HTTPS Proxy and Safe Search for Schools – Configuration Example

To enable different levels of access to websites for different groups of users, you must first set up user authentication. You can then configure WebBlocker settings for each group of users. At a high level, the steps are:

  1. Enable and configure Active Directory authentication.
  2. Define the user groups to match the user group names on your Active Directory server.
  3. Add policies for each user group. The policy includes a WebBlocker action to use for that group.
  4. Remove or modify the default Outgoing policy.
  5. Configure authentication settings to automatically redirect users to the WatchGuard authentication page.
  6. (Optional) Configure Single Sign-On (SSO).

Example Scenario

To show how to set up this configuration, we can use a school that wants to set different levels of web access for these three groups:

  • Students (more restricted access)
  • Teachers (less restricted access)
  • IT (unrestricted access)

Before You Begin

Before you configure WebBlocker and web access, you must configure user authentication. You can use any authentication method, such as Active Directory, local authentication, RADIUS, or LDAP.

For more information about the supported authentication methods, go to Authentication Server Types.

In this example, the school uses Active Directory authentication with Single Sign-On.

1. Enable and Configure Active Directory Authentication

You can use an Active Directory authentication server so that users can authenticate to your Firebox with their current network credentials. Before you configure your Firebox to use Active Directory authentication, make sure your users can successfully authenticate to the Active Directory server.

In this example, we use Policy Manager to configure the Firebox to use the school's Active Directory server at the IP address 10.0.1.100.

To configure Active Directory authentication:

  1. Click the Authentication Servers icon.
    Or, select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box opens.
  2. Select the Active Directory tab.
    The Active Directory settings show.
  3. Click Add.
    In Fireware v12.3 and higher, the Active Directory wizard opens.
  4. To use the wizard to configure the Active Directory settings, click Next.
  5. In the Domain Name text box, type the domain name to use for this Active Directory server.

Screen shot of the domain name settings in the Active Directory wizard

  6. Click Next.
  7. In the Server Address text box, type the IP address or DNS name of the primary Active Directory server. For this example, type 10.0.1.100.
    The Active Directory server can be located on any Firebox interface. You can also configure the device to use an Active Directory server available through a VPN tunnel.
  8. Click Next.
  9. Select the Edit the Active Directory Domain Settings check box.
  10. Click Finish.
    The Edit Active Directory Domain dialog box opens.
  11. In the IP Address / DNS Name settings, type or select the TCP port number used to connect to the Active Directory server. The default port number is 389.
    If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, go to Change the Default Port for the Active Directory Server.
  12. In the Timeout text box, type a value in seconds.
  13. Click the Dead Time up or down arrow to specify the time after which an inactive server is marked as active again. Select minutes or hours from the drop-down list next to the duration.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not use this server until it is marked as active again.
  14. In the Search Base text box, type the location in the directory to begin the search.

The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first part of the distinguished server name>,dc=<any part of the distinguished server name that appears after the dot>.

You set a search base to put limits on the directories on the authentication server the Firebox uses to search for an authentication match. We recommend that you set the search base to the root of the domain. This enables you to find all users and all groups to which those users belong.

For this example, the root domain name in the Active Directory database is example.com, so for the Search Base, we type dc=example,dc=com.

For more information about how to find your search base on the Active Directory server, go to Find Your Active Directory Search Base.

  15. In the Group String text box, type the attribute string that is used to hold user group information on the Active Directory server. If you have not changed your Active Directory schema, the group string is always tokenGroups.
  16. In the Login Attribute text box, type the Active Directory login attribute to use for authentication.
    The login attribute is the name used to connect to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you can leave the DN of Searching User and Password of Searching User text boxes empty.
  17. (Optional) In the DN of Searching User text box, type the distinguished name (DN) to use for the search operation.

It is not necessary to enter anything in this text box if you keep the login attribute of sAMAccountName. If you change the login attribute, you must add a value in the DN of Searching User text box. You can use any user DN with the privilege to search LDAP/Active Directory, such as Administrator. However, a less privileged user DN that has only the privilege to search is usually sufficient, and limits what an attacker gains if the Firebox configuration is exposed.

  18. In the Password of Searching User text box, type the password associated with the distinguished name used for the search operation.

Authentication Servers dialog box - Active Directory tab

  19. Click OK.
  20. Save the Configuration File.
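The values entered in steps 14 to 16 (search base, login attribute, group string) are easy to get subtly wrong, and a mistake usually shows up only as "no groups found" at login. The following Python block is an added example, not WatchGuard code: it derives the root-of-domain search base from the domain name, builds the LDAP lookup filter for the sAMAccountName login attribute with proper escaping, and decodes the binary SIDs that a tokenGroups query returns into the textual form that can be matched against group names. The group SIDs and the sample user are constructed.

```python
"""Checks for the values entered in the Active Directory settings above: the
search base derived from the domain name, the user lookup built from the login
attribute, and the tokenGroups values, which Active Directory returns as binary
SIDs. Added example; not WatchGuard code."""
import struct
from typing import Dict, Iterable, List

DEFAULT_LOGIN_ATTRIBUTE = "sAMAccountName"   # the page's default login attribute


def search_base_for_domain(domain: str) -> str:
    """Build the root-of-domain search base the page recommends:
    'example.com' -> 'dc=example,dc=com'."""
    labels = [p.lower() for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("domain name needs at least one label")
    return ",".join(f"dc={label}" for label in labels)


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515) so that a login
    name typed by a user cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_lookup_filter(username: str, login_attribute: str = DEFAULT_LOGIN_ATTRIBUTE) -> str:
    """Filter that finds one user account by the configured login attribute."""
    return f"(&(objectClass=user)({login_attribute}={ldap_escape(username)}))"


def sid_from_string(text: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout (used here only to
    construct sample data)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID: revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(sid) < 8 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % sid[1], sid[8:])
    return "S-%d-%d" % (sid[0], authority) + "".join("-%d" % s for s in subs)


# Constructed table: objectSid of each group on the school's AD server -> name.
# The Firebox must have groups with these same names defined (step 2 below).
SAMPLE_GROUP_SIDS: Dict[str, str] = {
    "S-1-5-21-1000-2000-3000-1105": "Students",
    "S-1-5-21-1000-2000-3000-1106": "Teachers",
    "S-1-5-21-1000-2000-3000-1107": "IT",
}


def group_names(token_groups: Iterable[bytes],
                sid_table: Dict[str, str] = SAMPLE_GROUP_SIDS) -> List[str]:
    """Resolve the SIDs in a tokenGroups attribute to the group names that the
    Firebox policies refer to; SIDs not in the table are ignored."""
    return sorted({sid_table[s] for s in map(sid_to_string, token_groups) if s in sid_table})


if __name__ == "__main__":
    print(search_base_for_domain("example.com"))
    print(user_lookup_filter("jdoe"))
    sample = [sid_from_string("S-1-5-21-1000-2000-3000-513"),    # constructed: a built-in domain group
              sid_from_string("S-1-5-21-1000-2000-3000-1105")]   # constructed: Students
    print(group_names(sample))
```

The escaping in `ldap_escape` matters wherever a login name ends up inside a filter: without it, a name containing `*` or `)` changes what the search matches. The SID decoder is the reason the group string is `tokenGroups` rather than a name attribute: membership comes back as SIDs, including nested groups, and must be resolved to names before it can be compared with the groups defined on the Firebox.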

2. Define the Users and Groups

Before you can use the Active Directory groups in policies, you must define the groups in the Firebox configuration from Policy Manager. The group names you add must match the groups on your Active Directory server. Repeat the steps in this section to create groups for Students, Teachers, and IT.

If a user is already logged in when you add a new group to the Firebox configuration, the user is not associated with that group by the Firebox until the next time the user logs in to the Firebox.

To add users and groups:

  1. Select Setup > Authentication > Users and Groups.
    The Users and Groups dialog box opens.
  2. Click Add.
    The Add User or Group dialog box opens.

Screen shot of the Define New Authorized User or Group dialog box

  3. In the Name text box, type the name of the group on the Active Directory Server.
    For this example, the students are in the Students Active Directory group, so we type Students.
  4. (Optional) In the Description text box, type a description of the group.
  5. Make sure that the Type is set to Group.
  6. From the Auth Server drop-down list, select Active Directory.

3. Add Policies for Each User Group

In this section, create an HTTP-proxy policy for each user group: Students, Teachers, and IT.

The Firebox uses two categories of policies to filter network traffic: packet filters and proxies.

Packet filter policy

A packet filter examines each packet's IP and TCP/UDP header. If the packet header information is permitted by the packet filter settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

Proxy policy

A proxy examines both the header information and the content of each packet. If the packet header information and the content of the packet is allowed by the proxy settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

Create an HTTP-proxy Policy for the Students

To deny access to categories of websites for a group of users, you must use Policy Manager to create an HTTP proxy policy for those users, and define a WebBlocker action for that policy. The HTTP proxy can then inspect the content and allow or deny the users access to a website based on the WebBlocker action configured for that policy.

To create an HTTP-proxy policy for the students:

  1. Select Edit > Add Policy.
    The Add Policy dialog box opens.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add Policy.
    The New Policy Properties dialog box opens.

Screen shot of the New Policy Properties dialog box

  3. Change the name of the proxy policy to describe the group it applies to.
    For this example, we name the proxy policy HTTP-proxy-Students.
  4. On the Policy tab, in the From section, click Any-Trusted. Click Remove.
  5. In the From section, click Add to add the user group for this policy.
    The Add Address dialog box opens.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box opens.

Screen shot of the Add Authorized Users or Groups dialog box

  7. Select the Students group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group Students in the From section of the policy.

  8. Next to the Proxy Action or Content Action drop-down list, click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box opens.
  9. From the Categories list, select HTTP Request > General Settings.
  10. Select Enforce SafeSearch and, if required, select a level of filtering for YouTube.
    SafeSearch is a feature of web search engines that lets users specify what level of potentially inappropriate content can be returned in search results. When the proxy enforces it, the user's own browser setting no longer matters.

Screen shot of the HTTP Proxy Action Configuration dialog box

To enforce SafeSearch for some sites that require HTTPS connections (such as Google and YouTube), you must use an HTTPS Proxy policy with content inspection enabled. To enable SafeSearch for decrypted HTTPS content, in the proxy action for the HTTPS-Client Proxy policy, select an HTTP-Client proxy action with SafeSearch enabled. For more information on HTTPS and content inspection, go to HTTPS-Proxy: Content Inspection.

  11. From the Categories list, select WebBlocker.
    The WebBlocker configuration opens.
  12. Next to the WebBlocker drop-down list, click the New/Clone icon.
    The Clone WebBlocker Action dialog box opens.

Screen shot of the Clone WebBlocker Action dialog box

  13. In the Name text box, type a name for this WebBlocker action.
    For this example, type Students.
  14. On the Categories tab, in the Deny column, select the check box for each content category to deny for users in the Students group.
  15. Click OK.
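The Students policy above combines the three ideas the page has introduced: a packet filter sees only headers, an HTTP-proxy with a WebBlocker action sees the content and can deny by category, and SafeSearch enforcement needs access to the request itself, which over HTTPS means content inspection. The following Python block is an added example that models those three behaviours; it is not WatchGuard code. The host categories and the per-group deny lists are constructed, and the SafeSearch rewrites use Google's documented controls (the `safe=active` query parameter for Google Search and the `YouTube-Restrict` request header for YouTube) only as a model of what an inspecting proxy can do, not as a description of how the Firebox implements the feature.

```python
"""Model of how the policies on this page treat a web request: the HTTP packet
filter (headers only, used for IT), the HTTP-proxy with a WebBlocker action
(content inspected, categories denied per group) and SafeSearch enforcement.
Added example; categories and deny lists are constructed."""
from typing import Dict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the WebBlocker category database.
CATEGORY_OF_HOST = {
    "www.games.example": "Games",
    "social.example": "Social Networking",
    "www.google.com": "Search Engines",
    "www.youtube.com": "Streaming Media",
}
# WebBlocker actions from the page: Students deny more, Teachers deny less,
# IT has no WebBlocker action at all (packet filter policy).
WEBBLOCKER_DENY = {
    "Students": {"Games", "Social Networking", "Streaming Media"},
    "Teachers": {"Games"},
}


def parse_http_request(raw: bytes) -> Dict:
    """Minimal parser for the request line and headers of a plaintext HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def packet_filter_decision(dst_port: int, allowed_ports=(80,)) -> str:
    """HTTP packet filter: decides on the TCP header alone and never reads the
    request, so it cannot apply WebBlocker categories or SafeSearch."""
    return "allow" if dst_port in allowed_ports else "drop"


def proxy_decision(group: str, raw_request: bytes) -> str:
    """HTTP-proxy with a WebBlocker action: reads the Host header, looks up its
    category and denies the request if the group's action denies that category."""
    req = parse_http_request(raw_request)
    host = req["headers"].get("host", "").split(":")[0].lower()
    category = CATEGORY_OF_HOST.get(host, "Uncategorized")
    if category in WEBBLOCKER_DENY.get(group, set()):
        return f"deny ({category})"
    return "allow"


def enforce_safesearch(raw_request: bytes, youtube_level: str = "Strict") -> Dict:
    """Rewrite a plaintext request so the search engine applies its own filter:
    Google Search gets safe=active in the query string (overriding any safe=off
    the user added) and YouTube gets a YouTube-Restrict header at the chosen
    level ('Moderate' or 'Strict')."""
    req = parse_http_request(raw_request)
    host = req["headers"].get("host", "").lower()
    if host == "www.google.com" or host.endswith(".google.com"):
        parts = urlsplit(req["target"])
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        query["safe"] = "active"
        req["target"] = urlunsplit(parts._replace(query=urlencode(query)))
    elif host == "www.youtube.com" or host.endswith(".youtube.com"):
        req["headers"]["youtube-restrict"] = youtube_level
    return req


def https_without_inspection(sni_host: str, group: str) -> Dict:
    """With content inspection off, an HTTPS connection shows the proxy only the
    TLS server name: WebBlocker can still categorise the host, but there is no
    URL or header to rewrite, so SafeSearch cannot be enforced. This is why the
    page requires an HTTPS-proxy with content inspection for Google and YouTube."""
    category = CATEGORY_OF_HOST.get(sni_host.lower(), "Uncategorized")
    denied = category in WEBBLOCKER_DENY.get(group, set())
    return {"decision": "deny" if denied else "allow", "safesearch_enforced": False}


# Constructed sample requests.
GAMES_REQUEST = b"GET /play HTTP/1.1\r\nHost: www.games.example\r\n\r\n"
SOCIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: social.example\r\n\r\n"
GOOGLE_REQUEST = b"GET /search?q=cats&safe=off HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
YOUTUBE_REQUEST = b"GET /results?search_query=cats HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"

if __name__ == "__main__":
    for group in ("Students", "Teachers"):
        print(group, proxy_decision(group, GAMES_REQUEST), proxy_decision(group, SOCIAL_REQUEST))
    print("IT", packet_filter_decision(80))
    print(enforce_safesearch(GOOGLE_REQUEST)["target"])
    print(enforce_safesearch(YOUTUBE_REQUEST, "Moderate")["headers"])
    print(https_without_inspection("www.youtube.com", "Students"))
```

Running the block shows the same games site denied for Students and Teachers but the social site denied only for Students, the packet filter allowing port 80 without looking at either, the `safe=off` a student added being overridden, and an uninspected HTTPS connection to YouTube returning `safesearch_enforced: False` even though the host can still be categorised.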

Create an HTTP-proxy Policy for the Teachers

From Policy Manager, repeat the same steps to set up a different policy for the Teachers group.

To create an HTTP-proxy policy for the teachers:

  1. Select Edit > Add Policy.
    The Add Policy dialog box opens.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add Policy.
    The New Policy Properties dialog box opens.

New Policy Properties dialog box

  3. Change the name of the proxy policy to describe the group it applies to.
    For this example, we name the proxy policy HTTP-proxy-Teachers.
  4. On the Policy tab, in the From section, click Any-Trusted. Click Remove.
  5. In the From section, click Add to add the user group for this policy.
    For this example, add the group Teachers.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box opens.

Add Authorized Users or Groups dialog box

  7. Select the Teachers group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group Teachers in the From section of the policy.

Screen shot of the New Policy Properties dialog box for the HTTP-proxy-Teachers policy

  8. Next to the Proxy Action or Content Action drop-down list, click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box opens.
  9. From the Categories list, select WebBlocker.
    The WebBlocker configuration opens.
  10. Next to the WebBlocker drop-down list, click the New/Clone icon.
    The New WebBlocker Configuration dialog box opens.
  11. In the Name text box, type a name for this WebBlocker configuration.
    For this example, type Teachers.

Screen shot of the Clone WebBlocker Action dialog box

  12. On the Categories tab, in the Deny column, select the check box for each content category to deny for users in the Teachers group.
  13. Click OK.

Create an HTTP Packet Filter Policy for the IT Group

The IT team needs unrestricted access to the Internet. Because we do not need a policy to inspect the content of HTTP packets for these users, we use Policy Manager to create an HTTP packet filter policy instead of an HTTP-proxy policy.

To create an HTTP packet filter policy for the IT group:

  1. Select Edit > Add Policy.
    The Add Policy dialog box opens.
  2. Expand the Packet Filters folder and select HTTP. Click Add Policy.
    The New Policy Properties dialog box opens.

New Policy Properties dialog box

  3. Change the name of the policy to describe the group it applies to.
    For this example, we name the policy HTTP-IT.
  4. On the Policy tab, in the From list, select Any-Trusted. Click Remove.
  5. In the From section, click Add to add the user group for this policy.
    For this example, add the group IT.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box opens.

Add Authorized Users or Groups dialog box

  7. Select the IT group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group IT in the From section of the policy.

  8. Click OK.
    Members of the IT group are no longer affected by WebBlocker restrictions.

4. Remove or Modify the Outgoing Policy

After you configure your HTTP-proxy policies with WebBlocker actions, you must make sure that the default Outgoing policy does not still allow network clients to visit websites without user authentication; as long as its From section contains Any-Trusted and Any-Optional, an unauthenticated client matches it and bypasses the per-group policies. You can use Policy Manager to either remove the Outgoing policy and add any other outgoing network policies you need, or edit the Outgoing policy so that its From section contains only your WebBlocker authentication user groups.

Option 1 — Remove the Outgoing Policy and Add Other Outgoing Network Policies

We recommend this option to increase control over outbound network access. You must know what ports and protocols are necessary to meet the requirements of your organization.

First, remove the Outgoing policy:

  1. Select the Outgoing policy.
  2. Select Edit > Delete Policy.
  3. Click Yes to confirm.

Then, add a DNS packet filter policy to allow outbound DNS queries:

  1. Select Edit > Add Policy.
    The Add Policy dialog box opens.
  2. Expand the Packet Filters folder and select DNS. Click Add Policy.
    The New Policy Properties dialog box opens.
  3. Add all of your internal networks to the From section of the policy.
  4. Click OK to save the policy.

Finally, add other custom policies:

Add custom policies for any other necessary outgoing traffic. Examples of other custom policies you might want to add include:

  • UDP
  • SMTP (if you have a mail server)

For information about how to add a custom policy, go to About Custom Policies.

Option 2 — Add Your User Authentication Groups to the Outgoing Policy

If you are not sure what other outgoing ports and protocols are necessary for your business, or if you are comfortable with the same level of outbound control you have when you use the default configuration, you can use Policy Manager to modify the Outgoing policy to add your authentication groups.

To add user authentication groups to the outgoing policy:

  1. Double-click the Outgoing policy.
    The Edit Policy Properties dialog box opens.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From list, select Any-Optional. Click Remove.
  4. In the From section, click Add.
    The Add Address dialog box opens.
  5. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box opens.

Add Authorized Users or Groups dialog box

  6. Select all of the user authentication groups you created. Click Select.
  7. Click OK.
    The Edit Policy Properties dialog box appears for the Outgoing policy. The selected groups appear in the From section of the policy.

Edit Policy Properties dialog box - Outgoing policy
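The reason both options exist is easiest to see by evaluating the policy table against an unauthenticated client and an authenticated student. The following Python block is an added example, not WatchGuard code: it models the four policies created in steps 3 and 4 and the two ways of handling the Outgoing policy. First-match evaluation in the listed order is an assumption of this model, not a description of Fireware policy precedence; the clients are constructed.

```python
"""Model of the policy table built in steps 3 and 4, showing why the default
Outgoing policy must be removed (Option 1) or restricted to the authentication
groups (Option 2). Added example; first-match evaluation in the listed order is
an assumption of this model, not a description of Fireware policy precedence."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    sources: Set[str]     # From section: interface aliases or authentication groups
    ports: Set[int]       # TCP destination ports; empty set means any port
    action: str           # "allow-inspect" for a proxy, "allow" for a packet filter


@dataclass
class Client:
    interface: str        # "trusted" or "optional"
    user: Optional[str] = None
    groups: Set[str] = field(default_factory=set)   # filled in when the user authenticates


def source_matches(policy: Policy, client: Client) -> bool:
    """A client matches the From section through the alias of the interface it
    is on (Any-Trusted, Any-Optional) or through a group it authenticated into."""
    if "Any-" + client.interface.capitalize() in policy.sources:
        return True
    return bool(policy.sources & client.groups)


def evaluate(policies: List[Policy], client: Client, dst_port: int) -> Tuple[Optional[str], str]:
    """First matching policy wins; no match means the Firebox drops the traffic."""
    for p in policies:
        if source_matches(p, client) and (not p.ports or dst_port in p.ports):
            return p.name, p.action
    return None, "drop"


GROUP_POLICIES = [
    Policy("HTTP-proxy-Students", {"Students"}, {80}, "allow-inspect"),
    Policy("HTTP-proxy-Teachers", {"Teachers"}, {80}, "allow-inspect"),
    Policy("HTTP-IT", {"IT"}, {80}, "allow"),
]
DEFAULT_OUTGOING = Policy("Outgoing", {"Any-Trusted", "Any-Optional"}, set(), "allow")
OPTION2_OUTGOING = Policy("Outgoing", {"Students", "Teachers", "IT"}, set(), "allow")


def decide(outgoing: Optional[Policy], client: Client, dst_port: int) -> Tuple[Optional[str], str]:
    """Evaluate the group policies followed by the Outgoing policy (None = Option 1, removed)."""
    return evaluate(GROUP_POLICIES + ([outgoing] if outgoing else []), client, dst_port)


if __name__ == "__main__":
    unauthenticated = Client("trusted")                    # constructed: a PC before anyone logs in
    student = Client("trusted", "jdoe", {"Students"})      # constructed: a logged-in student
    print(decide(DEFAULT_OUTGOING, unauthenticated, 80))   # ('Outgoing', 'allow'): bypasses WebBlocker
    print(decide(OPTION2_OUTGOING, unauthenticated, 80))   # (None, 'drop'): step 5 then redirects to login
    print(decide(None, unauthenticated, 80))               # (None, 'drop'): Option 1
    print(decide(OPTION2_OUTGOING, student, 80))           # ('HTTP-proxy-Students', 'allow-inspect')
    print(decide(OPTION2_OUTGOING, student, 443))          # ('Outgoing', 'allow'): HTTPS is not inspected
```

The last line is worth noting: with Option 2 an authenticated student's port 443 traffic still leaves through the Outgoing policy uninspected, which is why the SafeSearch note in step 3 points to an HTTPS-proxy policy with content inspection for Google and YouTube. Option 1 makes that gap explicit, because every outbound port must then be allowed by a policy you add on purpose.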

5. Automatically Redirect Users to the Login Portal

From Policy Manager, you can configure the global authentication settings to automatically send users who have not yet authenticated to the authentication login portal when they try to get access to the Internet.

To automatically redirect users:

  1. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box opens.
  2. Select the Auto redirect users to authentication page for authentication check box.

WebBlocker is now configured to use different policies for different groups of authenticated users, and automatically redirects unauthenticated users to an authentication page.

6. Configure Single Sign-On (SSO)

When users log on to computers on your network, they must give a user name and password. If you use Active Directory or RADIUS authentication on your Firebox to restrict outgoing network traffic to specified users or groups, they must also log on a second time when they manually authenticate to the device to gain access to network resources such as the Internet. You can use SSO to have users on the trusted or optional networks automatically authenticate to the Firebox when they log on to their computers.

To use SSO with Active Directory, you must install the SSO Agent software on a computer in your domain. For an environment such as a school, where more than one person uses the same computer, we recommend that you install the SSO Client software on each computer.

For more information about Single Sign-On, go to How Active Directory SSO Works.