  1. #1
    ICTNUT's Avatar
    Join Date
    Jul 2005
    Location
    Hereford
    Posts
    1,419
    Thank Post
    196
    Thanked 249 Times in 122 Posts
    Rep Power
    62

    Smoothwall content filter with bluesocket wireless

    Hello people,

    As the title suggests, we have a smoothwall content filter and we are also using a bluesocket wireless setup.

    What I want to know is if anyone has set up their smoothwall to allow bluesocket web access but still have it filtered?

    Our setup is as follows:

    BlueSocket : LDAP / Radius authentication using web portal for login information or machine based authentication.

    Smoothwall : LDAP / AD authentication (not at the office but I think ident with terminal services)

    I can get the wireless clients to connect to the network and authenticate no problem; the issue is that a username and password is NOT being passed to the smoothwall and content filtering fails, so users are unable to browse.

    How to set up smoothwall so that the wireless clients can surf the web but still be filtered?

    Answers on a post card please......

  2. #2

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,599
    Thank Post
    109
    Thanked 766 Times in 597 Posts
    Rep Power
    181
    It works for me... my users are using NTLM pass-thru to AD authentication. Mobile Guardian is now being used to set proxy details too.

    Of course, these are managed computers. I've got to set up the whole captive-portal style thing and I'm leaning towards AD auth through a web page... the users will then get passed to a VLAN which I'll put through a specific port on my UTM and just filter ALL the traffic.

  3. #3
    ICTNUT's Avatar
    Ric_: Where are you setting the NTLM pass-thru as I am sure if I can do this it will all work also but I must be blind as I cannot see where it is set?

  4. #4

    Join Date
    Feb 2008
    Posts
    270
    Thank Post
    14
    Thanked 44 Times in 35 Posts
    Rep Power
    22
    Originally posted by ICTNUT:
        Ric_: Where are you setting the NTLM pass-thru as I am sure if I can do this it will all work also but I must be blind as I cannot see where it is set?

    If you're using ident in terminal services compat mode, aren't you already using NTLM?

    If your wireless users are on unmanaged machines you will have to use either the ssl login page option or rely on the pop up window that the smoothwall will give your users if it can't authenticate them automatically. I found both these worked fine with Windows clients but Mac did not get on well at all (SSL login didn't work and the pop up window was a bit flakey, sometimes repeatedly asking for credentials when clicking on links) - for now our guest wireless are not authenticated as a result.

  5. #5

    Ric_'s Avatar
    Originally posted by ICTNUT:
        Ric_: Where are you setting the NTLM pass-thru as I am sure if I can do this it will all work also but I must be blind as I cannot see where it is set?

    On your Bluesecure controller, go to 'User Authentication' -> 'Authentication Server' -> 'Create... Transparent NTLM Windows Authentication'

    Fill in the relevant domain controller details and in the drop down box named 'or using LDAP/Active Directory server' simply select your AD authentication settings.

    It's all in the BlueSocket training materials that are available off the support pages of their website (along with lots of other good stuff).

  6. Thanks to Ric_ from:

    ICTNUT (11th November 2009)

  7. #6
    ICTNUT's Avatar
    Originally posted by Ric_:
        It works for me... my users are using NTLM pass-thru to AD authentication. Mobile Guardian is now being used to set proxy details too.

        Of course, these are managed computers. I've got to set up the whole captive-portal style thing and I'm leaning towards AD auth through a web page... the users will then get passed to a VLAN which I'll put through a specific port on my UTM and just filter ALL the traffic.

    I have set up AD (transparent NTLM) auth through the SSL web page on the bluesocket and authentication works (these are unmanaged laptops and mobile devices).

    On the status page for the bluesocket I can see the users that have authenticated but they cannot surf. Smoothwall is still coming back with unknown username or password and tries to stick them in the unauthenticated users, which I have set up as a default block everything.

    Seeing that the bluesocket bit is OK, I will assume that there is still something I need to do on the smoothwall....
    Last edited by ICTNUT; 11th November 2009 at 08:38 AM. Reason: typo

  8. #7

    Ric_'s Avatar
    Are you using the Smoothie as a transparent proxy? IIRC a transparent proxy cannot authenticate users.

    This is why I plan to do it the way I describe above. Dump the unmanaged devices onto a different VLAN with only access to the Smoothie box and then tell Smoothie to act as a transparent proxy on that VLAN, applying a strict filtering policy.

  9. #8
    ICTNUT's Avatar
    Originally posted by Ric_:
        Are you using the Smoothie as a transparent proxy? IIRC a transparent proxy cannot authenticate users.

        This is why I plan to do it the way I describe above. Dump the unmanaged devices onto a different VLAN with only access to the Smoothie box and then tell Smoothie to act as a transparent proxy on that VLAN, applying a strict filtering policy.

    Nope, not using smoothie as a transparent proxy, using NTLM Identification (Terminal Services compatibility mode)

    So my next question would be how do you have the smoothie set up with more than one authentication method?

    We do want to be able to log all the kids and their access and would like to do the same for the wireless access, but if that is not possible just making sure that the wireless internet access is filtered (strict) would suffice.

  10. #9


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,475
    Thank Post
    866
    Thanked 850 Times in 672 Posts
    Rep Power
    196
    Oz, you can only use a single authtype at the moment (though this is changing).

    Call me (back Friday) or RobF (0113 3874181, in Tomorrow all day AFAIK) and we'll have a poke about.

  11. Thanks to tom_newton from:

    ICTNUT (12th November 2009)

  12. #10
    ICTNUT's Avatar
    Will do :-)

  13. #11

    Ric_'s Avatar
    @ICTNUT: If the users are on unmanaged machines, will NTLM (or other types of) authentication work?

    If Smoothie acts as a transparent proxy, you will log all the IPs of the users and you can cross reference that with your ClueSocket logs. A PITA but you can still find those little darlings that are looking for pr0n.

  14. #12
    ICTNUT's Avatar
    Originally posted by Ric_:
        @ICTNUT: If the users are on unmanaged machines, will NTLM (or other types of) authentication work?

        If Smoothie acts as a transparent proxy, you will log all the IPs of the users and you can cross reference that with your ClueSocket logs. A PITA but you can still find those little darlings that are looking for pr0n.

    Hmm, that's a good point. I have a script that runs which will only allow a single logon instance for any student or staff with the time, date, IP, and pc name being logged to a central database, so finding out who did what is not really going to be that much of an issue.

    I will have a play and let you know.
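
The cross-referencing discussed in the two posts above (IP-only transparent proxy log matched against wireless login sessions), as an added example that is not part of the original thread or either vendor's tooling. The log layouts, addresses, usernames and URLs are constructed assumptions, not real Bluesocket or Smoothwall formats; it handles an IP address reused by a second user and requests that fall outside any session.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data; field layouts are assumptions for illustration.
# Sessions: login logout(or "-" if still open) ip user
SESSIONS = """\
2009-11-12T09:00:05 2009-11-12T09:40:00 10.20.0.15 jsmith
2009-11-12T09:45:10 2009-11-12T10:30:00 10.20.0.15 akhan
2009-11-12T09:02:00 - 10.20.0.22 guest7
"""
# Proxy requests: timestamp client_ip url
PROXY = """\
2009-11-12T09:10:00 10.20.0.15 http://example.org/a
2009-11-12T09:42:30 10.20.0.15 http://example.org/b
2009-11-12T09:50:00 10.20.0.15 http://example.org/c
2009-11-12T11:00:00 10.20.0.22 http://example.org/d
2009-11-12T09:01:00 10.20.0.99 http://example.org/e
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def load_sessions(text):
    """Return {ip: [(login, logout_or_None, user), ...]} sorted by login."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        login, logout, ip, user = line.split()
        end = None if logout == "-" else parse_ts(logout)
        by_ip[ip].append((parse_ts(login), end, user))
    for sessions in by_ip.values():
        sessions.sort(key=lambda s: s[0])
    return by_ip

def attribute(proxy_text, by_ip):
    """Return [(timestamp, ip, url, user_or_None)] for each proxy request."""
    out = []
    for line in proxy_text.splitlines():
        ts_text, ip, url = line.split()
        ts = parse_ts(ts_text)
        sessions = by_ip.get(ip, [])
        # Latest session on this IP that started at or before the request.
        i = bisect_right([s[0] for s in sessions], ts) - 1
        user = None
        if i >= 0:
            _, logout, name = sessions[i]
            # Attribute only if the session is still open or covers the request.
            if logout is None or ts <= logout:
                user = name
        out.append((ts_text, ip, url, user))
    return out

RESULTS = attribute(PROXY, load_sessions(SESSIONS))
```

Requests left with no user (the gap between two sessions on the same IP, or an address with no login at all) are the ones worth reviewing. Both devices need a common time source for the window check to mean anything.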

  15. #13
    ICTNUT's Avatar
    Where on the smoothie do we set transparent proxy then......?

  16. #14

    Ric_'s Avatar
    Originally posted by ICTNUT:
        Where on the smoothie do we set transparent proxy then......?

    Guardian -> Web Proxy

    Just give me remote access to your systems and I'll set it up for you shall I?

  17. #15
    ICTNUT's Avatar
    Error - NTLM in Terminal Services compatibility mode cannot be used with 'Transparent' enabled

    Which one should I set it to then?

    Ident by IP??
