
Cablers_JonPaul

BYOD - The Transparent Proxy Headache Solved

by , 12th May 2014 at 12:35 PM (2073 Views)
Lots of people keep asking me what the transparent proxy forwarder in onBoarder is and how it works. I thought I would write a post to try to explain what it is and how it can benefit a school or business with an upstream proxy.

Having been involved in deploying BYOD systems for some time now, the biggest frustration for us has been the upstream proxy. The main problems we have encountered have been managing user device configuration and faults in guest and BYOD web redirection portals. There is a huge problem integrating a BYOD solution with an upstream proxy, which leads to the biggest question of all: “how do we transparently proxy HTTPS traffic?”


There are four options to resolve the upstream proxy issue.


Option 1 – offering the users the upstream proxy details and asking them to configure their own devices.
Most of the schools have been unwilling, and rightly so, to hand out proxy details to students or guests. This compromises the network to some extent and allows users to manually change the proxy filter ports to less restricted ports.
Guests coming into school want to hop on and surf, and proxy configuration can be complex on some devices and not supported on others.


Option 2 – System-based configuration
Now here is a can of worms. Do I have a WPAD using DNS or DHCP or both, and which devices work with WPAD and which don't? A WPAD solution can be flaky and only works for some devices, although I believe it now works for iOS 7. The WPAD either needs to reside on a different network, or all devices on the wired and wireless networks will pick up the WPAD settings.
This solution can then be combined with either iOS profiles or manual WPAD entry on iPads and iPhones.
But where does that leave our best network friend, the Android? Well, back at manual proxy device configuration again.
Some wireless vendors offer an onboarding process which will help configure the settings on some devices. This includes an onboarding portal residing on an open network where the user registers and downloads a profile. This works for both Android and iPhone, but Windows users still need the good old WPAD file.


Option 3 – New Broadband
This is probably the best solution when it comes to BYOD: new broadband with either in-house filtering with something like Lightspeed or with external filtering managed by the broadband provider.
This solution can be expensive and take a large chunk of the year's budget, which, when combined with the cost of delivering BYOD, can cause the project to become too expensive, especially if it involves a new managed wireless system, switching and cabling.
Some schools do not want to have the responsibility of owning the filtering and can be resistant to changing their broadband provider, which we have seen at quite a few sites.


Option 4 – onBoarder

Our quest for a transparent proxy, and a lot of late nights, led us to implement a new module on our onBoarder system: the transparent proxy forwarder, so called because we are techies and have no personality to name it. The transparent proxy forwarder (TP) is just that: it takes all packets destined for the internet and sends them to the upstream proxy on the required port. The user or device has no knowledge of an upstream proxy and no configuration on the device is required: no WPAD, no profile, no web redirect portals, and no over-complex solution with a profile for this and WPAD for that. And let's not forget that Android has to drink four cups of coffee and then install three apps. With onBoarder, just connect and surf.


The Guest TP solution

onBoarder GTP100 has one dedicated network for the Guest devices. Users connect to the site's Guest wireless, which is configured on a dedicated VLAN. The device receives DHCP and DNS settings from onBoarder with a gateway of onBoarder’s LAN gateway port. All traffic is sent to the upstream proxy via the WAN port on onBoarder.

onBoarder can be supplied with a Guest login portal if the existing wireless does not have Guest facilities or if standalone access points will be used.


The BYOD solution

onBoarder NSTP1000 has two networks for the BYOD/Guest devices, one for student forwarding and one for Guest/staff forwarding. When connecting to BYOD, a single SSID can be used with dynamic VLANs. onBoarder’s RADIUS server authenticates the user with username and password against the site's Active Directory and then applies the relevant VLAN to the authenticated user. The device receives DHCP and DNS settings from onBoarder with a gateway of onBoarder’s LAN gateway port. All traffic is sent to the staff or student upstream proxy port via the WAN port on the onBoarder.

onBoarder can be supplied with a Guest login portal if the existing wireless does not have Guest facilities or if standalone access points will be used.
The onBoarder NSTP1000 dashboard can provide information on internet bandwidth, access point utilisation and user logon details, including IP address.

Both systems can be configured to work with an in-house filtering system and have been extensively tested with the Lightspeed filtering solution.

I hope this may be of use to anyone wanting to deploy a BYOD solution, and whether you have upstream proxy or would like a BYOD in a box solution our team have the experience to help deliver a working platform.
For more information about onBoarder and how it can help with the integration of your BYOD solution call 08453879384 and talk to one of our team.
