Hello Rashid,
I am glad some of that information worked for you.
Regarding the Authentication breaking some of the things, it's no surprise, as not all of the applications are OK with a man in the middle performing the Auth; some of those apps do have higher security settings than others, so you would need to disable the Auth for those specific applications by finding out what URL destinations are required for those apps to operate (policy trace) and then just disable Auth for them.
But for the rest of the destinations make sure you do use the Form Based Auth, as the hand devices don't understand NTLM or Kerberos etc.; it has to be basic Auth with a form.
You are correct: if you decide to go transparent, that would save some time from configuring the Explicit settings on each phone, but would still add more work, as you would need to install the Proxy's SSL Decryption Certificate or its CA into each phone, and then you will be dealing with SSL Decryption issues instead of the Auth issues etc. Catch-22 there.
I would stay with Explicit if you have the option to change the explicit setting on the hand devices; this simplifies things a lot.
Good luck to you.
Slava.
Original Message:
Sent: 10-13-2020 07:22 AM
From: sohail rashid
Subject: Explicit Proxy for Mobile Devices
Hello Slava,
Thank you so much for the detailed and clear response. So I created a separate SSID and subnet for mobile devices. In each mobile device, in the wifi settings, I configured the Explicit Proxy IP (proxy IP, port 8080, username and password). Then I configured a script in the policy file as "detect_protocol(none) authenticate(no)" "ssl.forward_proxy(no)" for the new subnet. It worked as expected. But since the authentication is bypassed I cannot generate reports, like internet usage by each user, applying policy on each user, etc. So I enabled the authentication. But some of the applications are not working after enabling authentication. For example, I just checked and Instagram is not working. Maybe in the coming days I will go for the transparent proxy option, but that would require some configuration on the switch I think. Thanks again for the great response.
Original Message:
Sent: 10-08-2020 11:27 AM
From: Slava Vasilasco
Subject: Explicit Proxy for Mobile Devices
Hello Rashid,
What do you mean here exactly? Please expand on this with more technical terms: "we forward the traffic to proxy from mobile devices (By setting in mobile phones)".
a. Are you simply connecting the mobile phones to an AP that has its traffic routed through the proxy?
b. Or do you have each mobile device's wifi settings configured with the Explicit Proxy IP?
If a., then you have the following options. This means that the user traffic is coming into the proxy Transparently.
1. Separate the Mobile devices Wifi from the (corporate) laptops Wifi by having a separate SSID and DHCP server for the Mobile devices, thus placing the mobile devices on a different subnet; then on the proxy you can apply specific policies based on a subnet, say disable Authentication and Decryption.
2. If you do want to do Authentication for mobile devices, you will need to perform SSL Interception for the mobile device traffic. This will require you to install the SSL Certificate used for Decryption, or the Root CA that signed this Cert, into every hand device inside the Trusted Root CA directory. This will fix the Certificate Error issue and will have the proxy decrypt the traffic, thus allowing the proxy to perform Authentication for these devices. You will have to create a separate Policy and use the Form Based Authentication for the subnet that the Mobile users are coming from, assuming that you have made the separation.
If "b", then you have the following options. This means that the users' traffic is coming to the proxy Explicitly.
1. Separate the Mobile devices Wifi from the (corporate) laptops Wifi by having a separate SSID and DHCP server for the Mobile devices, thus placing the mobile devices on a different subnet; then on the proxy you can apply specific policies based on a subnet, say disable Authentication and Disable Decryption etc. But should you want to enable Authentication for mobile devices, then for the subnet you can enable Authentication using a Form Based Auth (Basic); this will bring a web page asking for AD credentials.
2. Or keep both the laptops and the mobile devices on the same subnet, and enable Form Based Auth for both, and disable SSL Interception.
3. Or create a new Virtual IP, then configure a new Explicit HTTP Service Listener using the new virtual IP. You can then configure the Mobile Phones' Explicit settings to point to the Proxy Virtual IP; then you can build policies based on the Explicit IP that the mobile users explicitly connect to in order to get to the proxy.
4. Or on the Proxy you can use the user agent string as a condition to build policies: you can create a condition with all of the Mobile and Hand Devices' user Agents and apply actions like Authenticate or don't, SSL intercept or don't, allow/deny, etc. If the traffic is explicit, then the CONNECT request is in the clear and does provide the proxy with the User agent string for the HTTPS traffic without decryption, and that is nice.
Bottom line is, your options are starting to become available once you have separated the two, laptops from mobile networks, so the proxy can see them coming from two different subnets.
I hope this helps.
Slava
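The subnet, explicit-listener, User-Agent and auth-exemption approaches discussed in this thread, sketched as a ProxySG/ASG CPL policy; this is an added example, not policy from the thread or from Broadcom. The mobile subnet 10.20.30.0/24, the listener VIP 10.0.0.50, the realm name "mobile_form" and the exempt domain are assumed placeholders, and `authenticate.mode(form_ip)` is one form-based mode I believe exists; confirm it against your release's CPL reference.

```cpl
; Added example (not from the thread): CPL sketch of the options above.
; Assumed values: mobile subnet 10.20.30.0/24, listener VIP 10.0.0.50,
; realm "mobile_form"; the exempt domain is a placeholder to be filled
; from a policy trace of the application that breaks under auth.

define subnet mobile_subnet
    10.20.30.0/24
end

; Handsets recognised by User-Agent; the CONNECT request carries it in the clear
define condition mobile_user_agents
    request.header.User-Agent="(iPhone|Android)"
end

; Destinations the app needs that reject an auth challenge (from policy trace)
define condition auth_exempt_destinations
    url.domain=placeholder-app.invalid
end

<SSL-Intercept>
    ; Option a/1: do not decrypt mobile traffic, so no cert to deploy on phones
    client.address=mobile_subnet ssl.forward_proxy(no)

<Proxy>
    ; Exemptions first: within a layer the first matching rule wins
    condition=auth_exempt_destinations authenticate(no)
    ; Option b/1: mobile subnet gets form-based auth (handsets cannot do NTLM/Kerberos)
    client.address=mobile_subnet authenticate(mobile_form) authenticate.mode(form_ip)
    ; Option b/3: same treatment keyed on the explicit listener VIP phones point at
    proxy.address=10.0.0.50 authenticate(mobile_form) authenticate.mode(form_ip)
    ; Option b/4: handsets identified by User-Agent even on a shared subnet
    condition=mobile_user_agents authenticate(mobile_form) authenticate.mode(form_ip)
```

Run a policy trace against a failing app before adding to `auth_exempt_destinations`, and keep that list to the exact domains the app needs so the rest of the subnet still authenticates.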
Original Message:
Sent: 10-06-2020 01:59 AM
From: sohail rashid
Subject: Explicit Proxy for Mobile Devices
We have an ASG-S200-30 as an explicit forward proxy. Both mobiles and laptops in our org are connected through the same network / SSID. The problem is, when we forward the traffic to the proxy from mobile devices (by setting it in the mobile phones), it gives authentication and certificate errors. How are you treating traffic from mobile devices in the proxy?