  1. #1
    Newbie
    Join Date
    Jan 2019
    Posts
    3

    Captive Portal Pass Rules

    Device is in-line, between LAN and a separate firewall, and is in bridged mode. The device is going to be used to authenticate and track web usage only.

    I am trying to configure the Captive Portal but I need to pass certain web traffic through without authentication. For anything with a known IP or Port, the pass rules work just fine. We use agent based remote monitoring software that uses web (both 80 and 443) traffic to communicate between the agent and the web portal so we need to pass certain web traffic without authenticating.

    I have created pass rules using the HTTP: Hostname condition but the traffic is still being blocked by the Capture All rule (the pass rules are above the Capture All rule). When I look at the 'All Session Events' under the Captive portal it only lists IP addresses. I can see the hostnames in the Web Monitor events log and the pass rules appear to match up but I may have made some incorrect assumptions on the syntax.

    So my questions are:

    1. Is it possible to pass specific hostnames for the monitoring agent but still require authentication for general web browsing?

    2. If #1 is yes, is HTTP: Hostname the correct condition to use and is the wildcard (*) allowed? (ie *.domain.com)

    Thanks.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,648


    1) Yes, but beware that's only going to work with *HTTP* traffic, not HTTPS, because you can't see the hostname header of HTTPS traffic.
    The modern web is mostly HTTPS.

    2) Yes, for HTTP.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
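To make the answer above concrete, here is an added example (not Untangle's code and not part of the thread) that runs the two kinds of agent traffic from the first post through a hostname-style pass rule. It parses the Host header out of a plaintext HTTP request and shows that the same hostname is not recoverable from the HTTP layer of an HTTPS connection: the Host header sits inside the encrypted stream, so a rule that keys on it can only ever see port-80 traffic. The example goes one step beyond the thread by also extracting the TLS server_name (SNI) from the ClientHello, which is the only hostname a bridge can read on port 443 without decrypting; the thread does not say whether Untangle's HTTP: Hostname condition uses it, so treat that as background, not as a description of the product. The hostname, the request bytes, the ClientHello and the glob-style wildcard semantics of the pass rule are all constructed assumptions for the illustration.

```python
"""Added example (not Untangle's own code): why a hostname-based pass rule
matches plaintext HTTP but not HTTPS, and how to verify it on raw bytes.

Hostnames, the request and the ClientHello below are all constructed here."""
import struct
from fnmatch import fnmatchcase


def http_host(data: bytes):
    """Host header of a plaintext HTTP request, or None if this is not one."""
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            try:
                return value.strip().decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


def tls_sni(data: bytes):
    """server_name from a TLS ClientHello, or None. The HTTP Host header is
    never here: it sits inside the encrypted application data that follows."""
    try:
        if data[0] != 0x16:                            # record type: handshake
            return None
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                              # handshake type: ClientHello
            return None
        p = 4 + 2 + 32                                 # header, client_version, random
        p += 1 + hs[p]                                 # session id
        p += 2 + struct.unpack(">H", hs[p:p + 2])[0]   # cipher suites
        p += 1 + hs[p]                                 # compression methods
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            body = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != 0:                             # 0 = server_name extension
                continue
            q = 2                                      # skip server_name_list length
            while q + 3 <= len(body):
                ntype = body[q]
                nlen = struct.unpack(">H", body[q + 1:q + 3])[0]
                name = body[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                         # host_name
                    return name.decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def pass_rule_matches(pattern: str, host: str) -> bool:
    """Glob-style match, e.g. '*.monitor.example'. Assumed semantics for the
    illustration; the thread does not document Untangle's exact wildcard rules."""
    return fnmatchcase(host.lower(), pattern.lower())


def captive_portal_decision(data: bytes, pass_patterns) -> str:
    """'pass' if a Host-header rule can see a matching hostname, otherwise
    'capture' (what the Capture All rule does to everything else)."""
    host = http_host(data)
    if host is not None and any(pass_rule_matches(p, host) for p in pass_patterns):
        return "pass"
    return "capture"


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello whose only extension is SNI."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni = struct.pack(">H", len(entry)) + entry
    exts = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                   # client_version, random (zeros)
            + b"\x00"                                 # empty session id
            + b"\x00\x02\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                             # null compression
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed sample flows from a monitoring agent: one on port 80, one on 443.
AGENT_HTTP = (b"GET /agent/checkin HTTP/1.1\r\n"
              b"Host: agent.monitor.example\r\nUser-Agent: rmm-agent/1.0\r\n\r\n")
AGENT_TLS = build_client_hello("agent.monitor.example")
PASS_RULES = ["*.monitor.example"]

if __name__ == "__main__":
    for label, flow in (("port 80", AGENT_HTTP), ("port 443", AGENT_TLS)):
        print(label, "| Host header:", http_host(flow), "| SNI:", tls_sni(flow),
              "| decision:", captive_portal_decision(flow, PASS_RULES))
```

Running it shows the port-80 check-in passing on its Host header while the port-443 check-in to the same hostname is captured, even though the SNI carries that hostname in the clear. The practical consequence for the setup in the first post is that an agent which talks HTTPS cannot be exempted by an HTTP-layer hostname condition; it needs a rule on something visible at the IP/TCP layer, or decryption.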

  3. #3
    Newbie
    Join Date
    Jan 2019
    Posts
    3


    Well that makes perfect sense, thanks for the clarification.

    Couldn't we use the SSL Inspector to decrypt this traffic in order to make the headers readable to the Captive Portal. Is that correct?
    Last edited by bhimel; 01-11-2019 at 08:52 AM. Reason: clarity

  4. #4
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,616


    Yes, but only if your target hosts trust the Untangle CA. That means pushing a fresh certificate into a rather sensitive place of the certificate store on those machines. And even then, there's Firefox, which uses its own store rather than relying on Windows, and certificate pinning will also defeat you on occasion.
    Last edited by jcoehoorn; 01-11-2019 at 09:54 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.0 to protect 700Mbits for ~400 residential college students and associated staff and faculty
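The three obstacles in the reply above (the machine root store, Firefox's separate store, and pinning) map onto a short workstation check. The following is an added example written for this thread, not Untangle's deployment script and not something the thread supplies: it reads the inspector's root CA from a file, checks whether the local machine already trusts it, imports it into the Trusted Root store if not, and turns on the Firefox enterprise-roots policy so Firefox honours the Windows store instead of needing a per-profile import. The file path is an assumption (export the CA from the device yourself); the policy file is written fresh, so merge by hand if you already deploy a `policies.json`. Run it elevated.

```powershell
# Added example, not from the thread or from Untangle: verify (and, if missing,
# install) the inspector's root CA on a Windows workstation, and let Firefox use
# the Windows store. The CA path below is an assumption.
param(
    [string]$CaPath = "C:\deploy\untangle-root.crt"   # assumed export location
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaPath
"CA subject: $($ca.Subject)  thumbprint: $($ca.Thumbprint)"

# 1. Is it already a trusted root for the machine (all users, every Schannel/CryptoAPI client)?
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $trusted) {
    # This is the 'rather sensitive place': after this, anything signed by the
    # key behind this certificate is trusted by every Windows TLS client on the box.
    Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Installed into LocalMachine\Root"
} else {
    "Already trusted by LocalMachine\Root"
}

# 2. Firefox keeps its own store. The ImportEnterpriseRoots policy makes it also
#    accept roots from the Windows store, so no per-profile certificate import is needed.
$firefoxDir = Join-Path $env:ProgramFiles "Mozilla Firefox"
if (Test-Path $firefoxDir) {
    $policyDir  = Join-Path $firefoxDir "distribution"
    $policyFile = Join-Path $policyDir "policies.json"
    New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
    @{ policies = @{ Certificates = @{ ImportEnterpriseRoots = $true } } } |
        ConvertTo-Json -Depth 4 | Set-Content -Path $policyFile -Encoding ASCII
    "Wrote $policyFile"
} else {
    "Firefox not installed here; nothing to do"
}

# 3. Pinning cannot be fixed on the client: a pinned application or site will
#    still reject the inspector's certificate, so that destination has to be
#    excluded from inspection on the device instead.
```

Because the import is machine-wide, the same check is worth running again after any reimage or certificate rotation on the device: a stale root means every inspected HTTPS site starts failing with a trust error, which is exactly the warning the last poster wants to silence.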

  5. #5
    Newbie
    Join Date
    Jan 2019
    Posts
    3


    When you refer to the 'target host' you are referring to the local device, correct?

    Pardon my ignorance on the certificates, but is there any significant risk to installing the cert from the Untangle device on the individual workstations? Don't we need to do that anyway in order to silence the browser security warnings?
