Solved

SonicWall won't forward web proxy login

Posted on 2010-11-21
Last Modified: 2012-05-10
My customer uses an outside web proxy provider that has two methods of authenticating users: 'IP Range Authentication' and 'Explicit User Authentication'. Up until recently, this customer has just wanted to apply a single default web policy to all users, so we enabled 'IP Range Authentication' on the proxy service provider's console, provided the outside IP of the SonicWALL router, and configured the 'Web Proxy' option in the SonicWall (TZ 190 running SonicOS Enhanced 3.6.0.1-23e) to forward all web traffic to the provider's server (port 8080), which meant we didn't have to bother with all the proxy settings on the individual stations. This has worked just fine until now that the customer would like to have more granular control and reporting.

So the problem is that we switched from 'IP Range' to 'Explicit User Authentication', but for some reason the login prompt from the proxy server doesn't come up when a user opens their browser. Instead it's a 'Cache Access Denied' error page coming from the proxy server (squid). I first thought it was a problem on the service provider's end, but I found that if I enable the proxy server on a machine inside the network instead of the Web Proxy page on the SonicWall it seems to work fine (i.e. the login dialog box comes up when a user opens the browser, enters their username and password, and can continue to browse the Internet).

Something important to note: I'm aware that an LDAP-integrated solution is better in some circumstances, but aside from the fact that this form of authentication is what the customer wants, they are also in the middle of a domain migration from an underdeveloped Active Directory. This is also why I'm not going to just be able to set up a simple group policy, as they have several thin clients that aren't even members of any domain yet. The web proxy forward mechanism on the SonicWall works well to solve this problem, but for some reason won't pass the login dialog prompt on to the user when we enable it on the proxy server.

In an effort to get something going I actually tried enabling the Premium CFS filter on the SonicWall to see if I could just move filtration to it to get around the problem, but found a totally new problem in that when I enable it on the SonicWall for some reason it seems to do nothing at all - no dialog prompt but no error either... just lets you browse the Internet as though there's no filter or authentication mechanisms at all.
Question by:ajahnke
15 Comments
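The symptom in the question (a login dialog when the browser itself is pointed at the proxy, a 'Cache Access Denied' page when the firewall forwards the traffic instead) is consistent with how HTTP proxy authentication works: a proxy asks for credentials with a 407 Proxy Authentication Required response, and a browser only answers a 407 when it knows it is talking to a proxy. A client whose traffic was redirected by a firewall believes it is talking to the origin server, so it simply renders the proxy's error page. The following Python model is an added example, not code from the thread or from SonicWall or Squid; the credential store, the proxy logic and the error text handling are constructed for illustration (the 'Cache Access Denied' body text is the one reported in the question).

```python
"""Model of why a proxy login prompt appears for an explicitly configured
proxy but not when traffic is silently forwarded to that proxy.

Added example for illustration; not SonicWall or Squid code."""
import base64

# Constructed credential store for the illustration (not real accounts).
PROXY_USERS = {"alice": "s3cret"}


def build_request(url, proxy_configured, credentials=None):
    """Build the request a browser would send for `url`.

    Explicitly configured proxy: absolute-URI request line, plus a
    Proxy-Authorization header once the user has entered credentials.
    No proxy configured (traffic redirected by the firewall): origin-form
    request line with a Host header; the browser has no idea a proxy exists.
    """
    parts = url.split("/")
    host = parts[2]
    path = "/" + "/".join(parts[3:])
    headers = {"Host": host}
    if proxy_configured:
        request_line = f"GET {url} HTTP/1.1"
        if credentials:
            user, password = credentials
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            headers["Proxy-Authorization"] = f"Basic {token}"
    else:
        request_line = f"GET {path} HTTP/1.1"
    return request_line, headers


def proxy_respond(request_line, headers):
    """Simplified proxy that requires explicit user authentication.

    Returns (status, response_headers, body). Without valid credentials it
    answers 407 with a Proxy-Authenticate challenge, as a Squid cache with
    an auth helper would (the body text follows the question's report).
    """
    auth = headers.get("Proxy-Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, password = None, None
        if user is not None and PROXY_USERS.get(user) == password:
            return 200, {}, "OK"
    return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}, "Cache Access Denied"


def browse(url, proxy_configured, credentials):
    """Drive one browser session.

    Returns (final_status, body, prompt_shown). The login prompt is only
    shown when the client is configured for a proxy and receives a 407.
    """
    req_line, hdrs = build_request(url, proxy_configured)
    status, _, body = proxy_respond(req_line, hdrs)
    if status != 407:
        return status, body, False
    if not proxy_configured:
        # The client thinks it reached the origin server; a 407 from an
        # "origin" is not something it will authenticate to, so the error
        # page is displayed as-is.
        return status, body, False
    # Explicit proxy: the 407 triggers the login dialog and a retry.
    req_line, hdrs = build_request(url, True, credentials)
    status, _, body = proxy_respond(req_line, hdrs)
    return status, body, True


if __name__ == "__main__":
    creds = ("alice", "s3cret")
    print("explicit proxy  :", browse("http://example.com/", True, creds))
    print("forwarded       :", browse("http://example.com/", False, creds))
```

The practical check this suggests: if the proxy provider requires per-user logins, the client must be configured for the proxy (browser settings, PAC file or a GPO, which is the workaround the author eventually used); firewall access rules and NAT policies do not change what the browser does with a 407.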
 

Author Comment

by:ajahnke
ID: 34185659
After looking at the SonicWall logs I see that every time I make a web request and get that error, the following entry is logged, in which the source is the wan-side proxy server and the destination is the inside client IP address. Looks like this is where the login is dying (maybe?):

Message
TCP connection dropped

Source
OUTSIDE IP, 8080, WAN

Destination
INSIDE IP, 57948 (NAT Port), LAN


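To turn the log entry above into something that can be checked over time rather than read one event at a time, the following Python script parses SonicWall-style key=value syslog lines and lists every 'TCP connection dropped' event whose source is the external proxy on port 8080 and whose destination is a LAN client. This is an added example, not code from the thread: the sample lines are constructed (RFC 5737 documentation addresses, placeholder serial number), and the field names `msg`, `src`, `dst` and the `ip:port:interface` layout are assumed to match the SonicOS syslog format rather than copied from this firewall's output.

```python
"""Find firewall drop events from an external proxy toward LAN clients.

Added example; the log lines below are constructed and the key=value
field layout is an assumption about the SonicOS syslog format."""
import re
from collections import Counter

# key=value pairs, with values either double-quoted or unquoted tokens.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = [
    'id=firewall sn=SN-PLACEHOLDER time="2010-11-22 09:15:01" fw=203.0.113.10 pri=5 '
    'msg="TCP connection dropped" src=198.51.100.20:8080:X1 dst=192.168.1.50:57948:X0 proto=tcp/8080',
    'id=firewall sn=SN-PLACEHOLDER time="2010-11-22 09:15:03" fw=203.0.113.10 pri=6 '
    'msg="Connection Opened" src=192.168.1.50:57949:X0 dst=198.51.100.20:8080:X1 proto=tcp/8080',
    'id=firewall sn=SN-PLACEHOLDER time="2010-11-22 09:15:04" fw=203.0.113.10 pri=5 '
    'msg="TCP connection dropped" src=198.51.100.20:8080:X1 dst=192.168.1.51:49211:X0 proto=tcp/8080',
    'id=firewall sn=SN-PLACEHOLDER time="2010-11-22 09:16:10" fw=203.0.113.10 pri=5 '
    'msg="TCP connection dropped" src=192.0.2.7:443:X1 dst=192.168.1.50:57950:X0 proto=tcp/443',
]


def parse_line(line):
    """Parse one key=value syslog line into a dict.

    `src` and `dst` are additionally split into *_ip, *_port and *_iface
    so callers can filter on endpoints without re-parsing strings.
    """
    fields = {}
    for key, quoted, bare in KV.findall(line):
        fields[key] = quoted if quoted else bare
    for end in ("src", "dst"):
        if end in fields:
            parts = fields[end].split(":")
            fields[end + "_ip"] = parts[0]
            fields[end + "_port"] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            fields[end + "_iface"] = parts[2] if len(parts) > 2 else None
    return fields


def find_proxy_drops(lines, proxy_ip, proxy_port=8080):
    """Return (time, dst_ip, dst_port) for each dropped connection whose
    source is the proxy's listening socket, i.e. proxy replies that the
    firewall discarded instead of delivering to the inside client."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("msg") != "TCP connection dropped":
            continue
        if f.get("src_ip") == proxy_ip and f.get("src_port") == proxy_port:
            hits.append((f.get("time"), f["dst_ip"], f["dst_port"]))
    return hits


def drops_per_client(hits):
    """Count dropped proxy replies per inside client address."""
    return Counter(dst_ip for _, dst_ip, _ in hits)


if __name__ == "__main__":
    found = find_proxy_drops(SAMPLE_LOG, "198.51.100.20")
    for when, client, port in found:
        print(f"{when}  proxy reply to {client}:{port} dropped")
    print(dict(drops_per_client(found)))
```

A pattern of drops whose source is the proxy's service port and whose destination is an ephemeral client port means the firewall treated the proxy's reply as unsolicited inbound traffic; correlating those entries with the preceding outbound 'Connection Opened' events from the same client is the quickest way to see whether a NAT or access rule change has actually altered the behaviour.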

Expert Comment

by:digitap
ID: 34202433
appears it's wanting some open ports to allow the proper auth protocol through.  you might try creating an address object for your external proxy (if you don't already have one) and create firewall access rules and NAT policies accordingly...as a test:

access rule:

WAN > LAN Allow
source: external_proxy; destination: Any; Service: Any

NAT Policies:

WAN > LAN
source: external_proxy; translated: original; destination: WAN IP; translated: Any; service: any; translated: original

LAN > WAN

source: Any; translated: original; destination: external_proxy; translated: original; service: Any; translated: original

you'll need to select the interface that the respective WAN and LAN zones are assigned to

 

Author Comment

by:ajahnke
ID: 34219167
I'm giving this a try right now, however in the drop-down for 'Translated Destination' in setting up the WAN>LAN NAT Policy, the option for 'Any' doesn't exist. Am I misinterpreting that part of your instructions? I haven't gotten to the LAN>WAN policy yet so I'll let you know what I find there. For now I'm going to set that field to 'All Interface IP', which seems to be the most inclusive and/or closest to 'Any' I can see.
 

Author Comment

by:ajahnke
ID: 34219206
OK - I was able to complete the rest of that setup without any problems but I'm still experiencing the same issue. So I'm not sure if I got that first NAT policy wrong or not, but I'm still seeing the event log showing dropped inbound activity from the proxy server on port 8080 destined for my inside test machine... seems like it's blocking the inbound authentication request. Maybe I have something conflicting with that, like maybe the admin interface, or...? I'm going to keep poking for now.

Expert Comment

by:digitap
ID: 34219294
ok...here's another option: run the public server wizard. the public server wizard will set up all the firewall access rules, NAT policies and address objects for you.  then, you can go back and change the services to include "Any" for ingress/egress rules and policies.  make sense?
 

Author Comment

by:ajahnke
ID: 34219439
I think so - I actually found another article on a similar topic and tried that, although I didn't make the modification you suggested. Instead, I simply ran the public server wizard and mapped port 8080 to my test server. And yet, for some unknown reason, the log still says TCP Connection Dropped. It's very frustrating not knowing why it's doing that - there's nothing listed in the 'Rule' column of the event log entry. I'm actually trying to set up Viewpoint on this firewall right now to try to see why it's doing this. I certainly don't see any firewall rules preventing this inbound traffic, but that doesn't mean I'm not missing something, although any explicit rules would have had to have been added by me anyway, so I really doubt there are any in there. It's just a bit frustrating seeing the event log entry telling you 'what' it's done, but not 'why' it's done it.

Expert Comment

by:digitap
ID: 34219478
to see that information, something simpler to set up is the syslogger.  obtain kiwi syslogger and configure syslog on the sonicwall.  if memory serves, log the syslog.

Author Comment

by:ajahnke
ID: 34219562
Well, now I think I've really messed it up. I tried to go back and just use the proxy in the browser and for some reason it would go out this time - just timed out. Not only that, but I'm also no longer able to log into the firewall itself. I have no idea if I locked it up or what. I'm still connected to the machines on the inside of it, so I know it's passing traffic, but I can't seem to get HTTP or HTTPS to work on anything at this point.
 

Author Comment

by:ajahnke
ID: 34219570
Never mind - it let me back in; must have just been hung up for a bit.
 

Accepted Solution

by:
ajahnke earned 0 total points
ID: 34234092
Well, I ended up 'solving' this by going the opposite direction and using GPOs to push out the proxy settings to both the separate domains. I wanted to avoid having to do this, but it looks like there isn't a way (or not one that I've found) to pass a proxy login dialog box through a Sonicwall with Web Proxy enabled.

Expert Comment

by:digitap
ID: 34234147
hi...sorry you weren't able to find a solution here.

Expert Comment

by:digitap
ID: 34234237
by the way, i was reviewing your closing comments and you indicate:

I'm only giving this a 'B' because I ended up having to use a workaround instead of solving the root problem, which I still don't know whether or not there even is a solution to.

which answer did you choose to give a 'B' to?
 

Author Comment

by:ajahnke
ID: 34234308
Oh - I was giving my workaround a 'B' because it wasn't the actual solution. I really appreciate your help on this and I'm sure we probably could have solved it if we could have gotten the Sonicwall to stop arbitrarily dropping connections. Unfortunately I ran out of time to try to make that work that way.

Expert Comment

by:digitap
ID: 34234335
i understand...gave it a good try.

by the way, when choosing your own solution, you don't typically give it a grade as you can't award yourself points.  now, if you'd chosen one of my solutions as an assisted solution, THEN you could have given that a B while choosing your final solution as the primary solution.  Just FYI...
 

Author Closing Comment

by:ajahnke
ID: 34272814
I'm only giving this a 'B' because I ended up having to use a workaround instead of solving the root problem, which I still don't know whether or not there even is a solution to.