Password protect websites with WatchGuard

I would like to limit access to some websites for certain staff. Is there a way to only allow access to certain websites using a user name and password? Our firewall is a WatchGuard. How would I do this?
stevek65 Asked:

dpk_wal Commented:
Yes this is possible.

Please have a look at one of the previous answers of mine and update if you need any more specific configuration details:
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Watchguard_Firewall/Q_26176879.html

Thank you.
0
stevek65 Author Commented:
I am trying to allow only certain teachers to Facebook and YouTube. Any ideas?
0
dpk_wal Commented:
Create one new HTTP service [other than the existing one]; configure as below:
Enabled and allowed; from static-ip-of-teacher's-machines; to public-ip-of-all-websites

If the machines are not on static IP then add user [either local or from external server]; and configure the service as below:
Enabled and allowed; from username-groupname-for-teachers; to public-ip-of-all-websites

Thank you.
0

stevek65 Author Commented:
I think I have the policy created. Where do I get the Java applet from?
0
dpk_wal Commented:
Go to the following address to open the Java applet for authentication:
https://internal-ip-of-wg:4100 [or would be http based on WG software]

Please let me know if you need more details.

Thank you.
0
stevek65 Author Commented:
I am going to https://191.168.0.1:4100/, which is the IP of our internal WatchGuard, and I get "unable to connect".
0
dpk_wal Commented:
What is the version of WG software that you are running, and also the model of the Firebox?
0
stevek65 Author Commented:
10.2
0
dpk_wal Commented:
Go to Policy Manager; edit the WatchGuard Authentication policy (WG-Auth); ensure that for "WG-Auth connections are", Allowed is selected; From should contain Any; To should contain Firebox [if the policy itself is missing then add it].
Finally, you should have created either local users or enabled extended authentication and added users/groups.

If yes, then http://internal-ip:4100 should get a response.

Just a check, you are using 191.168.0.1 and not 192.168.0.1 internally; right?

Thank you.
0
stevek65 Author Commented:
That did not work.
0
dpk_wal Commented:
Some details rather than one-liners would really help. If you can post a few sanitized logs or a sanitized screenshot, that would help with troubleshooting.

Thank you.
0
stevek65 Author Commented:
Now I get the firewall login. Now what do I do? I did create a user in the firewall but there is no password.
0
dpk_wal Commented:
As you have not configured any password, log on to the applet with the username and click OK; you should get authenticated successfully.

Try to access a restricted site; you should not be able to gain access.

Create a new HTTP service, configure as:
Enabled and allowed; from group-or-username; to restricted-website-public-ip

Save to Firebox.

Now log on to the Java applet again; try to access the restricted website; access should be granted.

Thank you.
0
stevek65 Author Commented:
Could I just put enabled from group to any?
0
dpk_wal Commented:
Yes you can.
0
stevek65 Author Commented:
Once I get authenticated, I type in the URL www.youtube.com and it gives me "denied by WatchGuard".
0
dpk_wal Commented:
If you go to the Authentication List tab of Firebox System Manager, you should see the user listed. Is it the same user you have added in the service?

Can you post the sanitized screenshot of the service you have created?
0
stevek65 Author Commented:
In the WatchGuard Authentication policy (WG-Auth), From contains Any-Trusted, Any-Optional.
0
dpk_wal Commented:
No; you need to grant access using some policy; e.g. if you wish to allow web traffic then use the HTTP service; you can also create a custom service depending on the traffic you wish to allow.
0
stevek65 Author Commented:
I did create a policy. You said the WG-Auth should have From Any.
0
dpk_wal Commented:
WG-Auth is for getting the Java applet, whereas the policy would allow resources to the authorized users.

Any-Trusted, Any-Optional is also fine; it means you are only allowing access to the Java applet from behind the Firebox, be it on trusted or optional interfaces.
0
stevek65 Author Commented:
Here is the policy that I created
one.jpg
0
dpk_wal Commented:
The policy looks good; do you see the user [which would be part of group Staff] listed in the authentication tab as I asked earlier?
0
stevek65 Author Commented:
Yes I do.
0
dpk_wal Commented:
And you are only trying to access the website which has these IPs; how about if you browse by IP instead; what do you see?
If you are able to hit google then it means that when your machine does DNS resolution for google it is using an IP other than the 4 listed above.

Enable logging on the current HTTP service and this new HTTP service; look at traffic monitor and see through which policy the traffic is allowed.

It looks to me like the traffic is going out through the existing service and not the new service you created.

Thank you.
0
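Added example, not part of the original thread: a small check for the situation described in the answer above, where a hostname resolves to addresses that are not in the policy's To list, so the per-user policy never matches. The function names, hostnames and addresses are hypothetical; the sample data is constructed from documentation ranges.

```python
import ipaddress
import socket

def resolve(host):
    """Live lookup helper (not called below): every address the resolver returns."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def uncovered_addresses(policy_to, resolved):
    """Map each hostname to the resolved addresses that the policy's
    To list (single IPs or CIDR ranges) does not cover."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in policy_to]
    gaps = {}
    for host, addrs in resolved.items():
        # An IPv6 answer is never inside an IPv4 entry, so it is reported too.
        missed = [a for a in addrs
                  if not any(ipaddress.ip_address(a) in n for n in nets)]
        if missed:
            gaps[host] = missed
    return gaps

# Constructed sample: the To list typed into the policy ...
POLICY_TO = ["203.0.113.10", "203.0.113.11", "198.51.100.0/28"]
# ... and the union of answers seen over several DNS lookups from a client.
RESOLVED = {
    "video.example": ["203.0.113.10", "203.0.113.57", "2001:db8::15"],
    "social.example": ["198.51.100.5", "198.51.100.9"],
}

if __name__ == "__main__":
    for host, missed in uncovered_addresses(POLICY_TO, RESOLVED).items():
        print(f"{host}: not covered by policy To list: {', '.join(missed)}")
```

Any address reported here is one a browser may connect to without matching the user-specific policy, which is consistent with traffic being handled by a different policy in the traffic monitor.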

stevek65 Author Commented:
Did not get resolved.
0