Web: Example for Implementing Permission Control on Users Who Access the Internet Through an HTTP Proxy Server

This section provides an example for implementing permission control on users who access the Internet through an HTTP proxy server. When a user sends a packet to access the Internet through an HTTP proxy server, the FW parses the X-Forwarded-For field in the HTTP packet to obtain the user identity and controls the permission of the user.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

The AD identity authentication mechanism is enabled on the intranet, and information about users and user group is saved on an AD server.
Employees access the Internet through an HTTP proxy server.

Figure 1 Implementing permission control on users who access the Internet through an HTTP proxy server

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

Information about users and departments is saved on the FW and can be referenced by policies.
Employees use domain accounts to log in to AD domains and access network resources. Employees are identified by the user names they use to log in to AD domains.

Configuration Roadmap

In this example, only the procedure for configuring the FW to implement permission control on users whose access the Internet through an HTTP proxy server. For details on how to configure AD SSO to enable users to go online from the FW, see the configuration examples of AD SSO.

If the HTTP proxy server does not support the addition of X-Forwarded-For field in HTTP packet, the FW cannot obtain the real IP addresses of users. As a result, the FW cannot implement user-based security control.

Configure AD SSO.

To implement permission control on users who access the Internet through an HTTP proxy server, ensure that the FW has obtained user identities before the users go online. In this example, when users log in to the AD domain, the FW has obtained user identities through the AD SSO function, namely, the users go online from the FW.
Enable XFF proxy-based user control so that the FW can parse the X-Forwarded-For field in an HTTP packet to obtain the real IP address of the user. Then the device can obtain the user name corresponding to the IP address.
Configure an authentication policy for not authenticating the traffic whose source IP address is a proxy server address.
Configure a security policy.

Procedure

Configure AD SSO. For details, see:
- Web: Example for Configuring AD SSO for Internet Access Users (Install ADSSO_Setup.exe to receive messages from PCs)
- Web: Example for Configuring AD SSO for Internet Access Users (the FW Monitoring AD Authentication Packets)
Choose Object > User > Authentication Option > Global Configuration, enable XFF proxy-based user control and specify the proxy server IP address.
Choose Object > User > Authentication Policy, click Add to create authentication policies.
1. Configure an authentication policy and set the action to not authenticate for the traffic initiated by the proxy server.
  
  Name
  
  auth_policy_proxy
  
  Source Zone
  
  trust
  
  Source Address/Region
  
  10.3.0.0/24
  
  Action
  
  No authentication
2. Configure an authentication policy and set the action to authentication-exempt for the traffic by users to access the Internet.
  
  Name
  
  auth_policy_user
  
  Source Zone
  
  trust
  
  Source Address/Region
  
  10.3.0.0/24
  
  Action
  
  Authentication exemption
  
  The FW directly uses the AD domain authentication result, and therefore, the action for the authentication policy is authentication-exempt.
If the proxy server and users are on the same network segment, configure an authentication policy on the proxy server and then configure a user authentication policy.
After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.

Configure the security policy that references users prior to configuring the security policy that references the proxy server IP address. After the FW identifies the user identity after receiving a packet, the FW only adds the user name as the user identity. The source IP address of the packet is still the IP address of the proxy server. If you configure the security policy that references the proxy server IP address prior to configuring the security policy that references users, traffic matches the security policy that references the proxy server IP address but not the security policy that references users.
Configure a security policy for permitting the proxy server to access the Internet.

Name

policy_sec_proxy

Source Zone

trust

Destination Zone

untrust

Source Address

10.3.0.2/32

Action

Permit

Name	auth_policy_proxy
Source Zone	trust
Source Address/Region	10.3.0.0/24
Action	No authentication

Name	auth_policy_user
Source Zone	trust
Source Address/Region	10.3.0.0/24
Action	Authentication exemption

Name	policy_sec_proxy
Source Zone	trust
Destination Zone	untrust
Source Address	10.3.0.2/32
Action	Permit

Verification

Choose Object > User > Online User to display information about online users.
Employees can properly access network resources.
You can find that the policy referencing users is matched. For example, choose Policy > Security Policy to view the policy matching count in security policy list.

Configuration Scripts

#
 sysname FW
# 
 user-manage xff-parse proxy-ip 10.3.0.2
#
security-policy
  rule name policy_sec_proxy    
  source-zone trust
  source-address 10.3.0.2 32     
  destination-zone untrust
  action permit
#
auth-policy
 rule name auth_policy_user
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
 rule name auth_policy_proxy
  source-zone trust
  source-address 10.3.0.2 32
  action none
#