Http Proxy 1

Status
Not open for further replies.

darren97

MIS
Nov 29, 2003
192
GB
Hi

Our head office has a Watchguard x1250e running Fireware v9.0. We have web blocker running and an http proxy policy that prevents users from downloading exe's etc. I am fairly new to Watchguard but because of the http proxy rule (everyone's default gateway is the firewall) as an administrator I am prevented from downloading software updates etc. Is there a way to either create a user based exclusion in the http proxy filter or create an http filter based on user / group membership?

Many thanks in advance
Darren

Regards, Darren
 
Absolutely. Here's how.

- Go under Setup -> Authentication -> Authentication Servers.
- A dialog will open and you will be presented with five choices; Firebox, RADIUS, SecurID, LDAP, and Active Directory. In my case I used Active Directory since I have a predefined group created with all of the required members in the group as well as a user account created to query the GC.
- Once you get your Authentication Server situation squared away (I don't know which one you will use so I haven't gotten too deep in explanation; reply with your desired configuration and we can help you more if needed) you'll need to go back into Setup -> Authentication -> Authorized Users/Groups. This is where you will enter the name of the user or group that can authenticate to the Firebox to bypass your other proxies/filters. In my case since I am using Active Directory, I typed in my group name (exact spelling and case sensitive I believe) and chose Active Directory from the drop down.
- Once that is complete, then create a new policy. In the From area remove Any-Trusted and then click Add..., scroll down until you find your group that you created earlier.
- Save your config.
- Now open a web browser and type in You will be given a login page. Enter your credentials and click login. Now you can bypass your proxies/filters as necessary.
- If you close the browser window that you used to authenticate you will still be authenticated for a while so be sure to either choose Logout or go to the FSM, click on the tab labeled Authentication List, find your user account, right-click and choose Log Off User.



I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi Unclerico.

Thanks ever so much for the excellent reply, I'll give it a go right now and let you know how I get on.

Thanks
Darren

Regards, Darren
 
Hi Unclerico


That worked fine using the FB-DB as the authentication, AD wouldn't work, I kept getting an Authentication Failed: 'LDAP binding failed, credentials are not correct, please try again'
On another note, and I am happy to post a new request, I am having issues with site-to-site VPNs and the Watchguard. If for example I modify a phase 2 setting on the Watchguard it will often knock out a few of the existing VPNs and I get irate users phoning me, we have 20 remote sites connecting over Citrix. I also find sometimes that on the phase 2 setting I have to enable PFS and then match that on the client router before the VPN tunnel will come up. We are using Draytek routers at the client sites which worked perfectly with the FB700 model. I know it's me not doing something right, any advice, best practises, documentation you know of.

Thanks in advance
Darren

Regards, Darren
 