  1. #1
    Newbie
    Join Date
    Jan 2019
    Posts
    3

    Captive Portal Pass Rules

    Device is in-line, between LAN and a separate firewall, and is in bridged mode. The device is going to be used to authenticate and track web usage only.

    I am trying to configure the Captive Portal but I need to pass certain web traffic through without authentication. For anything with a known IP or Port, the pass rules work just fine. We use agent based remote monitoring software that uses web (both 80 and 443) traffic to communicate between the agent and the web portal so we need to pass certain web traffic without authenticating.

    I have created pass rules using the HTTP: Hostname condition but the traffic is still being blocked by the Capture All rule (the pass rules are above the Capture All rule). When I look at the 'All Session Events' under the Captive portal it only lists IP addresses. I can see the hostnames in the Web Monitor events log and the pass rules appear to match up but I may have made some incorrect assumptions on the syntax.

    So my questions are:

    1. Is it possible to pass specific hostnames for the monitoring agent but still require authentication for general web browsing?

    2. If #1 is yes, is HTTP: Hostname the correct condition to use, and is the wildcard (*) allowed? (i.e. *.domain.com)

    Thanks.

  2. #2
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,729

    1) Yes, but beware that's only going to work with *HTTP* traffic, not HTTPS, because you can't see the hostname header of HTTPS traffic.
    The modern web is mostly https.

    2) Yes, for HTTP.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
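    The point made in this reply (an "HTTP: Hostname" rule can only match what is readable on the wire) can be shown with a small parser. The following is an added example and is not code from the thread or from Untangle; the rule list, the request and the TLS record bytes are constructed here, and the hypothetical pass rules use the same wildcard form the original poster asked about (*.domain.com). Plaintext HTTP exposes the Host header, so a wildcard rule can match it; the first bytes of an HTTPS session are a TLS handshake record with no readable Host header, so the same rule has nothing to match and the session falls through to the Capture All rule.

```python
import fnmatch
from typing import Optional

# Constructed sample of a plaintext HTTP/1.1 request (not a real capture).
HTTP_REQUEST = (
    b"GET /agent/checkin HTTP/1.1\r\n"
    b"Host: agent.monitoring.example.com\r\n"
    b"User-Agent: rmm-agent/1.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed stand-in for the first bytes of an HTTPS session: a TLS record
# header (content type 0x16 = handshake, version 3.1, length 0x4a) followed by
# an opaque handshake body. The HTTP Host header of an HTTPS request lives inside
# the encrypted application data that follows the handshake, so nothing in this
# byte stream carries a readable hostname header.
TLS_RECORD = bytes.fromhex("160301004a01000046") + bytes(0x46)

# Hypothetical pass rules in the style of the thread's "HTTP: Hostname" condition.
PASS_RULES = ["*.monitoring.example.com", "portal.example.com"]


def http_hostname(payload: bytes) -> Optional[str]:
    """Return the Host header value if payload starts with a plaintext HTTP
    request, otherwise None (anything non-HTTP, TLS included, yields None)."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0] or None  # drop an explicit :port suffix
    return None


def matches_pass_rule(hostname: str, rules) -> bool:
    """Case-insensitive glob match, so '*.monitoring.example.com' covers any
    subdomain of monitoring.example.com."""
    return any(fnmatch.fnmatchcase(hostname.lower(), r.lower()) for r in rules)


def classify(payload: bytes, rules=PASS_RULES) -> str:
    """'pass' when a readable hostname matches a pass rule, else 'capture'
    (the session would hit the Capture All rule and require authentication)."""
    host = http_hostname(payload)
    if host is None:
        return "capture"
    return "pass" if matches_pass_rule(host, rules) else "capture"


if __name__ == "__main__":
    print("HTTP request :", http_hostname(HTTP_REQUEST), "->", classify(HTTP_REQUEST))
    print("TLS record   :", http_hostname(TLS_RECORD), "->", classify(TLS_RECORD))
```

    Running it shows the HTTP request passing on the wildcard rule and the TLS record being captured, which is exactly the behaviour the original poster observed: the agent's port 443 traffic never produces a hostname the rule can see.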

  3. #3
    Newbie
    Join Date
    Jan 2019
    Posts
    3

    Well that makes perfect sense, thanks for the clarification.

    Couldn't we use the SSL Inspector to decrypt this traffic in order to make the headers readable to the Captive Portal? Is that correct?
    Last edited by bhimel; 01-11-2019 at 08:52 AM. Reason: clarity

  4. #4
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,671

    Yes, but only if your target hosts trust the Untangle CA. That means pushing a fresh certificate into a rather sensitive place of the certificate store on those machines. And even then, there's Firefox, which uses its own store rather than relying on Windows, and certificate pinning will also defeat you on occasion.
    Last edited by jcoehoorn; 01-11-2019 at 09:54 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.1.1 to protect 500Mbits for ~400 residential college students and associated staff and faculty

  5. #5
    Newbie
    Join Date
    Jan 2019
    Posts
    3

    When you refer to the 'target host' you are referring to the local device, correct?

    Pardon my ignorance on the certificates, but is there any significant risk to installing the cert from the Untangle device on the individual workstations? Don't we need to do that anyway in order to silence the browser security warnings?

  6. #6
    Untangler
    Join Date
    Aug 2016
    Posts
    54

    Yes, the local device.

  7. #7
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,671

    Quote Originally Posted by bhimel View Post
    When you refer to the 'target host' you are referring to the local device, correct?
    Yes, that's correct.

    Quote Originally Posted by bhimel View Post
    Pardon my ignorance on the certificates, but is there any significant risk to installing the cert from the Untangle device on the individual workstations?
    Depends on how you do it. If you control the machines and can install the certificate yourself, there's no issue. If you're asking end users to do this, many of them may not be able to do it at all (it requires administrator access on the machine), and even for those that can do it, it sets really bad expectations. I really don't want end users thinking it's okay to mess around and add any odd certificate to the store. There's nothing technically dangerous here, but it's a direct attack on the weakest link of your security: your user behavior.

    Quote Originally Posted by bhimel View Post
    Don't we need to do that anyway in order to silence the browser security warnings?
    No. Everything but SSL Inspector uses the same certificate in Untangle, and you can replace this certificate with one provided by a certificate authority that's already trusted by the major platforms, such as DigiCert or Comodo. I'm looking forward to eventual Let's Encrypt support.
    Last edited by jcoehoorn; 01-24-2019 at 07:39 AM.
