Connect for Chromebooks Setup Guide


This document is supplementary to the information contained in the Smoothwall Product Documentation, which is available from the Support section of our smoothwall.com website: http://smoothwall.com/technology/support

Connect for Chromebooks

Setup Guide

P a g e | 2

11 March 2016

Introduction

The Connect for Chromebooks extension is a custom utility that can be deployed to all Chromebooks on your network. Once the user is logged into the Chromebook, Connect for Chromebooks handles any subsequent authentication requests.

Contents

CONNECT FOR CHROMEBOOKS SETUP GUIDE

INTRODUCTION

PART 1: DISTRIBUTE THE SMOOTHWALL HTTPS CERTIFICATE TO ALL CHROMEBOOKS

PART 2: DISTRIBUTE THE CONNECT FOR CHROMEBOOK EXTENSION TO YOUR CHROMEBOOKS

PART 3: (OPTIONAL): SETTING UP USER IDENTITY VERIFICATION USING GOOGLE’S AUTHENTICATION SERVICE

PART 4: SET UP FILTERING AND ACCESS POLICIES ON THE SMOOTHWALL

Unauthenticated Chromebooks Group

Guardian Authentication Policy

Guardian Authentication Exception Policy

Guardian Filtering Whitelist Policy

Guardian HTTPS Do Not Inspect Policy

External Access

PART 5: ROLLING OUT PROXY SETTINGS TO THE CHROMEBOOK USERS

PART 6: HOW TO FILTER CHROMEBOOKS WHEN EXTERNAL TO THE NETWORK

PART 7 (OPTIONAL): GRANTING PERMISSION FOR CONNECT FOR CHROMEBOOKS


Part 1: Distribute the Smoothwall HTTPS Certificate to all Chromebooks

Important: If you have recently changed the hostname of the Smoothwall and are having issues with Connect for Chromebooks, check that the hostname in the certificate matches the hostname of the Smoothwall.

1. On the Smoothwall, go to Services > Authentication > Chromebook.

2. From the HTTPS certificate section, click Download certificate.

3. Save the downloaded certificate to a safe location.

4. Navigate to the Google Admin console — https://admin.google.com.

5. Click Device management.

6. From the DEVICE SETTINGS menu, click Network.

7. Click Certificates.

8. Click ADD CERTIFICATE.

9. Select the Smoothwall certificate downloaded in step 3.


10. Select Use this certificate as an HTTPS certificate authority for the certificate you have uploaded.

11. Click Save.

12. Log out of the Google Admin console.


Part 2: Distribute the Connect for Chromebook Extension to Your Chromebooks

1. Log into the Google Admin console — https://admin.google.com.

2. Click Device management.

3. From the DEVICE SETTINGS menu, click Chrome management.

4. Click User settings.

5. Scroll down to Apps and Extensions.

6. From the Force-installed Apps and Extension section, click Manage force-installed apps.


7. Click Specify a Custom App.

8. Enter the following ID: ldmijmkolialklggnnlgaodhaemipjmn

9. Enter the following URL: https://clients2.google.com/service/update2/crx

10. Click Add.


11. The Smoothwall Connect for Chromebooks extension should now be listed in the right-hand panel. Click Save.

12. To prevent students from installing third-party extensions and apps to get around the web filtering, choose Block all apps and extensions except the ones I allow from the Allow or Block All Apps and Extensions drop-down.

13. Click SAVE CHANGES.


Part 3: (Optional): Setting up user identity verification using Google’s authentication service

The following is needed if you have enabled user verification via the Google authentication service.

1. Go to https://console.developers.google.com and log in as an admin user.

If this is the first time you have logged in as a new user, you are prompted to accept the Google terms and conditions.

2. Create a new project.

3. Enter a suitable Project Name, for example, Smoothwall Login. Project ID is automatically filled in and does not need to be changed.

4. Click Create.

5. Once the page has refreshed and the project has been created, click Enable and manage APIs.

6. From the API Manager menu on the left, click Credentials.


7. Select the OAuth consent screen tab.

8. Configure the following:

a) Email address — From the drop-down list, select the email address of the relevant administrator.

b) Product name — Enter the project name created previously at the beginning of this section.

9. Click Save.

You are returned to the Credentials page.

10. From the New credentials drop-down menu, select OAuth client ID.

11. Configure the following:

a) Application type — Select Web application

b) Name — Configure an appropriate name for the credentials web application, for example, Smoothwall Login


c) Authorized JavaScript origins — Enter the URL of the Smoothwall appliance’s hostname, suffixed with port 442. For example:

https://proxy.smoothtest.com:442

Note: The URL used must be the hostname of the Smoothwall which Chromebooks will resolve via DNS. If Chromebook Authentication is to be configured for external offsite access, the URL must have a public DNS record which resolves to the Smoothwall's external IP address.

d) Authorized redirect URI — Enter the URL configured for Authorized JavaScript origins, with oauth2callback as the path. For example:

https://proxy.smoothtest.com:442/oauth2callback

Tip: If you are presented with an origin_mismatch error, check to make sure the Authorized JavaScript origins URL and the Smoothwall hostname match. If you are presented with an invalid_client error, this indicates the Client ID and Client Secret have not been configured correctly. Check the details match in both the Google Admin console and the Smoothwall Services > Authentication > Chromebooks.


12. Click Create.

The Client ID for web application is returned. Make a note of the Client ID and Client Secret as the Smoothwall needs these to communicate with Google.

Tip: You can access this information again on the Google Developers console > Credentials page.

13. On the Smoothwall, go to Services > Authentication > Chromebook.

14. Configure the Smoothwall to validate the user identity.

Ensure you enter the Client ID and Client Secret noted previously, when prompted.

For a detailed description of how to configure the Smoothwall to verify the user’s identity, go to:

https://help.smoothwall.com/Framlingham/Content/ui/auth/google.htm.


Part 4: Set up filtering and access policies on the Smoothwall

Unauthenticated Chromebooks Group

You can configure the steps the Smoothwall takes when processing web requests from unauthenticated Chromebooks.

1. On the Smoothwall, go to Services > Authentication > Groups.

2. Configure a new group name for unauthenticated Chromebooks.

For a detailed description of how to add new groups, go to:

https://help.smoothwall.com/Framlingham/Content/modules/auth/cgi-bin/auth/groups.htm

Guardian Authentication Policy

Guardian authentication policies are specific to your organization’s needs. You must configure an additional Non-transparent – Core authentication policy, and set this as the first authentication method on any Smoothwall interface.

Additionally, for clients to successfully proxy through when offsite, a supplementary authentication policy for Global Proxy using NTLM must be configured. Ensure this policy is configured on the same interface as the Non-transparent – Core authentication policy. Set this supplementary policy directly below the Non-transparent – Core authentication policy created previously. For more information, see Part 6: How to Filter Chromebooks when External to the Network on page 17.

Tip: Step 3 of the Web proxy authentication policy wizard provides options for unauthenticated requests. If required, you can select the group created previously for unauthenticated Chromebooks.

For a detailed description of how to configure authentication policies, go to https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm

For a detailed description of how to order the authentication policies, go to https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/authpolicy.htm


The resultant Authentication policy table should look something like this screenshot. In this example, the supplementary addition of the Global Proxy using NTLM has been configured for external proxy clients:

Guardian Authentication Exception Policy

You must create a Guardian authentication exception policy for the Connect for Chromebooks category.

For a detailed description of how to configure an authentication exception policy, go to: https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/authexceptions.htm.

Guardian Filtering Whitelist Policy

You must create a Guardian whitelist policy, with the following configuration:

• Who — Everyone

• What — Connect for Chromebooks

• Where — Everywhere

• When — Always

• Action — Whitelist

Set the whitelist policy as the very first policy in the Web filter policies table on the Guardian > Web filter > Manage policies page.

For a detailed description of how to configure web filter policies, go to: https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/filteringpolicywiz.htm.

For a detailed description of how to reorder web filter policies, go to: https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/policies.htm.


Guardian HTTPS Do Not Inspect Policy

You must create a Guardian “do not inspect HTTPS packets” policy, with the following configuration:

• Who — Everyone

• What — Connect for Chromebooks

• Where — Everywhere

• When — Always

• Action — Do not inspect

Set the policy as the very first policy in the HTTPS inspection policies table on the Guardian > HTTPS inspection > Manage policies page.

For a detailed description of how to configure HTTPS inspection policies, go to: https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/httpspolicywiz.htm.

For a detailed description of how to reorder HTTPS inspection policies, go to: https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/https.htm.

External Access

Add the following external access rules to the interface used by the Guardian authentication policies (if they do not already exist on System > Administration > External access):

• Other web access on HTTP (80)

• Other web access on HTTPS (442)

• DNS proxy (53)

Optionally, you can add external access rules for the above three services on the External interface. This allows Chromebooks to proxy through the Smoothwall when not on your organization’s network.

For a detailed description of how to add external access rules, go to: https://help.smoothwall.com/Framlingham/Content/cgi-bin/admin/xtaccess.htm.


Part 5: Rolling out proxy settings to the Chromebook users

Source: https://support.google.com/chrome/a/answer/2657289

Important: The proxy server must be specified in its URL format, and not by the IP address.

1. Log into the Google Admin console, https://admin.google.com.

2. Click Device management.

3. From the DEVICE SETTINGS menu on the left, click Chrome Management.

4. Click User Settings.

5. From the Network section, configure the following:

Proxy Mode — From the drop-down menu, select Always use the proxy specified below.

Proxy Server URL — Enter the URL of the Smoothwall appliance’s hostname, ensuring you append the correct port specified when creating the Guardian authentication policy (see Guardian Authentication Policy on page 12). For example: http://proxy.smoothwall.com:800.

Proxy Bypass List — Enter the hostname of the proxy, for example, proxy.smoothtest.com.

6. Click SAVE CHANGES.
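A pre-flight check of the values this guide has you enter in Part 3 (Authorized JavaScript origins, Authorized redirect URI) and Part 5 (Proxy Server URL, Proxy Bypass List), as an added example that is not Smoothwall's own code. The function names and sample values are constructed for illustration; port 442 and the oauth2callback path are taken from the guide.

```python
import ipaddress
from urllib.parse import urlsplit

AUTH_PORT = 442                    # port the guide appends for the OAuth origin
CALLBACK_PATH = "/oauth2callback"  # path the guide gives for the redirect URI


def is_ip_literal(host):
    """True when host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_settings(smoothwall_host, js_origin, redirect_uri, proxy_url, bypass_list):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    host = smoothwall_host.strip().lower()
    expected_origin = f"https://{host}:{AUTH_PORT}"

    # Part 3, step 11c: origin is https + Smoothwall hostname + port 442.
    origin = urlsplit(js_origin.strip())
    if (origin.scheme, origin.hostname, origin.port) != ("https", host, AUTH_PORT):
        problems.append(f"origin should be {expected_origin} (risk: origin_mismatch)")
    elif origin.path or origin.query:  # an origin is scheme, host and port only
        problems.append("origin must not carry a path or query")

    # Part 3, step 11d: redirect URI is the origin plus /oauth2callback.
    if redirect_uri.strip() != expected_origin + CALLBACK_PATH:
        problems.append(f"redirect URI should be {expected_origin}{CALLBACK_PATH}")

    # Part 5: proxy given by hostname (not IP address), with an explicit port.
    proxy = urlsplit(proxy_url.strip())
    if proxy.hostname is None or is_ip_literal(proxy.hostname):
        problems.append("proxy URL must be a URL with a hostname, not an IP address")
    elif proxy.hostname != host:
        problems.append(f"proxy URL host {proxy.hostname} differs from {host}")
    if proxy.port is None:
        problems.append("proxy URL is missing the Guardian policy port")

    # Part 5: the proxy's own hostname belongs in the bypass list.
    if host not in [entry.strip().lower() for entry in bypass_list]:
        problems.append(f"bypass list does not contain {host}")
    return problems


if __name__ == "__main__":
    # Constructed sample values modelled on the guide's smoothtest.com examples.
    base = "https://proxy.smoothtest.com:442"
    for p in check_settings("proxy.smoothtest.com", base, base + "/oauth2callback",
                            "http://192.0.2.10:800", ["proxy.smoothtest.com"]):
        print("FAIL:", p)
```

Run as written, the sample reports the proxy URL because it uses an IP address, which the Important note in Part 5 rules out.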


Additionally, you can choose to enforce proxy settings only when the Chromebooks are on your internal network. You do this in the Google Admin console. For a detailed description of how to do this, go to https://support.google.com/a/answer/2634553?hl=en > Add a Wi-Fi or Ethernet network configuration.


Part 6: How to Filter Chromebooks when External to the Network

Secure Global Proxy can be used to allow Chromebook users to be filtered by the Smoothwall when they are not connected to the internal network. To work effectively, Global Proxy requires the following:

• You must be able to point an external domain name to your publicly facing external IP address

• The FQDN must be resolvable both internally and externally

• If you have a firewall between the Smoothwall and your gateway, a port forward must be configured to forward your proxy port to the internal IP address of your Smoothwall

To be able to filter Chromebooks externally, you must create a Non-transparent – Global Proxy using NTLM Guardian authentication policy:

• Type — Non-transparent

• Method — Global Proxy using NTLM

• Interface — Select the relevant internal network interface

• Port — Select the relevant internal proxy port

• Where — Everywhere

• Options for unauthenticated requests — Choose the group configured for unauthenticated Chromebooks (see Unauthenticated Chromebooks Group on page 12)

For a detailed description of how to configure a Guardian authentication policy, go to: https://help.smoothwall.com/Framlingham/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm

Note: We recommend using client-side certificates when creating a Global Proxy using NTLM authentication policy. Client-side certificates must be manually installed directly into each individual Chromebook as they cannot be distributed via the Google Admin console. For ease of use, an Open Proxy can be used, but you should be aware this opens a port on the external interface. To set an Open Proxy with Global Proxy, go to Web proxy > Global proxy > Settings; see https://help.smoothwall.com/Framlingham/Content/ui/guardian/globalproxy.htm.


Part 7 (optional): Granting Permission for Connect for Chromebooks

The following is needed if you have enabled user verification via the Google authentication service.

Once the Connect for Chromebook extension has been distributed to all Chromebooks, users need to grant permission for it to access their personal data.

At this stage you should now be able to do a basic connectivity test to ensure the Smoothwall can talk to the extension:

1. Using a local Chromebook, browse to the client login page, using the following format:

https://<Smoothwall_proxy_hostname>:442/modules/auth/cgi-bin/google/login.fcgi

where Smoothwall_proxy_hostname is the proxy URL specified in Part 5: Rolling out proxy settings to the Chromebook users on page 15.

Tip: If you are presented with an origin_mismatch error, check to make sure the Authorized JavaScript origins URL and the Smoothwall hostname match. If you are presented with an invalid_client error, this indicates the Client ID and Client Secret have not been configured correctly. Check the details match in both the Google Admin console and the Smoothwall Services > Authentication > Chromebooks.


This should then display the client login page, with a Google login button in the top right:

2. Click the Google login button.

3. Accept the permission request.


The Google login button should turn green when the user is successfully logged in.

Note: All Chromebook users must accept the permissions request the first time they log into their Chromebook.

For a detailed description of how to customize the client login page, and configure their Chromebook traffic to route through the Smoothwall proxy server, go to: https://help.smoothwall.com/Framlingham/Content/ui/auth/google.htm