Description:
In order to be able to use the UTM functions of the LANCOM R&S®Unified Firewall (e.g. URL/Content Filter, antivirus), the HTTP(S) proxy in the device must be configured and activated. This document describes the configuration steps necessary for this.
Important notice: The Application Filter does not require the HTTP(S) proxy. It analyzes all traffic that passes through the firewall, regardless of which port is used. How you configure the application filter is described in the following document.

  • How you configure the URL/Content Filter is described in the following document.
  • How you configure the antivirus feature is described in the following document.

The HTTP(S) proxy acts as a man in the middle. It terminates the connection to the web server itself, uses its own HTTP(S) proxy CA to issue a pseudo-certificate (a substitute certificate) for the website, and presents that certificate to the browser. Because the proxy holds the plaintext on both sides of the connection, it can analyze the traffic, apply URL and content filters, and scan for viruses. Clients only accept the substitute certificates without warnings once the proxy CA has been installed as a trusted root on them (see section 3).

Make sure that the DNS server of your LANCOM R&S®Unified Firewall correctly resolves the domains that are accessed while the HTTP(S) proxy is active, because the proxy performs its own name resolution for the connection to the web server.

The DNS server of the Unified Firewall has to be entered on the network devices (statically, or dynamically via DHCP). Alternatively, a separate local DNS server can be used; it must forward the DNS requests to the DNS server of the Unified Firewall so that clients and proxy resolve the same names to the same addresses.

Requirements:
  • LANCOM R&S®Unified Firewall with firmware as of version 10 and an activated full license
  • A configured and functional Internet connection on the Unified Firewall
  • Functional packet filter on the Unified Firewall (see )
  • Any web browser for access to the web interface of the Unified Firewall

Procedure:
1) Enabling the HTTP(S) proxy:
1.1) Enable the HTTP(S) proxy in the menu UTM -> Proxy -> HTTP proxy settings.
1.2) In this example the proxy operates in transparent mode. With this setting, the Unified Firewall automatically redirects all requests that arrive on port 80 (HTTP) or port 443 (HTTPS) through the proxy; the clients need no proxy settings of their own.

If you select intransparent, the clients must instead be configured explicitly to use the HTTP proxy of the Unified Firewall on port 10080 (HTTP) or 10443 (HTTPS).

1.3) In this example, the default certificate of the HTTPS proxy CA is used as the proxy CA. The CA (certificate authority) is used by the HTTP(S) proxy to issue pseudo-certificates.

The certificate authority is only displayed if the HTTPS proxy is enabled, i.e. set to transparent or intransparent.

1.4) In this example, no client authentication is performed. With this feature enabled, HTTP(S) clients are authenticated against the user administration of the Unified Firewall.
1.5) Optionally, you can whitelist domains that are to be excluded from SSL inspection, virus scanning and URL filtering. The HTTP(S) proxy passes whitelisted domains through without inspection, so the user's browser connects to them directly and no pseudo-certificates are created. This is required for services that use strict certificate pinning, such as Windows Update at windowsupdate.com. Keep the list as short as possible, because whitelisted traffic is neither scanned for viruses nor URL-filtered. You can add any number of domains: type in a domain and click "+" to add it to the list.
You can edit or delete any entry in the list by clicking on the appropriate icon.
Tip: The domains can include the following placeholders: * and . for whole words, ? for single characters.
1.6) Click on the Save button to accept your settings.


2) Configure usage of the HTTP(S) proxy:
In this example, the LAN contains Windows PCs that can access the Internet. Throughout the LAN, access to web pages is forced to go via the HTTP(S) proxy of the Unified Firewall.
2.1) In the host/network groups desktop object for the LAN, click the connection icon and then click the WAN network object.
2.2) The dialog with the settings for this connection is opened. Now you have to click on the NAT option for the HTTP and/or HTTPS service.
2.3) Set a checkmark for the option Enable proxy for this service and click Save.
2.4) The entries in the list of services for HTTP and/or HTTPS should look like this. Click on Save again.
2.5) Finally, implement the configuration changes by clicking Activate in the firewall.
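Once the configuration has been activated, a practitioner will want to confirm from a LAN client that HTTPS traffic is actually being intercepted, and that whitelisted domains from step 1.5 are not. The following PowerShell check is an added example and not part of the LANCOM document or product: it opens a TLS connection to a host and reports which CA issued the certificate the client received. For an inspected site the issuer must be the HTTPS proxy CA of the Unified Firewall; for a whitelisted site it must still be the site's real public CA. It also checks that the client uses the DNS server of the Unified Firewall, as required above. The host names, the firewall address 192.168.0.254 and the issuer pattern "HTTPS Proxy CA" are assumptions; replace them with your own values.

```powershell
# Added check (not part of the LANCOM document). Run on a Windows PC in the LAN
# with PowerShell 5.1 or later. Host names, the firewall address and the issuer
# pattern below are assumptions; adjust them to your installation.

function Get-RemoteCertificateInfo {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept every certificate: before the proxy CA is installed (section 3)
        # the pseudo-certificate fails validation, and we only want to read it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $chain, $errors) $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $tls.AuthenticateAsClient($HostName)   # sends SNI, so the proxy sees the requested name
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    }
    finally {
        $client.Dispose()
    }
}

# Assumed fragment of the issuer name of the default proxy CA; compare it with the
# name shown under Certificate management -> Certificates on the Unified Firewall.
$proxyCaPattern = '*HTTPS Proxy CA*'

$hosts = @(
    'www.lancom-systems.com',   # assumption: an ordinary site that should be inspected
    'www.windowsupdate.com'     # whitelisted in step 1.5, so it must NOT be inspected
)

foreach ($h in $hosts) {
    try {
        $info = Get-RemoteCertificateInfo -HostName $h
        $inspected = $info.Issuer -like $proxyCaPattern
        '{0,-28} inspected={1,-5} issuer={2}' -f $info.Host, $inspected, $info.Issuer
    }
    catch {
        '{0,-28} ERROR: {1}' -f $h, $_.Exception.Message
    }
}

# The document requires the clients to use the DNS server of the Unified Firewall.
# 192.168.0.254 is an assumed firewall LAN address; replace it with yours.
$firewallDns = '192.168.0.254'
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses
if ($clientDns -notcontains $firewallDns) {
    Write-Warning "Client DNS servers ($($clientDns -join ', ')) do not include the Unified Firewall ($firewallDns)"
}
```

If an inspected site shows its real public CA as issuer, the NAT rule from steps 2.2 to 2.4 does not cover that service or the change was not activated; if a whitelisted site shows the proxy CA, the whitelist entry does not match the name the client requests.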


3) Export certificate and import it on a Windows PC:
In this example, the LAN contains numerous Windows PCs that can access the Internet via the HTTP(S) proxy of the Unified Firewall. For the PCs to trust the pseudo-certificates issued by the proxy, its CA certificate must be installed as a trusted root certificate on each of them.
3.1) Go to the menu Certificate management → Certificates.
3.2) Expand the Certificates menu and, for the certificate of the default HTTPS Proxy CA, click the export icon.
3.3) The certificate has to be exported in PEM format. Click the Export button to start the process.
3.4) On your computer, go to the folder where you exported the certificate.
3.5) In order to install the certificate under Windows, change the file extension from *.pem to *.crt.
Please note that you must have administrator rights to install the certificate on a Windows system.
3.6) Click the certificate file and acknowledge the subsequent security warning with OK.
3.7) In the Certificate dialog, select the option Install certificate.
3.8) In this example, the certificate installed on the local computer is to be used by all users of this computer.
3.9) Select the option Place all certificates in the following store, click Browse and select the Trusted root certification authorities store.
3.10) Click Next and continue until the Certificate Import Wizard is finished.
3.11) This concludes the certificate import. Browsers that use the Windows certificate store (e.g. Microsoft Edge, Google Chrome) trust the proxy CA after the computer is restarted; Mozilla Firefox uses its own certificate store, see the note below.
Copy the exported certificate file to all of the other computers in the LAN and repeat the certificate import procedure (steps 3.6 to 3.11) on each of them.

Note on using the certificate in Mozilla Firefox:
Firefox does not use the Windows certificate store by default. Do the following so that Firefox also trusts the certificates imported there:
  • Enter the following into the address bar of the browser: about:config.
  • Search for the value security.enterprise_roots.enabled.
  • Change the value from false to true.
  • Restart the browser.
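Clicking through the Certificate Import Wizard on every PC does not scale, so here is the import of section 3 as a script run from an elevated PowerShell prompt. This is an added example and not part of the LANCOM document or product; it assumes the PEM export from step 3.3 was saved as C:\Temp\httpsproxyca.pem and that Firefox is installed in its default location. It goes slightly beyond the page in one respect: instead of the per-profile about:config change, it writes the Firefox enterprise policy that has the same effect (ImportEnterpriseRoots) for all users of the machine; that policy file is overwritten if it already exists, so merge it by hand on machines that already carry one.

```powershell
# Added example (not part of the LANCOM document): scripted version of the
# certificate import in section 3. Assumptions: PEM export at C:\Temp\httpsproxyca.pem,
# Firefox installed under $env:ProgramFiles\Mozilla Firefox. Requires admin rights,
# as the document notes for the manual procedure.
#Requires -RunAsAdministrator

$pemPath = 'C:\Temp\httpsproxyca.pem'

# Step 3.5: Windows tooling expects the .crt/.cer extension; the PEM content is unchanged.
$crtPath = [System.IO.Path]::ChangeExtension($pemPath, '.crt')
Copy-Item -Path $pemPath -Destination $crtPath -Force

# Steps 3.6 to 3.10: import into the machine-wide "Trusted Root Certification
# Authorities" store (Cert:\LocalMachine\Root), i.e. for all users of this computer.
$imported = Import-Certificate -FilePath $crtPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Check 1: the certificate must now be present in the root store.
$root = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $root) { throw "Proxy CA $($imported.Thumbprint) was not found in Cert:\LocalMachine\Root" }

# Check 2: it must be a CA certificate (Basic Constraints CA=TRUE); a pseudo-certificate
# exported by mistake would sit in the store without making the proxy's certificates chain.
$bc = $root.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning "'$($root.Subject)' is not a CA certificate; export the HTTPS Proxy CA itself, not a pseudo-certificate"
}
'Imported: {0} (thumbprint {1}, valid until {2})' -f $root.Subject, $root.Thumbprint, $root.NotAfter

# Firefox: machine-wide equivalent of security.enterprise_roots.enabled = true.
# The policy makes Firefox trust the CAs in the Windows root store. Overwrites any
# existing distribution\policies.json, so merge by hand where one already exists.
$firefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'
if (Test-Path $firefoxDir) {
    $policyDir  = Join-Path $firefoxDir 'distribution'
    $policyFile = Join-Path $policyDir 'policies.json'
    New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
    $policy = @{ policies = @{ Certificates = @{ ImportEnterpriseRoots = $true } } }
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding ASCII
    'Firefox enterprise roots policy written to {0}' -f $policyFile
}
```

After a restart of the browsers (or of the computer, as in step 3.11), HTTPS sites that the proxy inspects should open without certificate warnings, while whitelisted sites continue to present their original certificates.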