Solved

Password protect websites with watchguard

Posted on 2010-08-16
Last Modified: 2012-08-13
I would like to limit access to some websites for certain staff. Is there a way to only allow access to certain websites using a user name and password? Our firewall is a WatchGuard. How would I do this?
0
Comment
Question by:stevek65
26 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33451715
Yes this is possible.

Please have a look at one of the previous answers of mine and update if you need any more specific configuration details:
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Watchguard_Firewall/Q_26176879.html

Thank you.
0
 

Author Comment

by:stevek65
ID: 33454077
I am trying to allow only certain teachers to Facebook and YouTube. Any ideas?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33455188
Create one new HTTP service [other than the existing one]; configure as below:
Enabled and allowed; from static-ip-of-teacher's-machines; to public-ip-of-all-websites

If the machines are not on static IP then add user [either local or from external server]; and configure the service as below:
Enabled and allowed; from username-groupname-for-teachers; to public-ip-of-all-websites

Thank you.
0

 

Author Comment

by:stevek65
ID: 33456120
I think I have the policy created; where do I get the Java applet from?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33461461
Go to the following address to open the Java applet for authentication:
https://internal-ip-of-wg:4100 [or would be http based on WG software]

Please let me know if you need more details.

Thank you.
0
 

Author Comment

by:stevek65
ID: 33464381
I am going to https://191.168.0.1:4100/, which is the IP of our internal WatchGuard, and I get unable to connect.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33476436
What is the version of WG software that you are running, and also the model of Firebox?
0
 

Author Comment

by:stevek65
ID: 33476542
10.2
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33476867
Go to Policy Manager; edit the WatchGuard Authentication policy (WG-Auth); ensure that for "WG-Auth connections are", Allowed is selected; From should contain Any; To should contain Firebox [if the policy itself is missing then add it].
Finally you should have created either local users or enabled extended authentication and added users/groups.

If yes, then http://internal-ip:4100 should get a response.

Just a check, you are using 191.168.0.1 and not 192.168.0.1 internally; right?

Thank you.
0
 

Author Comment

by:stevek65
ID: 33485528
That did not work.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33485929
Some details rather than one-liners would really help. If you can post a few sanitized logs or a sanitized screenshot, that would help with troubleshooting.

Thank you.
0
 

Author Comment

by:stevek65
ID: 33487184
Now I get the firewall login. Now what do I do? I did create a user in the firewall but there is no password.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33487310
As you have not configured any password; log on to the applet with the username and click OK; you should get authenticated successfully.

Try to access a restricted site; you should not be able to gain access.

Create a new HTTP service, configure as:
Enabled and allowed; from group-or-username; to restricted-website-public-ip

Save to Firebox.

Now log on to the Java applet again; try to access the restricted website; access should be granted.

Thank you.
0
 

Author Comment

by:stevek65
ID: 33487379
Could I just put enabled from group to any?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33487403
Yes you can.
0
 

Author Comment

by:stevek65
ID: 33487439
Once I get authenticated, I type in the URL www.youtube.com and it gives me denied by WatchGuard.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33487503
If you go to the Authentication List tab of Firebox System Manager, you should see the user listed. Is it the same user you have added in the service?

Can you post the sanitized screenshot of the service you have created?
0
 

Author Comment

by:stevek65
ID: 33487586
In the WatchGuard Authentication policy (WG-Auth); From contains Any-Trusted, Any-Optional
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33487641
No; you need to grant access using some policy; e.g., if you wish to allow web traffic then use the HTTP service; you can also create a custom service depending on the traffic you wish to allow.
0
 

Author Comment

by:stevek65
ID: 33487681
I did create a policy. You said the wg-auth should have from any.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33487770
WG-Auth is for getting the Java applet; whereas the policy would allow resource to the authorized users.

Any-Trusted, Any-Optional is also fine; it means you are only allowing access to the Java applet from behind the Firebox, be it on trusted or optional interfaces.
0
 

Author Comment

by:stevek65
ID: 33487809
Here is the policy that I created
one.jpg
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33488422
The policy looks good; do you see the user [which would be part of group Staff] listed in the authentication tab, as I asked earlier?
0
 

Author Comment

by:stevek65
ID: 33488465
Yes I do.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 1000 total points
ID: 33488501
And you are only trying to access the website which has these IPs; how about if you browse by IP instead; what do you see?
If you are able to hit Google then it means that when your machine does DNS resolution for Google it is using an IP other than the 4 listed above.

Enable logging on the current HTTP service and this new HTTP service; look at Traffic Monitor and see through which policy the traffic is allowed.

It looks to me like the traffic is going out through the existing service and not the new service you created.

Thank you.
0
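The DNS check suggested in the accepted answer, as an added example that is not part of the original thread: it resolves each hostname and reports the addresses that the policy's "To" list does not match. The hostnames, the addresses (documentation ranges) and the function names are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample data (documentation address ranges, hypothetical hostnames).
# POLICY_TO stands in for the four addresses in the policy's "To" list.
POLICY_TO = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
SAMPLE_DNS = {
    "video.example": {"203.0.113.10", "198.51.100.7"},
    "social.example": {"203.0.113.12"},
}


def resolve_ipv4(hostname):
    """Return the IPv4 addresses the local resolver currently gives for hostname."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def uncovered_addresses(resolved, policy_destinations):
    """Return the resolved addresses that no "To" entry (host IP or CIDR) matches."""
    networks = [ipaddress.ip_network(e, strict=False) for e in policy_destinations]
    missing = [
        addr for addr in resolved
        if not any(ipaddress.ip_address(addr) in net for net in networks)
    ]
    return sorted(missing, key=ipaddress.ip_address)


def check_policy(hostnames, policy_destinations, resolver=resolve_ipv4):
    """Map each hostname to its resolved addresses and those the policy misses."""
    report = {}
    for name in hostnames:
        try:
            resolved = resolver(name)
        except socket.gaierror as exc:
            report[name] = {"resolved": [], "uncovered": [], "error": str(exc)}
            continue
        report[name] = {
            "resolved": sorted(resolved, key=ipaddress.ip_address),
            "uncovered": uncovered_addresses(resolved, policy_destinations),
        }
    return report


if __name__ == "__main__":
    # Offline run against the constructed answers; drop the resolver argument
    # to query live DNS from a machine behind the firewall.
    result = check_policy(SAMPLE_DNS, POLICY_TO, resolver=SAMPLE_DNS.__getitem__)
    for host, info in result.items():
        print(host, "resolved:", info["resolved"], "not in policy:", info["uncovered"])
```

Any address listed as not in the policy is one the new HTTP service does not match, so that traffic is handled by whichever other policy applies.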
 

Author Comment

by:stevek65
ID: 33627795
Did not get resolved.
0


Question has a verified solution.
