the path for the client to get the PAC file.

Example: 10.0.1.1:4125/p1.pac

For more information about PAC files on the Firebox, see Explicit proxy: PAC Files in Fireware Help.
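The following PAC file is an added example for the Option 2 deployment above; it is not a file from this guide or from WatchGuard. It assumes the Firebox trusted IP address 10.0.1.1 and Explicit proxy port 3128 from Option 1, and the private address ranges it treats as local are an assumption you should adjust to your own network. PAC engines in browsers provide built-in helpers such as isPlainHostName and isInNet; the equivalent checks are written here in plain JavaScript so the same file also runs outside a browser.

```javascript
// Added example PAC file (not from the WatchGuard guide).
// Assumed values: Firebox trusted IP 10.0.1.1, Explicit proxy port 3128.
var FIREBOX_PROXY = "PROXY 10.0.1.1:3128";
var FIREBOX_ADDRESS = "10.0.1.1";

// True if host is a dotted-quad IPv4 literal such as "192.168.5.7".
function isIpv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Convert a dotted-quad string to an unsigned 32-bit number.
function ipToInt(ip) {
  var p = ip.split(".");
  return ((parseInt(p[0], 10) << 24) >>> 0) +
         (parseInt(p[1], 10) << 16) +
         (parseInt(p[2], 10) << 8) +
         parseInt(p[3], 10);
}

// True if ip falls inside network/bits (CIDR prefix match).
function inCidr(ip, network, bits) {
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

// Assumed local ranges: RFC 1918 space plus loopback. Adjust for your site.
function isPrivateAddress(host) {
  if (!isIpv4Literal(host)) return false;
  return inCidr(host, "10.0.0.0", 8) ||
         inCidr(host, "172.16.0.0", 12) ||
         inCidr(host, "192.168.0.0", 16) ||
         inCidr(host, "127.0.0.0", 8);
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Plain hostnames (no dot) are local resources: connect directly.
  if (host.indexOf(".") === -1) return "DIRECT";

  // The Firebox itself (PAC download, certificate portal, Web UI) is reached directly.
  if (host === FIREBOX_ADDRESS) return "DIRECT";

  // Destinations in private address space stay on the LAN instead of
  // looping through the proxy.
  if (isPrivateAddress(host)) return "DIRECT";

  // Everything else is Internet-bound HTTP/HTTPS: send it to the Explicit proxy.
  // There is deliberately no "; DIRECT" fallback, so if the proxy is unreachable
  // browsing fails closed rather than silently bypassing inspection.
  return FIREBOX_PROXY;
}
```

Point the Proxy Settings auto-config URL at the Firebox-hosted path (10.0.1.1:4125/p1.pac in the example above). The security-relevant choice is the missing DIRECT fallback: a return value of "PROXY 10.0.1.1:3128; DIRECT" would let the browser quietly bypass the Explicit proxy, and with it content inspection and WebBlocker, whenever the proxy did not answer.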

Import the Proxy Authority CA Certificate to Client Devices

When you enable content inspection in the HTTPS proxy, the Firebox uses the default self-signed Proxy Authority CA certificate to re-encrypt the traffic. Users receive a warning in their web browsers because this certificate is an untrusted self-signed certificate.

To prevent these warnings, you can import this certificate (or your own certificate) on each client device.

Import the CA Certificate used by the Firebox to Google Chromebooks

When you enable HTTPS content inspection, the Firebox automatically creates the WatchGuard Certificate Portal policy, which allows connections to the Certificate Portal on the Firebox. The port and protocol for the certificate portal (TCP port 4126) appear in the WatchGuard Certificate Portal policy.

Screen shot of Fireware Web UI, Firewall Policies, Edit dialog box, Settings tab

To connect to the Certificate Portal to download the certificate file:

  1. In a web browser on the management computer, go to http://<Firebox interface IP address>:4126/certportal.
  2. Download the certificate file.

To import the certificate file:

  1. From the Google Admin console, select Device management > Network.
  2. Select Certificates.

Screen shot of Google Admin console, Device Management, Network, Certificates dialog box

  3. Click Add Certificate.
  4. Select the certificate file downloaded from the Firebox.
  5. Select the Use this certificate as an HTTPS certificate authority check box.

Screen shot of Google Admin console, Add Certificate dialog box

To verify the certificate authority and test SSL inspection on a managed Chrome device:

  1. Sign in to a managed Chromebook.
  2. To verify the certificate authority, open a Chrome browser and go to chrome://settings-frame/certificates.

Screen shot of the managed Chromebook Certificate Manager dialog box

  3. Browse to a site that uses HTTPS.
  4. Verify that the building icon appears in the address bar.
  5. To see permission details about the connection, click the building icon in the address bar.
  6. To see certificate details, click Certificate information.

Screen shot of Certificate Information dialog box

Safe Search and WebBlocker

To control the types of content that users can see, you can enable Safe Search and WebBlocker.

Enable Safe Search

We recommend that you use Safe Search to restrict the content that users can see in Google search results. You can enable Safe Search on the Firebox or through the Google Admin console.

To enable Safe Search through the Google Admin console:

  1. Select Device management > Chrome > User Settings.
  2. In the Content section, from the Safe Search and Restricted Mode drop-down list, select Always use Safe Search for Google Web Search queries.

Screen shot of the Google Admin console, Device Management, Chrome, User Settings dialog box

You can also enable restricted mode for YouTube.

Screen shot of the Google Admin console, Device Management, Chrome, User Settings dialog box

To enable Safe Search on the Firebox:

  1. Edit the Explicit-proxy policy.
  2. Select the Proxy Action tab.
  3. Select HTTP Request.
  4. In the General Settings section, select the Enforce safe search to major search engines check box to enforce safe search.

Screen shot of the Fireware WebUI, HTTP Request General Settings dialog box, Proxy Actions tab

  5. Save the policy.

To enable safe search for inspected HTTPS traffic, you must also enforce safe search in the HTTP proxy action used for HTTPS content inspection. You can do that when you enable WebBlocker, as described in the next section.

Configure WebBlocker

On the Firebox you can enable WebBlocker to add another layer of protection. WebBlocker blocks connections to websites based on the content category. WebBlocker can identify and block over 130 content categories including adult, offensive, tasteless, and violence.

To enable WebBlocker:

  1. In Fireware Web UI, select Subscription Services > WebBlocker.
  2. If the WebBlocker Activation Wizard does not start automatically, click Run Wizard.

Screen shot of Fireware Web UI, Subscription Services, WebBlocker dialog box

  3. Type a Profile Name for the WebBlocker action. Click Next.
  4. In the Categories list, select the content categories to block.

Screen shot of Fireware Web UI, Subscription Services, WebBlocker dialog box

  5. Click Next.
    The wizard automatically selects to apply this action to the two configured proxy actions.

Screen shot of Fireware Web UI, Apply WebBlocker dialog box

  6. Click Next two more times to complete the wizard. Then click Finish.

To enable WebBlocker for inspected HTTPS traffic, you must also clone the HTTP-proxy.standard action and use the cloned HTTP proxy action in the HTTPS-proxy policy.

  1. Select Firewall > Proxy Actions.
  2. Select the HTTP-Client.Standard predefined proxy action. Click Clone.
  3. In the Name text box, type a name for the proxy action.
  4. Select the WebBlocker tab.
  5. From the WebBlocker drop-down list, select the WebBlocker action you configured earlier.

Screen shot of Fireware WebUI, Firewall, Proxy Actions, HTTP Proxy Action dialog box

  6. Click Save.
  7. Edit the HTTPS proxy action you selected in the Explicit proxy policy.
  8. Select the Content Inspection tab.
  9. From the Proxy Action drop-down list, select the cloned HTTP proxy action you just created.

Screen shot of HTTP Proxy Action Settings dialog box

  10. When you edit this proxy action, you can also enable Safe Search for inspected HTTPS connections. To do so, select the HTTP Request tab and select the Enforce safe search to major search engines check box.

Screen shot of HTTP Proxy Action Settings dialog box

  11. Click Save.

For more information about WebBlocker configuration, such as how to enable WebBlocker for other types of policies and how to use Policy Manager to configure WebBlocker, see Configure WebBlocker in Fireware Help.