Using the non-transparent HTTP proxy on a LANCOM R&S®Unified Firewall with local user authentication in terminal-server environments

Description:

Some scenarios require users on a terminal server to have access to the Internet only if they authenticate themselves first. This can be implemented using the LANCOM R&S®Unified Firewall with local user authentication in combination with the non-transparent HTTP proxy.

This article describes how to use the non-transparent HTTP proxy on a LANCOM R&S®Unified Firewall with local user authentication in terminal-server environments.

Requirements:

• LANCOM R&S® Unified Firewall with LCOS FX as of version 10.4
• A configured and functional Internet connection with local network on the Unified Firewall
• The local network cannot have any firewall rules that allow HTTP and HTTPS!
• Web browser for configuring the Unified Firewall.
  
  The following browsers are supported:
  • Google Chrome
  • Chromium
  • Mozilla Firefox

Procedure:

1) Configuration steps on the Unified Firewall:

1.1) Configuration of the HTTP proxy and user authentication:

1.1.1) Open the configuration interface of the Unified Firewall in your browser and go to the menu UTM → Proxy → HTTP Proxy Settings.

Screenshot of a technical configuration menu displaying various system settings including Firewall, Antivirus, Email Security, and Proxy configurations.

1.1.2) Under Plain HTTP proxy and HTTPS proxy, select the option Intransparent for each entry, and activate client authentication.

Then click on Save.

Image of a technical configuration interface for HTTP and HTTPS proxy settings, including options for enabling transparent or plain proxy, setting proxy certificates, choosing ciphers for compatibility, and managing client authentication and whitelists.

1.1.3) Navigate to the menu User Authentication → Internal Portal → Settings.

Screenshot of a technical configuration interface showing options like Firewall, Network, User Authentication, External and Internal Portal settings, among others.

1.1.4) Modify the following parameters and then click Save:

• Use the slider to activate the Internal Portal.
• Login Mode: Choose a mode suitable for your scenario. In this example, only Single Login is allowed.
• Web Login Port: This port is used to access the authentication page of the Unified Firewall. If the port specified here is already being used elsewhere (e.g. by the reverse proxy), the port must be changed here (e.g. to 8443).

Screenshot of a user interface displaying options for login management and web login port configuration, including single and multiple login settings, compatibility mode, and landing page preferences.

1.2) Activating user authentication for the network and/or host object used:

In order for network users to log in to the network, login must be allowed in the network and/or host object being used.

1.2.1) Network object:

On the desktop, click on the Network object and select the pencil icon to get to the settings.

Image showing a partial, unclear text possibly from a technical diagram or user interface.

Make sure that Allow login is activated.

Image of a network configuration interface displaying options such as SINTRANETnetwork, Saved version, Allow login, and Network IP settings.

1.2.2) Host object:

Click on the Host object and select the pencil icon to get to the settings.

Make sure that Allow login is activated.

Image of a technical user interface showing icons for computer, notebook, server, and printer, with options including 'WorkstationHost', 'Savedversion', and 'Reset'.

1.3) Create a local user with firewall rules on the Unified Firewall:

1.3.1) Change to the menu User Authentication → Local Users and click on the “+” icon to create a new local user.

Screenshot of a technical user interface displaying various user management options such as Local Users, User Authentication, LDAP Groups, and portals for internal and external user access.

1.3.2) Set the User name as a meaningful name and enter a password. Then click on Create.

Image of a user authentication configuration dialog with options to show password, require password change after next login, and buttons for saving or canceling changes.

1.3.3) Click the icon on the desktop to create a new user.

Image of a technical user interface showing options to activate a firewall and other settings.

1.3.4) Modify the following parameters and then click Create:

• Object Name: Enter a descriptive name.
• User Name : Select the user created in step 1.3.2 .

Screenshot of a user interface showing a configuration dialog box with options to preserve changes, an object named 'TestUser', and buttons for applying or canceling changes.

1.3.5) On the desktop, click the user object created in step 1.3.4, select the connection tool and click the Internet object to invoke the rules.

A screenshot of a confusing and poorly formatted technical user interface, possibly showing settings or configuration options with various unclear elements and labels.

1.3.6) Add the protocols HTTP and HTTPS from the list on the right.

Image displaying a technical configuration interface with options such as URLContentFilter, ApplicationFilter, and ApplicationBasedRouting, and features including user actions, scheduling, and editing functions.

1.3.7) For HTTP and HTTPS under Options, click NAT to open the advanced settings for each entry.

Screenshot of a network management interface showing configuration options such as URL Content Filter, Application Filter, and Application-Based Routing with editable rules and actions.

1.3.8) For each one, check the box next to Enable proxy for this service and click on OK.

Screenshot of a network configuration interface showing options for NAT masquerading, port forwarding settings, and DMZ configuration with fields for external and destination IP addresses and ports.  Screenshot showing the configuration settings of a user interface for network security, including options for NAT, port forwarding, and scheduled protocols.

1.3.9) Click Create to generate the firewall rule.

Screenshot of a network configuration interface displaying settings for user connections, content filtering, application filtering, and application-based routing.

1.3.10) Finally, implement the changes by clicking Activate.

A screenshot of a technical user interface displaying firewall settings.

2) Entering the HTTP proxy in the web browser of a network user:

Enter the HTTP proxy into the web browser of a network user as described in the Knowledge Base article Use the HTTP(S) proxy of a LANCOM R&S®Unified Firewall only in the browser under step 4.

3) Export of the HTTP proxy certificate and import it for network users:

Export the HTTP proxy certificate and import it for each network user. The procedure is described for a Windows PC in the Knowledge Base article LANCOM R&S®Unified Firewall: Configuring the HTTP(S) proxy to use UTM functions in step 3.

4) Authenticating a network user with the local user via web browser:

4.1) If a web browser tries to access a website, it automatically redirects to the login page. Enter the login data there (see step 1.3.2).

Screenshot of a LANCOM RS Unified Firewall login screen, prompting for username and password to access network rights.

4.2) After successfully authenticating, the network user can communicate with the Internet.

Screenshot of a firewall user interface showing a logged-in test user, network access details, and active sessions information.